mbox

[lucid/fsl-imx51,pull,request] First round of CVE fixes

Message ID 4DE6133A.9070000@canonical.com
State New
Headers show

Pull-request

git://kernel.ubuntu.com/ppisati/ubuntu-lucid.git fsl-imx51

Message

Paolo Pisati June 1, 2011, 10:23 a.m. UTC
The following changes since commit 50173a10506485bd731f62bcbd7c9410a1fb5b43:

  UBUNTU: Ubuntu-2.6.31-608.25 (2011-05-27 18:41:05 +0200)

are available in the git repository at:
  git://kernel.ubuntu.com/ppisati/ubuntu-lucid.git fsl-imx51

Andy Whitcroft (1):
      net: packet: fix information leak to userland, CVE-2010-3876

Dan Carpenter (1):
      gdth: integer overflow in ioctl

Dan Rosenberg (4):
      ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory
      drivers/video/via/ioctl.c: prevent reading uninitialized stack memory
      sys_semctl: fix kernel stack leakage
      mpt2sas: prevent heap overflows and unchecked reads

John Hughes (1):
      x25: Patch to fix bug 15678 - x25 accesses fields beyond end of
packet.

Julien Tinnes (1):
      Prevent rt_sigqueueinfo and rt_tgsigqueueinfo from spoofing the
signal code

Kees Cook (2):
      net: ax25: fix information leak to userland harder, CVE-2010-3875
      net: clear heap allocations for privileged ethtool actions

Kulikov Vasiliy (1):
      net: tipc: fix information leak to userland, CVE-2010-3877

Linus Torvalds (4):
      net: fix rds_iovec page count overflow, CVE-2010-3865
      net: Truncate recvfrom and sendto length to INT_MAX.
      next_pidmap: fix overflow condition
      proc: do proper range check on readdir offset

Nelson Elhage (1):
      inet_diag: Make sure we actually run the same bytecode we audited,
CVE-2010-3880

Oleg Nesterov (2):
      posix-cpu-timers: workaround to suppress the problems with mt exec
      exec: make argv/envp memory visible to oom-killer

Oliver Hartkopp (2):
      can-bcm: fix minor heap overflow
      can: add missing socket check in can/raw release

Paolo Pisati (1):
      UBUNTU: Start new release

Roland Dreier (1):
      Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo

Timo Warns (1):
      fs/partitions/ldm.c: fix oops caused by corrupted partition table,
CVE-2011-1017

Vasiliy Kulikov (3):
      net: ax25: fix information leak to userland, CVE-2010-3875
      agp: fix arbitrary kernel memory writes
      agp: fix OOM and buffer overflow

andrew hendry (1):
      memory corruption in X.25 facilities parsing

 .../abi/{2.6.31-608.24 => 2.6.31-608.25}/abiname   |    0
 .../{2.6.31-608.24 => 2.6.31-608.25}/armel/imx51   |    0
 .../armel/imx51.modules                            |    0
 debian.fsl-imx51/changelog                         |    8 +++
 drivers/char/agp/generic.c                         |   19 ++++++--
 drivers/scsi/gdth.c                                |    8 +++
 drivers/scsi/mpt2sas/mpt2sas_ctl.c                 |   23 +++++++++-
 drivers/video/via/ioctl.c                          |    2 +
 fs/exec.c                                          |   28 +++++++++++-
 fs/partitions/ldm.c                                |   16 +++++--
 fs/proc/base.c                                     |    9 +++-
 include/linux/binfmts.h                            |    1 +
 include/linux/pid.h                                |    2 +-
 include/net/netlink.h                              |    2 +-
 include/net/x25.h                                  |    4 ++
 ipc/sem.c                                          |    2 +
 kernel/exit.c                                      |    8 +++
 kernel/pid.c                                       |    5 ++-
 kernel/signal.c                                    |   16 +++++--
 net/ax25/af_ax25.c                                 |    2 +-
 net/can/bcm.c                                      |    2 +-
 net/can/raw.c                                      |    7 +++-
 net/core/ethtool.c                                 |    2 +-
 net/ipv4/inet_diag.c                               |   27 +++++++-----
 net/packet/af_packet.c                             |    3 +-
 net/rds/rdma.c                                     |   11 +++++
 net/socket.c                                       |    4 ++
 net/tipc/socket.c                                  |    1 +
 net/x25/af_x25.c                                   |   47
+++++++++++++++++++-
 net/x25/x25_facilities.c                           |   20 ++++++--
 net/x25/x25_in.c                                   |   17 +++++--
 sound/pci/rme9652/hdsp.c                           |    1 +
 sound/pci/rme9652/hdspm.c                          |    1 +
 33 files changed, 251 insertions(+), 47 deletions(-)
 rename debian.fsl-imx51/abi/{2.6.31-608.24 => 2.6.31-608.25}/abiname (100%)
 rename debian.fsl-imx51/abi/{2.6.31-608.24 =>
2.6.31-608.25}/armel/imx51 (100%)
 rename debian.fsl-imx51/abi/{2.6.31-608.24 =>
2.6.31-608.25}/armel/imx51.modules (100%)


