This bug was nominated against a series that is no longer supported, ie vivid. The bug task representing the vivid nomination is being closed as Won't Fix.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team. ** Changed in: linux-lts-vivid (Ubuntu Vivid) Status: New => Won't Fix -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Released Status in linux-armadaxp package in Ubuntu: Invalid Status in linux-flo package in Ubuntu: New Status in linux-goldfish package in Ubuntu: New Status in linux-keystone package in Ubuntu: Invalid Status in linux-lts-quantal package in Ubuntu: Invalid Status in linux-lts-raring package in Ubuntu: Invalid Status in linux-lts-saucy package in Ubuntu: Invalid Status in linux-lts-trusty package in Ubuntu: Invalid Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux-lts-vivid package in Ubuntu: Invalid Status in linux-lts-wily package in Ubuntu: Invalid Status in linux-lts-xenial package in Ubuntu: Invalid Status in linux-mako package in Ubuntu: New Status in linux-manta package in Ubuntu: Invalid Status in linux-raspi2 package in Ubuntu: Fix Released Status in linux-snapdragon package in Ubuntu: Fix Released Status in linux-ti-omap4 package in Ubuntu: Invalid Status in linux source package in Precise: Fix Released Status in linux-armadaxp source package in Precise: Fix Released Status in linux-flo source package in Precise: Invalid Status in linux-goldfish source package in Precise: Invalid Status in linux-keystone source package in Precise: Invalid Status in linux-lts-quantal source package in Precise: Invalid Status in linux-lts-raring source package in Precise: Invalid Status in linux-lts-saucy source package in Precise: Invalid Status in linux-lts-trusty source package in Precise: Fix Released Status in linux-lts-utopic source package in Precise: Invalid Status in linux-lts-vivid source package in Precise: Invalid Status in linux-lts-wily source package in Precise: Invalid Status in linux-lts-xenial source package in Precise: Invalid Status in linux-mako source package in Precise: Invalid Status in linux-manta source package in Precise: Invalid Status in linux-raspi2 source package in Precise: Invalid Status in linux-snapdragon source package in Precise: Invalid Status in linux-ti-omap4 source package in Precise: Fix Released Status in linux source package in Trusty: Fix Released Status in linux-armadaxp source package in Trusty: Invalid Status in linux-flo source package in Trusty: Invalid Status in linux-goldfish source package in Trusty: Invalid Status in linux-keystone source package in Trusty: Fix Released Status in linux-lts-quantal source package in Trusty: Invalid Status in linux-lts-raring source package in Trusty: Invalid Status in linux-lts-saucy source package in Trusty: Invalid Status in linux-lts-trusty source package in Trusty: Invalid Status in linux-lts-utopic source package in Trusty: Fix Released Status in linux-lts-vivid source package in Trusty: Fix Released Status in linux-lts-wily source package in Trusty: Fix Released Status in linux-lts-xenial source package in Trusty: Fix Released Status in linux-mako source package in Trusty: Invalid Status in linux-manta source package in Trusty: Invalid Status in linux-raspi2 source package in Trusty: Invalid Status in linux-snapdragon source package in Trusty: Invalid Status in linux-ti-omap4 source package in Trusty: Invalid Status in linux source package in Vivid: Fix Released Status in linux-armadaxp source package in Vivid: Invalid Status in linux-flo source package in Vivid: Won't Fix Status in linux-goldfish source package in Vivid: New Status in linux-keystone source package in Vivid: Invalid Status in linux-lts-quantal source package in Vivid: Won't Fix Status in linux-lts-raring source package in Vivid: New Status in linux-lts-saucy source package in Vivid: Won't Fix Status in linux-lts-trusty source package in Vivid: Won't Fix Status in linux-lts-utopic source package in Vivid: Invalid Status in linux-lts-vivid source package in Vivid: Won't Fix Status in linux-lts-wily source package in Vivid: New Status in linux-lts-xenial source package in Vivid: New Status in linux-mako source package in Vivid: Won't Fix Status in linux-manta source package in Vivid: New Status in linux-raspi2 source package in Vivid: Won't Fix Status in linux-snapdragon source package in Vivid: New Status in linux-ti-omap4 source package in Vivid: Invalid Status in linux source package in Wily: Fix Released Status in linux-armadaxp source package in Wily: Invalid Status in linux-flo source package in Wily: New Status in linux-goldfish source package in Wily: New Status in linux-keystone source package in Wily: Invalid Status in linux-lts-quantal source package in Wily: Invalid Status in linux-lts-raring source package in Wily: Invalid Status in linux-lts-saucy source package in Wily: Invalid Status in linux-lts-trusty source package in Wily: Invalid Status in linux-lts-utopic source package in Wily: Invalid Status in linux-lts-vivid source package in Wily: Invalid Status in linux-lts-wily source package in Wily: Invalid Status in linux-lts-xenial source package in Wily: Invalid Status in linux-mako source package in Wily: New Status in linux-manta source package in Wily: New Status in linux-raspi2 source package in Wily: Fix Released Status in linux-snapdragon source package in Wily: Invalid Status in linux-ti-omap4 source package in Wily: Invalid Status in linux source package in Xenial: Fix Released Status in linux-armadaxp source package in Xenial: Invalid Status in linux-flo source package in Xenial: New Status in linux-goldfish source package in Xenial: New Status in linux-keystone source package in Xenial: Invalid Status in linux-lts-quantal source package in Xenial: Invalid Status in linux-lts-raring source package in Xenial: Invalid Status in linux-lts-saucy source package in Xenial: Invalid Status in linux-lts-trusty source package in Xenial: Invalid Status in linux-lts-utopic source package in Xenial: Invalid Status in linux-lts-vivid source package in Xenial: Invalid Status in linux-lts-wily source package in Xenial: Invalid Status in linux-lts-xenial source package in Xenial: Invalid Status in linux-mako source package in Xenial: New Status in linux-manta source package in Xenial: Invalid Status in linux-raspi2 source package in Xenial: Fix Released Status in linux-snapdragon source package in Xenial: Fix Released Status in linux-ti-omap4 source package in Xenial: Invalid Status in linux source package in Yakkety: Fix Released Status in linux-armadaxp source package in Yakkety: Invalid Status in linux-flo source package in Yakkety: New Status in linux-goldfish source package in Yakkety: New Status in linux-keystone source package in Yakkety: Invalid Status in linux-lts-quantal source package in Yakkety: Invalid Status in linux-lts-raring source package in Yakkety: Invalid Status in linux-lts-saucy source package in Yakkety: Invalid Status in linux-lts-trusty source package in Yakkety: Invalid Status in linux-lts-utopic source package in Yakkety: Invalid Status in linux-lts-vivid source package in Yakkety: Invalid Status in linux-lts-wily source package in Yakkety: Invalid Status in linux-lts-xenial source package in Yakkety: Invalid Status in linux-mako source package in Yakkety: New Status in linux-manta source package in Yakkety: Invalid Status in linux-raspi2 source package in Yakkety: Fix Released Status in linux-snapdragon source package in Yakkety: Fix Released Status in linux-ti-omap4 source package in Yakkety: Invalid Bug description: [Impact] [From https://code.google.com/p/google-security-research/issues/detail?id=758 ] A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing. In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset: newpos = pos + e->next_offset; ... e = (struct ipt_entry *) (entry0 + newpos); e->counters.pcnt = pos; This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof- of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero. This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well. [Fix] http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150 [Test Case] Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758 gcc net*v3.c -o v3 ./v3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~group.of.nepali.translators Post to : group.of.nepali.translators@lists.launchpad.net Unsubscribe : https://launchpad.net/~group.of.nepali.translators More help : https://help.launchpad.net/ListHelp