This bug was fixed in the package linux-ti-omap4 - 2.6.35-903.24

---------------

linux-ti-omap4 (2.6.35-903.24) maverick-proposed; urgency=low

  * Release tracking bug
    - LP: #838037

  [ Upstream Kernel Changes ]

  * ipv6: make fragment identifications less predictable, CVE-2011-2699
    - LP: #827685
    - CVE-2011-2699
  * perf: Fix software event overflow, CVE-2011-2918
    - LP: #834121
    - CVE-2011-2918
  * proc: fix oops on invalid /proc//maps access, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020

linux-ti-omap4 (2.6.35-903.23) maverick-proposed; urgency=low

  * Release tracking bug
    - LP: #829655

  [ Upstream Kernel Changes ]

  * drm/radeon/kms: check AA resolve registers on r300, CVE-2011-1016
    - LP: #745686
    - CVE-2011-1016
  * drm/radeon: fix regression with AA resolve checking, CVE-2011-1016
    - LP: #745686
    - CVE-2011-1016
  * can-bcm: fix minor heap overflow
    - LP: #690730
  * CAN: Use inode instead of kernel address for /proc file, CVE-2010-4565
    - LP: #765007
    - CVE-2010-4565
  * av7110: check for negative array offset
    - LP: #747520
  * xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1, CVE-2011-0711
    - LP: #767740
    - CVE-2011-0711
  * ALSA: caiaq - Fix possible string-buffer overflow
    - LP: #747520
  * IB/cm: Bump reference count on cm_id before invoking callback, CVE-2011-0695
    - LP: #770369
    - CVE-2011-0695
  * RDMA/cma: Fix crash in request handlers, CVE-2011-0695
    - LP: #770369
    - CVE-2011-0695
  * Treat writes as new when holes span across page boundaries, CVE-2011-0463
    - LP: #770483
    - CVE-2011-0463
  * net: clear heap allocations for privileged ethtool actions
    - LP: #686158
  * usb: iowarrior: don't trust report_size for buffer size
    - LP: #747520
  * fs/partitions/ldm.c: fix oops caused by corrupted partition table, CVE-2011-1017
    - LP: #771382
    - CVE-2011-1017
  * Prevent rt_sigqueueinfo and rt_tgsigqueueinfo from spoofing the signal code
    - LP: #747520
  * Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo
    - LP: #747520
  * exec: make argv/envp memory visible to oom-killer
    - LP: #690730
  * next_pidmap: fix overflow condition
    - LP: #772560
  * proc: do proper range check on readdir offset
    - LP: #772560
  * ALSA: sound/pci/asihpi: check adapter index in hpi_ioctl, CVE-2011-1169
    - LP: #785331
    - CVE-2011-1169
  * mpt2sas: prevent heap overflows and unchecked reads, CVE-2011-1494
    - LP: #787145
    - CVE-2011-1494
  * agp: fix arbitrary kernel memory writes, CVE-1011-2022
    - LP: #788684
    - CVE-1011-2022
  * can: add missing socket check in can/raw release, CVE-2011-1748
    - LP: #788694
    - CVE-2011-1748
  * agp: fix OOM and buffer overflow
    - LP: #788700
  * drivers/net/cxgb3/cxgb3_main.c: prevent reading uninitialized stack memory - CVE-2010-3296
    - CVE-2010-3296
  * drivers/net/eql.c: prevent reading uninitialized stack memory - CVE-2010-3297
    - CVE-2010-3297
  * inet_diag: Make sure we actually run the same bytecode we audited, CVE-2010-3880
    - LP: #711865
    - CVE-2010-3880
  * setup_arg_pages: diagnose excessive argument size - CVE-2010-3858
    - LP: #672664
    - CVE-2010-3858
  * net: Truncate recvfrom and sendto length to INT_MAX - CVE-2010-3859
    - LP: #690730
    - CVE-2010-3859
  * net: Limit socket I/O iovec total length to INT_MAX - CVE-2010-3859
    - LP: #690730
    - CVE-2010-3859
  * ipc: initialize structure memory to zero for compat functions - CVE-2010-4073
    - LP: #690730
    - CVE-2010-4073
  * ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory - CVE-2010-4080, CVE-2010-4081
    - LP: #672664
    - CVE-2010-4080, CVE-2010-4081
  * drivers/video/via/ioctl.c: prevent reading uninitialized stack memory - CVE-2010-4082
    - CVE-2010-4082
  * sys_semctl: fix kernel stack leakage, CVE-2010-4083
    - LP: #712749
    - CVE-2010-4083
  * gdth: integer overflow in ioctl - CVE-2010-4157
    - LP: #686158
    - CVE-2010-4157
  * bio: take care not overflow page count when mapping/copying user data - CVE-2010-4162
    - LP: #721441
    - CVE-2010-4162
  * bluetooth: Fix missing NULL check - CVE-2010-4242
    - LP: #686158
  * rds: Integer overflow in RDS cmsg handling, CVE-2010-4175
    - LP: #721455
    - CVE-2010-4175
  * perf_events: Fix perf_counter_mmap() hook in mprotect() - CVE-2010-4169
    - LP: #690730
    - CVE-2010-4169
  * block: check for proper length of iov entries in blk_rq_map_user_iov() - CVE-2010-4163
    - LP: #690730
    - CVE-2010-4163
  * block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163
    - LP: #721504
    - CVE-2010-4163
  * fs/partitions/efi.c: corrupted GUID partition tables can cause kernel oops
    - LP: #795418
    - CVE-2011-1577
  * Fix corrupted OSF partition table parsing
    - LP: #796606
    - CVE-2011-1163
  * can: Add missing socket check in can/bcm release.
    - LP: #796502
    - CVE-2011-1598
  * proc: protect mm start_code/end_code in /proc/pid/stat
    - LP: #799906
    - CVE-2011-0726
  * tty: icount changeover for other main devices, CVE-2010-4076, CVE-2010-4077
    - LP: #720189
    - CVE-2010-4077
  * tty: Make tiocgicount a handler, CVE-2010-4076, CVE-2010-4077
    - LP: #794034
    - CVE-2010-4077
  * posix-cpu-timers: workaround to suppress the problems with mt exec, CVE-2010-4248
    - LP: #712609
    - CVE-2010-4248
  * Rename 'pipe_info()' to 'get_pipe_info()' CVE-2010-4256
    - LP: #799805
    - CVE-2010-4256
  * Export 'get_pipe_info()' to other users CVE-2010-4256
    - LP: #799805
    - CVE-2010-4256
  * IB/uverbs: Handle large number of entries in poll CQ CVE-2010-4649
    - LP: #800121
    - CVE-2010-4649
  * nfs4: Ensure that ACL pages sent over NFS were not allocated from the slab (v3) CVE-2011-1090
    - LP: #800775
    - CVE-2011-1090
  * epoll: prevent creating circular epoll structures CVE-2011-1082
    - LP: #800758
    - CVE-2011-1082
  * xfs: zero proper structure size for geometry calls CVE-2011-0711
    - LP: #767740
    - CVE-2011-0711
  * ldm: corrupted partition table can cause kernel oops CVE-2011-1012
    - LP: #801083
    - CVE-2011-1012
  * netfilter: ipt_CLUSTERIP: fix buffer overflow CVE-2011-2534
    - LP: #801473
    - CVE-2011-2534
  * netfilter: arp_tables: fix infoleak to userspace CVE-2011-1170
    - LP: #801480
    - CVE-2011-1170
  * netfilter: ip_tables: fix infoleak to userspace CVE-2011-1171
    - LP: #801482
    - CVE-2011-1171
  * ipv6: netfilter: ip6_tables: fix infoleak to userspace CVE-2011-1172
    - LP: #801483
    - CVE-2011-1172
  * econet: 4 byte infoleak to the network CVE-2011-1173
    - LP: #801484
    - CVE-2011-1173
  * fs/partitions: Validate map_count in Mac partition tables CVE-2011-1010
    - LP: #804225
    - CVE-2011-1010
  * drm: fix unsigned vs signed comparison issue in modeset ctl ioctl CVE-2011-1013
    - LP: #804229
  * net: don't allow CAP_NET_ADMIN to load non-netdev kernel modules CVE-2011-1019
    - LP: #804366
    - CVE-2011-1019
  * exec: copy-and-paste the fixes into compat_do_execve() paths CVE-2010-4243
    - LP: #804234
    - CVE-2010-4243
  * taskstats: don't allow duplicate entries in listener mode, CVE-2011-2484
    - LP: #806390
    - CVE-2011-2484
  * dccp: handle invalid feature options length, CVE-2011-1770
    - LP: #806375
    - CVE-2011-1770
  * pagemap: close races with suid execve, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * report errors in /proc/*/*map* sanely, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * close race in /proc/*/environ, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * auxv: require the target to be tracable (or yourself), CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * deal with races in /proc/*/{syscall, stack, personality}, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * dccp: fix oops on Reset after close, CVE-2011-1093
    - LP: #814087
    - CVE-2011-1093
  * Bluetooth: sco: fix information leak to userspace, CVE-2011-1078
    - LP: #816542
    - CVE-2011-1078
  * Bluetooth: bnep: fix buffer overflow, CVE-2011-1079
    - LP: #816544
    - CVE-2011-1079
  * bridge: netfilter: fix information leak, CVE-2011-1080
    - LP: #816545
    - CVE-2011-1080
  * gro: Reset dev pointer on reuse, CVE-2011-1478
    - LP: #816549
    - CVE-2011-1478
  * gro: reset skb_iif on reuseu, CVE-2011-1478
    - LP: #816549
    - CVE-2011-1478
  * char/tpm: Fix unitialized usage of data buffer, CVE-2011-1160
    - LP: #816546
    - CVE-2011-1160
  * irda: validate peer name and attribute lengths, CVE-2011-1180
    - LP: #816547
    - CVE-2011-1180
  * ROSE: prevent heap corruption with bad facilities, CVE-2011-1493
    - LP: #816550
    - CVE-2011-1493
  * rose: Add length checks to CALL_REQUEST parsing, CVE-2011-1493
    - LP: #816550
    - CVE-2011-1493
  * Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace.
    - LP: #819569
    - CVE-2011-2492
  * Add mount option to check uid of device being mounted = expect uid, CVE-2011-1833
    - LP: #732628
    - CVE-2011-1833

 -- Paolo Pisati