Ubuntu
linux package

CVE-2011-0521

Lucid (10.04)
Bug #767526

Bug #767526 reported by Leann Ogasawara on 2011-04-20

258

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Fix Released	Undecided	Unassigned
	Dapper	Won't Fix	Low	Leann Ogasawara
	Hardy	Fix Released	Low	Leann Ogasawara
	Karmic	Won't Fix	Undecided	Unassigned
	Lucid	Fix Released	Undecided	Unassigned
	Maverick	Fix Released	Undecided	Unassigned
	Natty	Fix Released	Undecided	Unassigned
	Oneiric	Fix Released	Undecided	Unassigned
	linux-fsl-imx51 (Ubuntu)	Invalid	Undecided	Unassigned
	Dapper	Invalid	Undecided	Unassigned
	Hardy	Invalid	Undecided	Unassigned
	Karmic	Won't Fix	Undecided	Unassigned
	Lucid	Fix Released	Undecided	Paolo Pisati
	Maverick	Invalid	Undecided	Unassigned
	Natty	Invalid	Undecided	Unassigned
	Oneiric	Invalid	Undecided	Unassigned
	linux-lts-backport-maverick (Ubuntu)	Invalid	Undecided	Unassigned
	Dapper	Invalid	Undecided	Unassigned
	Hardy	Invalid	Undecided	Unassigned
	Karmic	Invalid	Undecided	Unassigned
	Lucid	Won't Fix	Undecided	Unassigned
	Maverick	Invalid	Undecided	Unassigned
	Natty	Invalid	Undecided	Unassigned
	Oneiric	Invalid	Undecided	Unassigned
	linux-mvl-dove (Ubuntu)	Invalid	Undecided	Unassigned
	Dapper	Invalid	Undecided	Unassigned
	Hardy	Invalid	Undecided	Unassigned
	Karmic	Invalid	Undecided	Unassigned
	Lucid	Won't Fix	Undecided	Unassigned
	Maverick	Won't Fix	Undecided	Unassigned
	Natty	Invalid	Undecided	Unassigned
	Oneiric	Invalid	Undecided	Unassigned
	linux-ti-omap4 (Ubuntu)	Invalid	Undecided	Unassigned
	Dapper	Invalid	Undecided	Unassigned
	Hardy	Invalid	Undecided	Unassigned
	Karmic	Invalid	Undecided	Unassigned
	Lucid	Invalid	Undecided	Unassigned
	Maverick	Won't Fix	Undecided	Paolo Pisati
	Natty	Fix Released	Undecided	Unassigned
	Oneiric	Invalid	Undecided	Unassigned

(?)

Bug Description

The dvb_ca_ioctl function in drivers/media/dvb/ttpci/av7110_ca.c in the
Linux kernel before 2.6.38-rc2 does not check the sign of a certain integer
field, which allows local users to cause a denial of service (memory
corruption) or possibly have unspecified other impact via a negative value.

See original description

Tags: Edit Tag help

Related branches

lp:ubuntu/dapper-proposed/linux-source-2.6.15

lp:ubuntu/dapper-updates/linux-source-2.6.15

CVE References

Leann Ogasawara (leannogasawara) wrote on 2011-04-20:

#1

Marking Fix Released for Natty:

commit cb26a24ee9706473f31d34cc259f4dcf45cd0644
Author: Dan Carpenter <email address hidden>
Date: Fri Jan 7 16:41:54 2011 -0300

[media] [v3,media] av7110: check for negative array offset

ubuntu-natty$ git describe --contains cb26a24ee9706473f31d34cc259f4dcf45cd0644
Ubuntu-2.6.38-1.27~440^2~31

security vulnerability:	no → yes
description:	updated
Changed in linux (Ubuntu Natty):
status:	New → Fix Released

Leann Ogasawara (leannogasawara) wrote on 2011-04-20:

#2

Marking Fix Committed for Maverick as the patch is applied to the master-next branch.

Changed in linux (Ubuntu Maverick):
status:	New → Fix Committed

Leann Ogasawara (leannogasawara) wrote on 2011-04-20:

#3

Marking Fix Committed for Lucid. Patch is in current 2.6.32-31.61 kernel in lucid-proposed.

Changed in linux (Ubuntu Lucid):
status:	New → Fix Committed
Changed in linux (Ubuntu Hardy):
assignee:	nobody → Leann Ogasawara (leannogasawara)
importance:	Undecided → Low
status:	New → In Progress

Leann Ogasawara (leannogasawara) on 2011-04-20

Changed in linux (Ubuntu Dapper):
assignee:	nobody → Leann Ogasawara (leannogasawara)
importance:	Undecided → Low
status:	New → In Progress

Leann Ogasawara (leannogasawara) wrote on 2011-04-20:

#4

dapper.patch Edit (1.8 KiB, text/plain)

Leann Ogasawara (leannogasawara) wrote on 2011-04-20:

#5

hardy.patch Edit (1.7 KiB, text/plain)

Tim Gardner (timg-tpi) on 2011-04-21

Changed in linux (Ubuntu Hardy):
status:	In Progress → Fix Committed
Changed in linux (Ubuntu Dapper):
status:	In Progress → Fix Committed

Steve Conklin (sconklin) on 2011-04-25

tags:

added: kernel-cve-tracking-bug

Paolo Pisati (p-pisati) on 2011-04-28

Changed in linux (Ubuntu Lucid):
status:	Fix Committed → Fix Released
Changed in linux (Ubuntu Maverick):
status:	Fix Committed → Fix Released

Paolo Pisati (p-pisati) on 2011-04-28

Changed in linux-mvl-dove (Ubuntu):
status:	New → Invalid
Changed in linux-mvl-dove (Ubuntu Dapper):
status:	New → Invalid
Changed in linux-mvl-dove (Ubuntu Hardy):
status:	New → Invalid
Changed in linux-mvl-dove (Ubuntu Karmic):
status:	New → Invalid
Changed in linux-mvl-dove (Ubuntu Natty):
status:	New → Invalid
Changed in linux-ti-omap4 (Ubuntu):
status:	New → Invalid
Changed in linux-ti-omap4 (Ubuntu Dapper):
status:	New → Invalid
Changed in linux-ti-omap4 (Ubuntu Hardy):
status:	New → Invalid
Changed in linux-ti-omap4 (Ubuntu Karmic):
status:	New → Invalid
Changed in linux-ti-omap4 (Ubuntu Lucid):
status:	New → Invalid
Changed in linux-ti-omap4 (Ubuntu Natty):
status:	New → Fix Released

Paolo Pisati (p-pisati) on 2011-04-29

Changed in linux-mvl-dove (Ubuntu Lucid):
status:	New → In Progress

Paolo Pisati (p-pisati) on 2011-04-29

Changed in linux-ti-omap4 (Ubuntu Maverick):
assignee:	nobody → Paolo Pisati (p-pisati)
status:	New → In Progress

Launchpad Janitor (janitor) wrote on 2011-05-23:

#6

This bug was fixed in the package linux - 2.6.24-29.89

---------------
linux (2.6.24-29.89) hardy-proposed; urgency=low

[ Steve Conklin ]

* Release Tracking Bug
- LP: #768380

[Tim Gardner]

* [Config] remove generated files

[Upstream Kernel Changes]

  * econet: Fix crash in aun_incoming(). CVE-2010-4342
    - LP: #736394
    - CVE-2010-4342
  * sound: Prevent buffer overflow in OSS load_mixer_volumes, CVE-2010-4527
    - LP: #737073
    - CVE-2010-4527
  * irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529
    - LP: #737823
    - CVE-2010-4529
  * av7110: check for negative array offset, CVE-2011-0521
    - LP: #767526
    - CVE-2011-0521
  * xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1,
    CVE-2011-0711
    - LP: #767740
    - CVE-2011-0711
-- Steve Conklin <email address hidden> Thu, 21 Apr 2011 09:28:26 -0500

Changed in linux (Ubuntu Hardy):
status:	Fix Committed → Fix Released

Paolo Pisati (p-pisati) wrote on 2011-06-02:

#7

karmic is EOL

Changed in linux-fsl-imx51 (Ubuntu):
status:	New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Dapper):
status:	New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Hardy):
status:	New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Maverick):
status:	New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Natty):
status:	New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Karmic):
status:	New → Won't Fix

Paolo Pisati (p-pisati) on 2011-06-02

Changed in linux-fsl-imx51 (Ubuntu Lucid):
assignee:	nobody → Paolo Pisati (p-pisati)
status:	New → In Progress

Launchpad Janitor (janitor) wrote on 2011-07-05:

#8

Download full text (4.2 KiB)

This bug was fixed in the package linux-fsl-imx51 - 2.6.31-609.26

---------------
linux-fsl-imx51 (2.6.31-609.26) lucid; urgency=low

[ Paolo Pisati ]

  * Tracking bug
    - LP: #795219
  * [Config] Disable parport_pc on fsl-imx51
    - LP: #601226

[ Upstream Kernel Changes ]

  * ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory
    - LP: #712723, #712737
  * can-bcm: fix minor heap overflow
    - LP: #710680
  * drivers/video/via/ioctl.c: prevent reading uninitialized stack memory
    - LP: #712744
  * gdth: integer overflow in ioctl
    - LP: #711797
  * inet_diag: Make sure we actually run the same bytecode we audited, CVE-2010-3880
    - LP: #711865
    - CVE-2010-3880
  * net: fix rds_iovec page count overflow, CVE-2010-3865
    - LP: #709153
    - CVE-2010-3865
  * net: packet: fix information leak to userland, CVE-2010-3876
    - LP: #711045
    - CVE-2010-3876
  * net: tipc: fix information leak to userland, CVE-2010-3877
    - LP: #711291
    - CVE-2010-3877
  * net: Truncate recvfrom and sendto length to INT_MAX.
    - LP: #708839
  * posix-cpu-timers: workaround to suppress the problems with mt exec
    - LP: #712609
  * sys_semctl: fix kernel stack leakage
    - LP: #712749
  * x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet.
    - LP: #709372
  * memory corruption in X.25 facilities parsing
    - LP: #709372
  * net: ax25: fix information leak to userland, CVE-2010-3875
    - LP: #710714
    - CVE-2010-3875
  * net: ax25: fix information leak to userland harder, CVE-2010-3875
    - LP: #710714
    - CVE-2010-3875
  * fs/partitions/ldm.c: fix oops caused by corrupted partition table, CVE-2011-1017
    - LP: #771382
    - CVE-2011-1017
  * net: clear heap allocations for privileged ethtool actions
    - LP: #771445
  * Prevent rt_sigqueueinfo and rt_tgsigqueueinfo from spoofing the signal code
    - LP: #772543
  * Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo
    - LP: #772543
  * exec: make argv/envp memory visible to oom-killer
    - LP: #768408
  * next_pidmap: fix overflow condition
    - LP: #784727
  * proc: do proper range check on readdir offset
    - LP: #784727
  * mpt2sas: prevent heap overflows and unchecked reads
    - LP: #787145
  * agp: fix arbitrary kernel memory writes
    - LP: #788684
  * can: add missing socket check in can/raw release
    - LP: #788694
  * agp: fix OOM and buffer overflow
    - LP: #788700
  * do_exit(): make sure that we run with get_fs() == USER_DS - CVE-2010-4258
    - LP: #723945
    - CVE-2010-4258
  * x25: Prevent crashing when parsing bad X.25 facilities - CVE-2010-4164
    - LP: #731199
    - CVE-2010-4164
  * install_special_mapping skips security_file_mmap check - CVE-2010-4346
    - LP: #731971
    - CVE-2010-4346
  * econet: Fix crash in aun_incoming() - CVE-2010-4342
    - LP: #736394
    - CVE-2010-4342
  * sound: Prevent buffer overflow in OSS load_mixer_volumes - CVE-2010-4527
    - LP: #737073
    - CVE-2010-4527
  * irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529
    - LP: #737823
    - CVE-2010-4529
  * CAN: Use inode instead of kernel address for /proc file - CVE-2010-4565
    - LP: #765007...

Changed in linux-fsl-imx51 (Ubuntu Lucid):
status:	In Progress → Fix Released

Andy Whitcroft (apw) on 2011-07-05

Changed in linux-lts-backport-maverick (Ubuntu Maverick):
status:	New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Natty):
status:	New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Oneiric):
status:	New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Dapper):
status:	New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Hardy):
status:	New → Invalid
Changed in linux (Ubuntu Karmic):
status:	New → Won't Fix
Changed in linux-lts-backport-maverick (Ubuntu Karmic):
status:	New → Invalid

Jamie Strandboge (jdstrand) on 2011-10-14

Changed in linux (Ubuntu Dapper):
status:	Fix Committed → Won't Fix

Jamie Strandboge (jdstrand) on 2013-05-21

Changed in linux-ti-omap4 (Ubuntu Maverick):
status:	In Progress → Won't Fix

Jamie Strandboge (jdstrand) on 2013-05-22

Changed in linux-lts-backport-maverick (Ubuntu Lucid):
status:	New → Won't Fix

Jamie Strandboge (jdstrand) wrote on 2013-07-12:

#9

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) for this package and is no longer supported. As
a result, this bug against maverick is being marked "Won't Fix".
Please see https://wiki.ubuntu.com/Releases for currently
supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Changed in linux-mvl-dove (Ubuntu Maverick):
status:	New → Won't Fix

Rolf Leggewie (r0lf) wrote on 2015-06-17:

#10

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in linux-mvl-dove (Ubuntu Lucid):
status:	In Progress → Won't Fix

Report a bug

This report contains Public Security information Edit

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

dapper.patch (edit)
hardy.patch (edit)

Add patch