CVE-2010-4164

Bug #731199 reported by Steve Conklin on 2011-03-08
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Undecided
Unassigned
Dapper
Medium
Steve Conklin
Hardy
Medium
Steve Conklin
Karmic
Medium
Steve Conklin
Lucid
Undecided
Unassigned
Maverick
Undecided
Unassigned
Natty
Undecided
Unassigned
linux-fsl-imx51 (Ubuntu)
Undecided
Unassigned
Dapper
Undecided
Unassigned
Hardy
Undecided
Unassigned
Karmic
Undecided
Unassigned
Lucid
Undecided
Paolo Pisati
Maverick
Undecided
Unassigned
Natty
Undecided
Unassigned
linux-lts-backport-maverick (Ubuntu)
Undecided
Unassigned
Dapper
Undecided
Unassigned
Hardy
Undecided
Unassigned
Karmic
Undecided
Unassigned
Lucid
Undecided
Unassigned
Maverick
Undecided
Unassigned
Natty
Undecided
Unassigned
linux-mvl-dove (Ubuntu)
Undecided
Unassigned
Dapper
Undecided
Unassigned
Hardy
Undecided
Unassigned
Karmic
Undecided
Unassigned
Lucid
Undecided
Unassigned
Maverick
Undecided
Unassigned
Natty
Undecided
Unassigned
linux-ti-omap4 (Ubuntu)
Undecided
Unassigned
Dapper
Undecided
Unassigned
Hardy
Undecided
Unassigned
Karmic
Undecided
Unassigned
Lucid
Undecided
Unassigned
Maverick
Undecided
Paolo Pisati
Natty
Undecided
Unassigned
Steve Conklin (sconklin) on 2011-03-08
security vulnerability: no → yes
Steve Conklin (sconklin) wrote :

Multiple integer underflows in the x25_parse_facilities function in
net/x25/x25_facilities.c in the Linux kernel before 2.6.36.2 allow remote
attackers to cause a denial of service (system crash) via malformed X.25
(1) X25_FAC_CLASS_A, (2) X25_FAC_CLASS_B, (3) X25_FAC_CLASS_C, or (4)
X25_FAC_CLASS_D facility data, a different vulnerability than
CVE-2010-3873.

upstream commit: 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f

Steve Conklin (sconklin) on 2011-03-08
Changed in linux (Ubuntu Maverick):
status: New → Fix Released
Changed in linux (Ubuntu Lucid):
status: New → Fix Released
Steve Conklin (sconklin) on 2011-03-08
Changed in linux (Ubuntu Natty):
status: New → Fix Committed
status: Fix Committed → Fix Released
Steve Conklin (sconklin) on 2011-03-08
Changed in linux (Ubuntu Karmic):
assignee: nobody → Steve Conklin (sconklin)
importance: Undecided → Medium
status: New → In Progress
Steve Conklin (sconklin) on 2011-03-08
Changed in linux (Ubuntu Hardy):
assignee: nobody → Steve Conklin (sconklin)
importance: Undecided → Medium
status: New → In Progress
Steve Conklin (sconklin) on 2011-03-08
Changed in linux (Ubuntu Dapper):
assignee: nobody → Steve Conklin (sconklin)
importance: Undecided → Medium
status: New → In Progress
Steve Conklin (sconklin) on 2011-03-08
Changed in linux (Ubuntu Dapper):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Karmic):
status: In Progress → Fix Committed
Steve Conklin (sconklin) on 2011-03-08
Changed in linux (Ubuntu Hardy):
status: In Progress → Fix Committed
Changed in linux-mvl-dove (Ubuntu Natty):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Natty):
status: New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Natty):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Lucid):
status: New → Confirmed
Changed in linux-ti-omap4 (Ubuntu Maverick):
status: New → Confirmed
Changed in linux-ti-omap4 (Ubuntu Natty):
status: New → Confirmed
Changed in linux-ti-omap4 (Ubuntu Dapper):
status: New → Confirmed
Changed in linux-ti-omap4 (Ubuntu Hardy):
status: New → Confirmed
Changed in linux-ti-omap4 (Ubuntu Karmic):
status: New → Confirmed
Brad Figg (brad-figg) on 2011-03-21
tags: added: kernel-cve-tracking-bug
Paolo Pisati (p-pisati) on 2011-03-25
Changed in linux-ti-omap4 (Ubuntu Dapper):
status: Confirmed → Invalid
Changed in linux-ti-omap4 (Ubuntu Hardy):
status: Confirmed → Invalid
Changed in linux-ti-omap4 (Ubuntu Karmic):
status: Confirmed → Invalid
Changed in linux-ti-omap4 (Ubuntu Lucid):
status: Confirmed → Invalid
Changed in linux-mvl-dove (Ubuntu Dapper):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Hardy):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Karmic):
status: New → Invalid
Paolo Pisati (p-pisati) on 2011-03-25
Changed in linux-ti-omap4 (Ubuntu Natty):
status: Confirmed → Invalid
Paolo Pisati (p-pisati) on 2011-03-25
Changed in linux-ti-omap4 (Ubuntu Maverick):
status: Confirmed → In Progress
Tim Gardner (timg-tpi) on 2011-03-25
Changed in linux-ti-omap4 (Ubuntu Maverick):
assignee: nobody → Paolo Pisati (p-pisati)
Tim Gardner (timg-tpi) on 2011-03-28
Changed in linux-ti-omap4 (Ubuntu Maverick):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.24-29.88