(sort-of) top down list of CVE closed in this pull:

CVE-2010-3876, CVE-2010-4157, CVE-2010-4080, CVE-2010-4081,
CVE-2010-4082, CVE-2010-4083, CVE-2011-1494, CVE-2011-1182,
CVE-2010-3875, CVE-2010-4655, CVE-2010-3877, CVE-2010-3865,
CVE-2010-3859, CVE-2011-1593, CVE-2010-3880, CVE-2010-4248,
CVE-2010-4243, CVE-2010-3874, CVE-2011-1748, CVE-2011-1017,
CVE-2010-3875, CVE-1011-2022, CVE-2011-1747, CVE-2010-3873

this one is not a CVE fix:

John Hughes (1):
x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet.

but is needed for:

andrew hendry (1):
      memory corruption in X.25 facilities parsing

All the commits where cherry-picked from lucid, have the upstream sha,
contain the buglink and were previously acked by some of the kteam.

The release is still open since i'm going to push CVE fixes till the
next kernel cut.

Comments

Paolo Pisati June 1, 2011, 11:01 a.m. UTC | #1
On 06/01/2011 12:23 PM, Paolo Pisati wrote:
> The following changes since commit 50173a10506485bd731f62bcbd7c9410a1fb5b43:
> 
>   UBUNTU: Ubuntu-2.6.31-608.25 (2011-05-27 18:41:05 +0200)

one thing i forgot: i had to modify this commit since previously it was
"Ubuntu-2.6.31-608.25" and that broke fdr insertchanges&c.

So, this is actually a "git reset" request than a pull.
Andy Whitcroft June 1, 2011, 11:30 a.m. UTC | #2
On Wed, Jun 01, 2011 at 12:23:54PM +0200, Paolo Pisati wrote:

> (sort-of) top down list of CVE closed in this pull:
> 
> CVE-2010-3876, CVE-2010-4157, CVE-2010-4080, CVE-2010-4081,
> CVE-2010-4082, CVE-2010-4083, CVE-2011-1494, CVE-2011-1182,
> CVE-2010-3875, CVE-2010-4655, CVE-2010-3877, CVE-2010-3865,
> CVE-2010-3859, CVE-2011-1593, CVE-2010-3880, CVE-2010-4248,
> CVE-2010-4243, CVE-2010-3874, CVE-2011-1748, CVE-2011-1017,
> CVE-2010-3875, CVE-1011-2022, CVE-2011-1747, CVE-2010-3873
> 
> this one is not a CVE fix:
> 
> John Hughes (1):
> x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet.
> 
> but is needed for:
> 
> andrew hendry (1):
>       memory corruption in X.25 facilities parsing
> 
> All the commits where cherry-picked from lucid, have the upstream sha,
> contain the buglink and were previously acked by some of the kteam.
> 
> The release is still open since i'm going to push CVE fixes till the
> next kernel cut.

I have reviewed all of these patches, they all (but two) seem identicle to
the upstream commits, the others seem identicle to that applied to Lucid.
Therefore:

Acked-by: Andy Whitcroft <apw@canonical.com>

The component patches here were all already reviewed and have been
Acked-by: by team members already.  In the main they are already released
into the main Distro kernel, have been tested by QA, and pushed out into
-updates.  Therefore I believe this lot is ready for application.

Applied to Lucid fsl-imx51.

-apw