---------------
linux (2.6.24-29.88) hardy-proposed; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #736290

  [Steve Conklin]

  * Ubuntu-2.6.24-29.87
  * [Config] Allow insertchanges to work in later version chroots

  [Upstream Kernel Changes]

  * do_exit(): make sure that we run with get_fs() == USER_DS,
    CVE-2010-4258
    - LP: #723945
    - CVE-2010-4258
  * Make the bulkstat_one compat ioctl handling more sane
    - LP: #692848
  * Fix xfs_bulkstat_one size checks & error handling
    - LP: #692848
  * xfs: always use iget in bulkstat
    - LP: #692848
  * x25: Prevent crashing when parsing bad X.25 facilities CVE-2010-4164
    - LP: #731199
    - CVE-2010-4164
  * Revised [CVE-2010-4346 Hardy] install_special_mapping skips
    security_file_mmap check. CVE-2010-4346
    - LP: #731971
    - CVE-2010-4346

linux (2.6.24-29.87) hardy-proposed; urgency=low

  [ Steve Conklin ]

  * Release Tracking Bug
    - LP: #725138

  [Upstream Kernel Changes]

  * bluetooth: Fix missing NULL check, CVE-2010-4242
    - LP: #714846
    - CVE-2010-4242
  * NFS: fix the return value of nfs_file_fsync()
    - LP: #585657
  * bio: take care not overflow page count when mapping/copying user data,
    CVE-2010-4162
    - LP: #721441
    - CVE-2010-4162
  * filter: make sure filters dont read uninitialized memory
    - LP: #721282
    - CVE-2010-4158
  * tty: Make tiocgicount a handler, CVE-2010-4076, CVE-2010-4077
    - LP: #720189
    - CVE-2010-4077
  * block: check for proper length of iov entries earlier in
    blk_rq_map_user_iov(), CVE-2010-4163
    - LP: #721504
    - CVE-2010-4163
 -- Brad Figg <email address hidden> Wed, 16 Mar 2011 09:43:35 -0700

Changed in linux (Ubuntu Hardy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (3.4 KiB)

This bug was fixed in the package linux-ti-omap4 - 2.6.35-903.22

---------------
linux-ti-omap4 (2.6.35-903.22) maverick; urgency=low

  [ Paolo Pisati ]

  * Release Tracking Bug
    - LP: #744250

  [ Upstream Kernel Changes ]

  * ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open(), CVE-2010-3080
    - CVE-2010-3080
  * tracing: t_start: reset FTRACE_ITER_HASH in case of seek/pread, CVE-2010-3079
    - CVE-2010-3079
  * KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring, CVE-2010-2960
    - CVE-2010-2960
  * drm/i915: Sanity check pread/pwrite, CVE-2010-2962
    - CVE-2010-2962
  * do_exit(): make sure that we run with get_fs() == USER_DS, CVE-2010-3849
    - CVE-2010-3849
  * econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849
    - CVE-2010-3849
  * econet: fix CVE-2010-3850
    - CVE-2010-3850
  * econet: fix CVE-2010-3848
    - CVE-2010-3848
  * compat: Make compat_alloc_user_space() incorporate the access_ok(), CVE-2010-3081
    - CVE-2010-3081
  * irda: Correctly clean up self->ias_obj on irda_bind() failure., CVE-2010-2954
    - CVE-2010-2954
  * wireless extensions: fix kernel heap content leak, CVE-2010-2955
    - CVE-2010-2955
  * KEYS: Fix RCU no-lock warning in keyctl_session_to_parent(), CVE-2010-2960
    - CVE-2010-2960
  * Fix pktcdvd ioctl dev_minor range check, CVE-2010-3437
    - CVE-2010-3437
  * Fix out-of-bounds reading in sctp_asoc_get_hmac(), CVE-2010-3705
    - CVE-2010-3705
  * ocfs2: Don't walk off the end of fast symlinks., CVE-2010-NNN2
    - CVE-2010-NNN2
  * v4l: disable dangerous buggy compat function, CVE-2010-2963
    - CVE-2010-2963
  * Local privilege escalation vulnerability in RDS sockets, CVE-2010-3904
    - CVE-2010-3904
  * net: clear heap allocation for ETHTOOL_GRXCLSRLALL, CVE-2010-3861
    - CVE-2010-3861
  * ipc: shm: fix information leak to userland, CVE-2010-4072
    - CVE-2010-4072
  * tcp: Increase TCP_MAXSEG socket option minimum., CVE-2010-4165
    - CVE-2010-4165
  * af_unix: limit unix_tot_inflight, CVE-2010-4249
    - CVE-2010-4249
  * V4L/DVB: ivtvfb: prevent reading uninitialized stack memory, CVE-2010-4079
    - LP: #707649
    - CVE-2010-4079
  * net: fix rds_iovec page count overflow, CVE-2010-3865
    - LP: #709153
    - CVE-2010-3865
  * net: ax25: fix information leak to userland, CVE-2010-3875
    - LP: #710714
    - CVE-2010-3875
  * net: ax25: fix information leak to userland harder, CVE-2010-3875
    - LP: #710714
    - CVE-2010-3875
  * net: packet: fix information leak to userland, CVE-2010-3876
    - LP: #710714
    - CVE-2010-3876
  * net: tipc: fix information leak to userland, CVE-2010-3877
    - LP: #711291
    - CVE-2010-3877
  * filter: make sure filters dont read uninitialized memory, CVE-2010-4158
    - LP: #721282
    - CVE-2010-4158
  * econet: Fix crash in aun_incoming(). CVE-2010-4342
    - LP: #736394
    - CVE-2010-4342
  * sound: Prevent buffer overflow in OSS load_mixer_volumes, CVE-2010-4527
    - LP: #737073
    - CVE-2010-4527
  * irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529
    - LP: #737823
    - CVE-2010-4529
  * x25: Prevent crashing when parsing bad X.25 facilities, C...

Read more...

Changed in linux-ti-omap4 (Ubuntu Maverick):
status: Fix Committed → Fix Released
Paolo Pisati (p-pisati) on 2011-04-29
Changed in linux-mvl-dove (Ubuntu Lucid):
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.31-23.75

---------------
linux (2.6.31-23.75) karmic-proposed; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #737663

  [ Upstream Kernel Changes ]

  * do_exit(): make sure that we run with get_fs() == USER_DS,
    CVE-2010-4258
    - LP: #723945
    - CVE-2010-4258
  * xfs: always use iget in bulkstat
    - LP: #692848
  * x25: Prevent crashing when parsing bad X.25 facilities CVE-2010-4164
    - LP: #731199
    - CVE-2010-4164
  * Revised [CVE-2010-4345 Karmic] install_special_mapping skips
    security_file_mmap check. CVE-2010-4346
    - LP: #731971
    - CVE-2010-4346
  * econet: Fix crash in aun_incoming(). CVE-2010-4342
    - LP: #736394
    - CVE-2010-4342
 -- Brad Figg <email address hidden> Fri, 18 Mar 2011 09:43:00 -0700

Changed in linux (Ubuntu Karmic):
status: Fix Committed → Fix Released
Paolo Pisati (p-pisati) wrote :

karmic is EOL

Changed in linux-fsl-imx51 (Ubuntu Dapper):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Hardy):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Maverick):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Karmic):
status: New → Won't Fix
Paolo Pisati (p-pisati) on 2011-06-02
Changed in linux-fsl-imx51 (Ubuntu Lucid):
assignee: nobody → Paolo Pisati (p-pisati)
status: New → In Progress
Launchpad Janitor (janitor) wrote :
Download full text (4.2 KiB)

This bug was fixed in the package linux-fsl-imx51 - 2.6.31-609.26

---------------
linux-fsl-imx51 (2.6.31-609.26) lucid; urgency=low

  [ Paolo Pisati ]

  * Tracking bug
    - LP: #795219
  * [Config] Disable parport_pc on fsl-imx51
    - LP: #601226

  [ Upstream Kernel Changes ]

  * ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory
    - LP: #712723, #712737
  * can-bcm: fix minor heap overflow
    - LP: #710680
  * drivers/video/via/ioctl.c: prevent reading uninitialized stack memory
    - LP: #712744
  * gdth: integer overflow in ioctl
    - LP: #711797
  * inet_diag: Make sure we actually run the same bytecode we audited, CVE-2010-3880
    - LP: #711865
    - CVE-2010-3880
  * net: fix rds_iovec page count overflow, CVE-2010-3865
    - LP: #709153
    - CVE-2010-3865
  * net: packet: fix information leak to userland, CVE-2010-3876
    - LP: #711045
    - CVE-2010-3876
  * net: tipc: fix information leak to userland, CVE-2010-3877
    - LP: #711291
    - CVE-2010-3877
  * net: Truncate recvfrom and sendto length to INT_MAX.
    - LP: #708839
  * posix-cpu-timers: workaround to suppress the problems with mt exec
    - LP: #712609
  * sys_semctl: fix kernel stack leakage
    - LP: #712749
  * x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet.
    - LP: #709372
  * memory corruption in X.25 facilities parsing
    - LP: #709372
  * net: ax25: fix information leak to userland, CVE-2010-3875
    - LP: #710714
    - CVE-2010-3875
  * net: ax25: fix information leak to userland harder, CVE-2010-3875
    - LP: #710714
    - CVE-2010-3875
  * fs/partitions/ldm.c: fix oops caused by corrupted partition table, CVE-2011-1017
    - LP: #771382
    - CVE-2011-1017
  * net: clear heap allocations for privileged ethtool actions
    - LP: #771445
  * Prevent rt_sigqueueinfo and rt_tgsigqueueinfo from spoofing the signal code
    - LP: #772543
  * Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo
    - LP: #772543
  * exec: make argv/envp memory visible to oom-killer
    - LP: #768408
  * next_pidmap: fix overflow condition
    - LP: #784727
  * proc: do proper range check on readdir offset
    - LP: #784727
  * mpt2sas: prevent heap overflows and unchecked reads
    - LP: #787145
  * agp: fix arbitrary kernel memory writes
    - LP: #788684
  * can: add missing socket check in can/raw release
    - LP: #788694
  * agp: fix OOM and buffer overflow
    - LP: #788700
  * do_exit(): make sure that we run with get_fs() == USER_DS - CVE-2010-4258
    - LP: #723945
    - CVE-2010-4258
  * x25: Prevent crashing when parsing bad X.25 facilities - CVE-2010-4164
    - LP: #731199
    - CVE-2010-4164
  * install_special_mapping skips security_file_mmap check - CVE-2010-4346
    - LP: #731971
    - CVE-2010-4346
  * econet: Fix crash in aun_incoming() - CVE-2010-4342
    - LP: #736394
    - CVE-2010-4342
  * sound: Prevent buffer overflow in OSS load_mixer_volumes - CVE-2010-4527
    - LP: #737073
    - CVE-2010-4527
  * irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529
    - LP: #737823
    - CVE-2010-4529
  * CAN: Use inode instead of kernel address for /proc file - CVE-2010-4565
    - LP: #765007...

Read more...

Changed in linux-fsl-imx51 (Ubuntu Lucid):
status: In Progress → Fix Released
Changed in linux-lts-backport-maverick (Ubuntu Dapper):
status: New → Won't Fix
Changed in linux-lts-backport-maverick (Ubuntu Karmic):
status: New → Won't Fix
Changed in linux (Ubuntu Dapper):
status: Fix Committed → Won't Fix
Changed in linux-lts-backport-maverick (Ubuntu Hardy):
status: New → Won't Fix
Changed in linux-mvl-dove (Ubuntu Maverick):
status: New → Won't Fix
Changed in linux-lts-backport-maverick (Ubuntu Lucid):
status: New → Won't Fix
Changed in linux-lts-backport-maverick (Ubuntu Maverick):
status: New → Won't Fix
Paolo Pisati (p-pisati) on 2013-05-28
Changed in linux-mvl-dove (Ubuntu Lucid):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers