[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Changed in: linux-flo (Ubuntu Xenial) Status: New => Won't Fix ** Changed in: linux-mako (Ubuntu Xenial) Status: New => Won't Fix ** Changed in: linux-flo (Ubuntu) Status: New => Won't Fix ** Changed in: linux-goldfish (Ubuntu) Status: New => Won't Fix ** Changed in: linux-mako (Ubuntu) Status: New => Won't Fix -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-goldfish in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Released Status in linux-armadaxp package in Ubuntu: Invalid Status in linux-flo package in Ubuntu: Won't Fix Status in linux-goldfish package in Ubuntu: Won't Fix Status in linux-keystone package in Ubuntu: Invalid Status in linux-lts-quantal package in Ubuntu: Invalid Status in linux-lts-raring package in Ubuntu: Invalid Status in linux-lts-saucy package in Ubuntu: Invalid Status in linux-lts-trusty package in Ubuntu: Invalid Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux-lts-vivid package in Ubuntu: Invalid Status in linux-lts-wily package in Ubuntu: Invalid Status in linux-lts-xenial package in Ubuntu: Invalid Status in linux-mako package in Ubuntu: Won't Fix Status in linux-manta package in Ubuntu: Invalid Status in linux-raspi2 package in Ubuntu: Fix Released Status in linux-snapdragon package in Ubuntu: Fix Released Status in linux-ti-omap4 package in Ubuntu: Invalid Status in linux source package in Precise: Fix Released Status in linux-armadaxp source package in Precise: Fix Released Status in linux-flo source package in Precise: Invalid Status in linux-goldfish source package in Precise: Invalid Status in linux-keystone source package in Precise: Invalid Status in linux-lts-quantal source package in Precise: Invalid Status in linux-lts-raring source package in Precise: Invalid Status in linux-lts-saucy source package in Precise: Invalid Status in linux-lts-trusty source package in Precise: Fix Released Status in linux-lts-utopic source package in Precise: Invalid Status in linux-lts-vivid source package in Precise: Invalid Status in linux-lts-wily source package in Precise: Invalid Status in linux-lts-xenial source package in Precise: Invalid Status in linux-mako source package in Precise: Invalid Status in linux-manta source package in Precise: Invalid Status in linux-raspi2 source package in Precise: Invalid Status in linux-snapdragon source package in Precise: Invalid Status in linux-ti-omap4 source package in Precise: Fix Released Status in linux source package in Trusty: Fix Released Status in linux-armadaxp source package in Trusty: Invalid Status in linux-flo source package in Trusty: Invalid Status in linux-goldfish source package in Trusty: Invalid Status in linux-keystone source package in Trusty: Fix Released Status in linux-lts-quantal source package in Trusty: Invalid Status in linux-lts-raring source package in Trusty: Invalid Status in linux-lts-saucy source package in Trusty: Invalid Status in linux-lts-trusty source package in Trusty: Invalid Status in linux-lts-utopic source package in Trusty: Fix Released Status in linux-lts-vivid source package in Trusty: Fix Released Status in linux-lts-wily source package in Trusty: Fix Released Status in linux-lts-xenial source package in Trusty: Fix Released Status in linux-mako source package in Trusty: Invalid Status in linux-manta source package in Trusty: Invalid Status in linux-raspi2 source package in Trusty: Invalid Status in linux-snapdragon source package in Trusty: Invalid Status in linux-ti-omap4 source package in Trusty: Invalid Status in linux source package in Vivid: Fix Released Status in linux-armadaxp source package in Vivid: Invalid Status in linux-flo source package in Vivid: Won't Fix Status in linux-goldfish source package in Vivid: New Status in linux-keystone source package in Vivid: Invalid Status in linux-lts-quantal source package in Vivid: Won't Fix Status in linux-lts-raring source package in Vivid: New Status in linux-lts-saucy source package in Vivid: Won't Fix Status in linux-lts-trusty source package in Vivid: Won't Fix Status in linux-lts-utopic source package in Vivid: Invalid Status in linux-lts-vivid source package in Vivid: Won't Fix Status in linux-lts-wily source package in Vivid: New Status in linux-lts-xenial source package in Vivid: New Status in linux-mako source package in Vivid: Won't Fix Status in linux-manta source package in Vivid: New Status in linux-raspi2 source package in Vivid: Won't Fix Status in linux-snapdragon source package in Vivid: New Status in linux-ti-omap4 source package in Vivid: Invalid Status in linux source package in Wily: Fix Released Status in linux-armadaxp source package in Wily:
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Changed in: linux-goldfish (Ubuntu Xenial) Status: New => Won't Fix -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-goldfish in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Released Status in linux-armadaxp package in Ubuntu: Invalid Status in linux-flo package in Ubuntu: New Status in linux-goldfish package in Ubuntu: New Status in linux-keystone package in Ubuntu: Invalid Status in linux-lts-quantal package in Ubuntu: Invalid Status in linux-lts-raring package in Ubuntu: Invalid Status in linux-lts-saucy package in Ubuntu: Invalid Status in linux-lts-trusty package in Ubuntu: Invalid Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux-lts-vivid package in Ubuntu: Invalid Status in linux-lts-wily package in Ubuntu: Invalid Status in linux-lts-xenial package in Ubuntu: Invalid Status in linux-mako package in Ubuntu: New Status in linux-manta package in Ubuntu: Invalid Status in linux-raspi2 package in Ubuntu: Fix Released Status in linux-snapdragon package in Ubuntu: Fix Released Status in linux-ti-omap4 package in Ubuntu: Invalid Status in linux source package in Precise: Fix Released Status in linux-armadaxp source package in Precise: Fix Released Status in linux-flo source package in Precise: Invalid Status in linux-goldfish source package in Precise: Invalid Status in linux-keystone source package in Precise: Invalid Status in linux-lts-quantal source package in Precise: Invalid Status in linux-lts-raring source package in Precise: Invalid Status in linux-lts-saucy source package in Precise: Invalid Status in linux-lts-trusty source package in Precise: Fix Released Status in linux-lts-utopic source package in Precise: Invalid Status in linux-lts-vivid source package in Precise: Invalid Status in linux-lts-wily source package in Precise: Invalid Status in linux-lts-xenial source package in Precise: Invalid Status in linux-mako source package in Precise: Invalid Status in linux-manta source package in Precise: Invalid Status in linux-raspi2 source package in Precise: Invalid Status in linux-snapdragon source package in Precise: Invalid Status in linux-ti-omap4 source package in Precise: Fix Released Status in linux source package in Trusty: Fix Released Status in linux-armadaxp source package in Trusty: Invalid Status in linux-flo source package in Trusty: Invalid Status in linux-goldfish source package in Trusty: Invalid Status in linux-keystone source package in Trusty: Fix Released Status in linux-lts-quantal source package in Trusty: Invalid Status in linux-lts-raring source package in Trusty: Invalid Status in linux-lts-saucy source package in Trusty: Invalid Status in linux-lts-trusty source package in Trusty: Invalid Status in linux-lts-utopic source package in Trusty: Fix Released Status in linux-lts-vivid source package in Trusty: Fix Released Status in linux-lts-wily source package in Trusty: Fix Released Status in linux-lts-xenial source package in Trusty: Fix Released Status in linux-mako source package in Trusty: Invalid Status in linux-manta source package in Trusty: Invalid Status in linux-raspi2 source package in Trusty: Invalid Status in linux-snapdragon source package in Trusty: Invalid Status in linux-ti-omap4 source package in Trusty: Invalid Status in linux source package in Vivid: Fix Released Status in linux-armadaxp source package in Vivid: Invalid Status in linux-flo source package in Vivid: Won't Fix Status in linux-goldfish source package in Vivid: New Status in linux-keystone source package in Vivid: Invalid Status in linux-lts-quantal source package in Vivid: Won't Fix Status in linux-lts-raring source package in Vivid: New Status in linux-lts-saucy source package in Vivid: Won't Fix Status in linux-lts-trusty source package in Vivid: Won't Fix Status in linux-lts-utopic source package in Vivid: Invalid Status in linux-lts-vivid source package in Vivid: Won't Fix Status in linux-lts-wily source package in Vivid: New Status in linux-lts-xenial source package in Vivid: New Status in linux-mako source package in Vivid: Won't Fix Status in linux-manta source package in Vivid: New Status in linux-raspi2 source package in Vivid: Won't Fix Status in linux-snapdragon source package in Vivid: New Status in linux-ti-omap4 source package in Vivid: Invalid Status in linux source package in Wily: Fix Released Status in linux-armadaxp source package in Wily: Invalid Status in linux-flo source package in Wily: New Status in linux-goldfish source package in Wily: New Status in linux-keystone source package in Wily: Invalid Status in linux-lts-quantal source package in Wily: Invalid Status in linux-lts-raring source package in Wily: Invalid
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Branch linked: lp:ubuntu/trusty-security/linux-lts-wily ** Branch linked: lp:ubuntu/trusty-updates/linux-lts-wily -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-armadaxp in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Released Status in linux-armadaxp package in Ubuntu: Invalid Status in linux-flo package in Ubuntu: New Status in linux-goldfish package in Ubuntu: New Status in linux-keystone package in Ubuntu: Invalid Status in linux-lts-quantal package in Ubuntu: Invalid Status in linux-lts-raring package in Ubuntu: Invalid Status in linux-lts-saucy package in Ubuntu: Invalid Status in linux-lts-trusty package in Ubuntu: Invalid Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux-lts-vivid package in Ubuntu: Invalid Status in linux-lts-wily package in Ubuntu: Invalid Status in linux-lts-xenial package in Ubuntu: Invalid Status in linux-mako package in Ubuntu: New Status in linux-manta package in Ubuntu: Invalid Status in linux-raspi2 package in Ubuntu: Fix Released Status in linux-snapdragon package in Ubuntu: Fix Released Status in linux-ti-omap4 package in Ubuntu: Invalid Status in linux source package in Precise: Fix Released Status in linux-armadaxp source package in Precise: Fix Released Status in linux-flo source package in Precise: Invalid Status in linux-goldfish source package in Precise: Invalid Status in linux-keystone source package in Precise: Invalid Status in linux-lts-quantal source package in Precise: Invalid Status in linux-lts-raring source package in Precise: Invalid Status in linux-lts-saucy source package in Precise: Invalid Status in linux-lts-trusty source package in Precise: Fix Released Status in linux-lts-utopic source package in Precise: Invalid Status in linux-lts-vivid source package in Precise: Invalid Status in linux-lts-wily source package in Precise: Invalid Status in linux-lts-xenial source package in Precise: Invalid Status in linux-mako source package in Precise: Invalid Status in linux-manta source package in Precise: Invalid Status in linux-raspi2 source package in Precise: Invalid Status in linux-snapdragon source package in Precise: Invalid Status in linux-ti-omap4 source package in Precise: Fix Released Status in linux source package in Trusty: Fix Released Status in linux-armadaxp source package in Trusty: Invalid Status in linux-flo source package in Trusty: Invalid Status in linux-goldfish source package in Trusty: Invalid Status in linux-keystone source package in Trusty: Fix Released Status in linux-lts-quantal source package in Trusty: Invalid Status in linux-lts-raring source package in Trusty: Invalid Status in linux-lts-saucy source package in Trusty: Invalid Status in linux-lts-trusty source package in Trusty: Invalid Status in linux-lts-utopic source package in Trusty: Fix Released Status in linux-lts-vivid source package in Trusty: Fix Released Status in linux-lts-wily source package in Trusty: Fix Released Status in linux-lts-xenial source package in Trusty: Fix Released Status in linux-mako source package in Trusty: Invalid Status in linux-manta source package in Trusty: Invalid Status in linux-raspi2 source package in Trusty: Invalid Status in linux-snapdragon source package in Trusty: Invalid Status in linux-ti-omap4 source package in Trusty: Invalid Status in linux source package in Vivid: Fix Released Status in linux-armadaxp source package in Vivid: Invalid Status in linux-flo source package in Vivid: New Status in linux-goldfish source package in Vivid: New Status in linux-keystone source package in Vivid: Invalid Status in linux-lts-quantal source package in Vivid: New Status in linux-lts-raring source package in Vivid: New Status in linux-lts-saucy source package in Vivid: New Status in linux-lts-trusty source package in Vivid: New Status in linux-lts-utopic source package in Vivid: Invalid Status in linux-lts-vivid source package in Vivid: New Status in linux-lts-wily source package in Vivid: New Status in linux-lts-xenial source package in Vivid: New Status in linux-mako source package in Vivid: New Status in linux-manta source package in Vivid: New Status in linux-raspi2 source package in Vivid: New Status in linux-snapdragon source package in Vivid: New Status in linux-ti-omap4 source package in Vivid: Invalid Status in linux source package in Wily: Fix Released Status in linux-armadaxp source package in Wily: Invalid Status in linux-flo source package in Wily: New Status in linux-goldfish source package in Wily: New Status in linux-keystone source package in Wily: Invalid Status in linux-lts-quantal source package in Wily: Invalid Status in linux-lts-raring source package in Wily: Invalid St
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial ** Tags removed: verification-needed-precise verification-needed-trusty verification-needed-vivid verification-needed-wily ** Tags added: verification-done-precise verification-done-trusty verification-done-vivid verification-done-wily -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-armadaxp in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Released Status in linux-armadaxp package in Ubuntu: Invalid Status in linux-flo package in Ubuntu: New Status in linux-goldfish package in Ubuntu: New Status in linux-keystone package in Ubuntu: Invalid Status in linux-lts-quantal package in Ubuntu: Invalid Status in linux-lts-raring package in Ubuntu: Invalid Status in linux-lts-saucy package in Ubuntu: Invalid Status in linux-lts-trusty package in Ubuntu: Invalid Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux-lts-vivid package in Ubuntu: Invalid Status in linux-lts-wily package in Ubuntu: Invalid Status in linux-lts-xenial package in Ubuntu: Invalid Status in linux-mako package in Ubuntu: New Status in linux-manta package in Ubuntu: Invalid Status in linux-raspi2 package in Ubuntu: Fix Released Status in linux-snapdragon package in Ubuntu: Fix Released Status in linux-ti-omap4 package in Ubuntu: Invalid Status in linux source package in Precise: Fix Released Status in linux-armadaxp source package in Precise: Fix Released Status in linux-flo source package in Precise: Invalid Status in linux-goldfish source package in Precise: Invalid Status in linux-keystone source package in Precise: Invalid Status in linux-lts-quantal source package in Precise: Invalid Status in linux-lts-raring source package in Precise: Invalid Status in linux-lts-saucy source package in Precise: Invalid Status in linux-lts-trusty source package in Precise: Fix Released Status in linux-lts-utopic source package in Precise: Invalid Status in linux-lts-vivid source package in Precise: Invalid Status in linux-lts-wily source package in Precise: Invalid Status in linux-lts-xenial source package in Precise: Invalid Status in linux-mako source package in Precise: Invalid Status in linux-manta source package in Precise: Invalid Status in linux-raspi2 source package in Precise: Invalid Status in linux-snapdragon source package in Precise: Invalid Status in linux-ti-omap4 source package in Precise: Fix Released Status in linux source package in Trusty: Fix Released Status in linux-armadaxp source package in Trusty: Invalid Status in linux-flo source package in Trusty: Invalid Status in linux-goldfish source package in Trusty: Invalid Status in linux-keystone source package in Trusty: Fix Released Status in linux-lts-quantal source package in Trusty: Invalid Status in linux-lts-raring source package in Trusty: Invalid Status in linux-lts-saucy source package in Trusty: Invalid Status in linux-lts-trusty source package in Trusty: Invalid Status in linux-lts-utopic source package in Trusty: Fix Released Status in linux-lts-vivid source package in Trusty: Fix Released Status in linux-lts-wily source package in Trusty: Fix Released Status in linux-lts-xenial source package in Trusty: Fix Released Status in linux-mako source package in Trusty: Invalid Status in linux-manta source package in Trusty: Invalid Status in linux-raspi2 source package in Trusty: Invalid Status in linux-snapdragon source package in Trusty: Invalid Status in linux-ti-omap4 source package in Trusty: Invalid Status in linux source package in Vivid: Fix Released Status in linux-armadaxp source package in Vivid: Invalid Status in linux-flo source package in Vivid: New Status in linux-goldfish source package in Vivid: New Status in linux-keystone source package in Vivid: Invalid Status in linux-lts-quantal source package in Vivid: New Status in linux-lts-raring source package in Vivid: New Status in linux-lts-saucy source package in Vivid: New Status in linux-lts-trusty source package in Vivid: New Status in linux-lts-utopic source package in Vivid: Invalid Status in linux-lts-vivid source package in Vivid: New Status in linux-lts-wily source package in Vivid: New Status in linux-lts-xenial source package in Vivid: New Status in linux-mako source package in Vivid: New Status in linux-manta source package in Vivid: New Status in linux-raspi2 source package in Vivid: New Status in linux-snapdragon source package in Vivid: New Status in linux-ti-omap4 source package in Vivid: Invalid Status in linux source package in Wily: Fix Released Status in linux-armadaxp source package in Wily: Invalid Status in linux-flo source package in Wily: New Status in linux-goldfish source pa
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed- precise' to 'verification-done-precise'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-precise -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-armadaxp in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Released Status in linux-armadaxp package in Ubuntu: Invalid Status in linux-flo package in Ubuntu: New Status in linux-goldfish package in Ubuntu: New Status in linux-keystone package in Ubuntu: Invalid Status in linux-lts-quantal package in Ubuntu: Invalid Status in linux-lts-raring package in Ubuntu: Invalid Status in linux-lts-saucy package in Ubuntu: Invalid Status in linux-lts-trusty package in Ubuntu: Invalid Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux-lts-vivid package in Ubuntu: Invalid Status in linux-lts-wily package in Ubuntu: Invalid Status in linux-lts-xenial package in Ubuntu: Invalid Status in linux-mako package in Ubuntu: New Status in linux-manta package in Ubuntu: Invalid Status in linux-raspi2 package in Ubuntu: Fix Released Status in linux-snapdragon package in Ubuntu: Fix Released Status in linux-ti-omap4 package in Ubuntu: Invalid Status in linux source package in Precise: Fix Released Status in linux-armadaxp source package in Precise: Fix Released Status in linux-flo source package in Precise: Invalid Status in linux-goldfish source package in Precise: Invalid Status in linux-keystone source package in Precise: Invalid Status in linux-lts-quantal source package in Precise: Invalid Status in linux-lts-raring source package in Precise: Invalid Status in linux-lts-saucy source package in Precise: Invalid Status in linux-lts-trusty source package in Precise: Fix Released Status in linux-lts-utopic source package in Precise: Invalid Status in linux-lts-vivid source package in Precise: Invalid Status in linux-lts-wily source package in Precise: Invalid Status in linux-lts-xenial source package in Precise: Invalid Status in linux-mako source package in Precise: Invalid Status in linux-manta source package in Precise: Invalid Status in linux-raspi2 source package in Precise: Invalid Status in linux-snapdragon source package in Precise: Invalid Status in linux-ti-omap4 source package in Precise: Fix Released Status in linux source package in Trusty: Fix Released Status in linux-armadaxp source package in Trusty: Invalid Status in linux-flo source package in Trusty: Invalid Status in linux-goldfish source package in Trusty: Invalid Status in linux-keystone source package in Trusty: Fix Released Status in linux-lts-quantal source package in Trusty: Invalid Status in linux-lts-raring source package in Trusty: Invalid Status in linux-lts-saucy source package in Trusty: Invalid Status in linux-lts-trusty source package in Trusty: Invalid Status in linux-lts-utopic source package in Trusty: Fix Released Status in linux-lts-vivid source package in Trusty: Fix Released Status in linux-lts-wily source package in Trusty: Fix Released Status in linux-lts-xenial source package in Trusty: Fix Released Status in linux-mako source package in Trusty: Invalid Status in linux-manta source package in Trusty: Invalid Status in linux-raspi2 source package in Trusty: Invalid Status in linux-snapdragon source package in Trusty: Invalid Status in linux-ti-omap4 source package in Trusty: Invalid Status in linux source package in Vivid: Fix Released Status in linux-armadaxp source package in Vivid: Invalid Status in linux-flo source package in Vivid: New Status in linux-goldfish source package in Vivid: New Status in linux-keystone source package in Vivid: Invalid Status in linux-lts-quantal source package in Vivid: New Status in linux-lts-raring source package in Vivid: New Status in linux-lts-saucy source package in Vivid: New Status in linux-lts-trusty source package in Vivid: New Status in linux-lts-utopic source package in Vivid: Invalid Status in linux-lts-vivid source package in Vivid: New Status in linux-lts-wily source package in Vivid: New Status in linux-lts-xenial source package in Vivid: New Status in linux-mako source package in Vivid: New Status in linux-manta source package in Vivid: New Status in linux-raspi2 source package in Vivid: New Status in linux-snapdragon source package in Vivid: New Status in linux-ti-omap4 source package
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
This bug was fixed in the package linux-raspi2 - 4.4.0-1016.22 --- linux-raspi2 (4.4.0-1016.22) xenial; urgency=low [ Luis Henriques ] * Release Tracking Bug - LP: #1595881 * Rebase against Ubuntu-4.4.0-28.47 [ Ubuntu: 4.4.0-28.47 ] * Release Tracking Bug - LP: #1595874 * Linux netfilter local privilege escalation issues (LP: #1595350) - netfilter: x_tables: don't move to non-existent next rule - netfilter: x_tables: validate targets of jumps - netfilter: x_tables: add and use xt_check_entry_offsets - netfilter: x_tables: kill check_entry helper - netfilter: x_tables: assert minimum target size - netfilter: x_tables: add compat version of xt_check_entry_offsets - netfilter: x_tables: check standard target size too - netfilter: x_tables: check for bogus target offset - netfilter: x_tables: validate all offsets and sizes in a rule - netfilter: x_tables: don't reject valid target size on some architectures - netfilter: arp_tables: simplify translate_compat_table args - netfilter: ip_tables: simplify translate_compat_table args - netfilter: ip6_tables: simplify translate_compat_table args - netfilter: x_tables: xt_compat_match_from_user doesn't need a retval - netfilter: x_tables: do compat validation via translate_table - netfilter: x_tables: introduce and use xt_copy_counters_from_user * Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338) - netfilter: x_tables: validate e->target_offset early - netfilter: x_tables: make sure e->next_offset covers remaining blob size - netfilter: x_tables: fix unconditional helper linux-raspi2 (4.4.0-1015.19) xenial; urgency=low [ Kamal Mostafa ] * Release Tracking Bug - LP: #1594928 [ Ubuntu: 4.4.0-27.46 ] * Support Edge Gateway's Bluetooth LED (LP: #1512999) - Revert "UBUNTU: SAUCE: Bluetooth: Support for LED on Marvell modules" linux-raspi2 (4.4.0-1014.18) xenial; urgency=low [ Kamal Mostafa ] * Release Tracking Bug - LP: #1594478 [ Ubuntu: 4.4.0-26.45 ] * linux: Implement secure boot state variables (LP: #1593075) - SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl * failures building userspace packages that include ethtool.h (LP: #1592930) - ethtool.h: define INT_MAX for userland linux-raspi2 (4.4.0-1013.17) xenial; urgency=low [ Kamal Mostafa ] * Release Tracking Bug - LP: #1591461 [ Ubuntu: 4.4.0-25.44 ] * Xenial update to v4.4.13 stable release (LP: #1590455) - MIPS64: R6: R2 emulation bugfix - MIPS: math-emu: Fix jalr emulation when rd == $0 - MIPS: MSA: Fix a link error on `_init_msa_upper' with older GCC - MIPS: Don't unwind to user mode with EVA - MIPS: Avoid using unwind_stack() with usermode - MIPS: Fix siginfo.h to use strict posix types - MIPS: Fix uapi include in exported asm/siginfo.h - MIPS: Fix watchpoint restoration - MIPS: Flush highmem pages in __flush_dcache_page - MIPS: Handle highmem pages in __update_cache - MIPS: Sync icache & dcache in set_pte_at - MIPS: ath79: make bootconsole wait for both THRE and TEMT - MIPS: Reserve nosave data for hibernation - MIPS: Loongson-3: Reserve 32MB for RS780E integrated GPU - MIPS: Use copy_s.fmt rather than copy_u.fmt - MIPS: Fix MSA ld_*/st_* asm macros to use PTR_ADDU - MIPS: Prevent "restoration" of MSA context in non-MSA kernels - MIPS: Disable preemption during prctl(PR_SET_FP_MODE, ...) - MIPS: ptrace: Fix FP context restoration FCSR regression - MIPS: ptrace: Prevent writes to read-only FCSR bits - MIPS: Fix sigreturn via VDSO on microMIPS kernel - MIPS: Build microMIPS VDSO for microMIPS kernels - MIPS: lib: Mark intrinsics notrace - MIPS: VDSO: Build with `-fno-strict-aliasing' - affs: fix remount failure when there are no options changed - ASoC: ak4642: Enable cache usage to fix crashes on resume - Input: uinput - handle compat ioctl for UI_SET_PHYS - ARM: mvebu: fix GPIO config on the Linksys boards - ARM: dts: at91: fix typo in sama5d2 PIN_PD24 description - ARM: dts: exynos: Add interrupt line to MAX8997 PMIC on exynos4210-trats - ARM: dts: imx35: restore existing used clock enumeration - ath9k: Add a module parameter to invert LED polarity. - ath9k: Fix LED polarity for some Mini PCI AR9220 MB92 cards. - ath10k: fix debugfs pktlog_filter write - ath10k: fix firmware assert in monitor mode - ath10k: fix rx_channel during hw reconfigure - ath10k: fix kernel panic, move arvifs list head init before htt init - ath5k: Change led pin configuration for compaq c700 laptop - hwrng: exynos - Fix unbalanced PM runtime put on timeout error path - rtlwifi: rtl8723be: Add antenna select module parameter - rtlwifi: btcoexist: Implement antenna selection - rtlwifi: Fix logic error in enter/exit power-save mode - rtlwifi: pci: use dev_kfree_sk
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
This bug was fixed in the package linux-raspi2 - 4.4.0-1016.22 --- linux-raspi2 (4.4.0-1016.22) xenial; urgency=low [ Luis Henriques ] * Release Tracking Bug - LP: #1595881 * Rebase against Ubuntu-4.4.0-28.47 [ Ubuntu: 4.4.0-28.47 ] * Release Tracking Bug - LP: #1595874 * Linux netfilter local privilege escalation issues (LP: #1595350) - netfilter: x_tables: don't move to non-existent next rule - netfilter: x_tables: validate targets of jumps - netfilter: x_tables: add and use xt_check_entry_offsets - netfilter: x_tables: kill check_entry helper - netfilter: x_tables: assert minimum target size - netfilter: x_tables: add compat version of xt_check_entry_offsets - netfilter: x_tables: check standard target size too - netfilter: x_tables: check for bogus target offset - netfilter: x_tables: validate all offsets and sizes in a rule - netfilter: x_tables: don't reject valid target size on some architectures - netfilter: arp_tables: simplify translate_compat_table args - netfilter: ip_tables: simplify translate_compat_table args - netfilter: ip6_tables: simplify translate_compat_table args - netfilter: x_tables: xt_compat_match_from_user doesn't need a retval - netfilter: x_tables: do compat validation via translate_table - netfilter: x_tables: introduce and use xt_copy_counters_from_user * Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338) - netfilter: x_tables: validate e->target_offset early - netfilter: x_tables: make sure e->next_offset covers remaining blob size - netfilter: x_tables: fix unconditional helper linux-raspi2 (4.4.0-1015.19) xenial; urgency=low [ Kamal Mostafa ] * Release Tracking Bug - LP: #1594928 [ Ubuntu: 4.4.0-27.46 ] * Support Edge Gateway's Bluetooth LED (LP: #1512999) - Revert "UBUNTU: SAUCE: Bluetooth: Support for LED on Marvell modules" linux-raspi2 (4.4.0-1014.18) xenial; urgency=low [ Kamal Mostafa ] * Release Tracking Bug - LP: #1594478 [ Ubuntu: 4.4.0-26.45 ] * linux: Implement secure boot state variables (LP: #1593075) - SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl * failures building userspace packages that include ethtool.h (LP: #1592930) - ethtool.h: define INT_MAX for userland linux-raspi2 (4.4.0-1013.17) xenial; urgency=low [ Kamal Mostafa ] * Release Tracking Bug - LP: #1591461 [ Ubuntu: 4.4.0-25.44 ] * Xenial update to v4.4.13 stable release (LP: #1590455) - MIPS64: R6: R2 emulation bugfix - MIPS: math-emu: Fix jalr emulation when rd == $0 - MIPS: MSA: Fix a link error on `_init_msa_upper' with older GCC - MIPS: Don't unwind to user mode with EVA - MIPS: Avoid using unwind_stack() with usermode - MIPS: Fix siginfo.h to use strict posix types - MIPS: Fix uapi include in exported asm/siginfo.h - MIPS: Fix watchpoint restoration - MIPS: Flush highmem pages in __flush_dcache_page - MIPS: Handle highmem pages in __update_cache - MIPS: Sync icache & dcache in set_pte_at - MIPS: ath79: make bootconsole wait for both THRE and TEMT - MIPS: Reserve nosave data for hibernation - MIPS: Loongson-3: Reserve 32MB for RS780E integrated GPU - MIPS: Use copy_s.fmt rather than copy_u.fmt - MIPS: Fix MSA ld_*/st_* asm macros to use PTR_ADDU - MIPS: Prevent "restoration" of MSA context in non-MSA kernels - MIPS: Disable preemption during prctl(PR_SET_FP_MODE, ...) - MIPS: ptrace: Fix FP context restoration FCSR regression - MIPS: ptrace: Prevent writes to read-only FCSR bits - MIPS: Fix sigreturn via VDSO on microMIPS kernel - MIPS: Build microMIPS VDSO for microMIPS kernels - MIPS: lib: Mark intrinsics notrace - MIPS: VDSO: Build with `-fno-strict-aliasing' - affs: fix remount failure when there are no options changed - ASoC: ak4642: Enable cache usage to fix crashes on resume - Input: uinput - handle compat ioctl for UI_SET_PHYS - ARM: mvebu: fix GPIO config on the Linksys boards - ARM: dts: at91: fix typo in sama5d2 PIN_PD24 description - ARM: dts: exynos: Add interrupt line to MAX8997 PMIC on exynos4210-trats - ARM: dts: imx35: restore existing used clock enumeration - ath9k: Add a module parameter to invert LED polarity. - ath9k: Fix LED polarity for some Mini PCI AR9220 MB92 cards. - ath10k: fix debugfs pktlog_filter write - ath10k: fix firmware assert in monitor mode - ath10k: fix rx_channel during hw reconfigure - ath10k: fix kernel panic, move arvifs list head init before htt init - ath5k: Change led pin configuration for compaq c700 laptop - hwrng: exynos - Fix unbalanced PM runtime put on timeout error path - rtlwifi: rtl8723be: Add antenna select module parameter - rtlwifi: btcoexist: Implement antenna selection - rtlwifi: Fix logic error in enter/exit power-save mode - rtlwifi: pci: use dev_kfree_sk
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
This bug was fixed in the package linux-snapdragon - 4.4.0-1019.22 --- linux-snapdragon (4.4.0-1019.22) xenial; urgency=low [ Kamal Mostafa ] * Release Tracking Bug - LP: #1595882 [ Ubuntu: 4.4.0-28.47 ] * Linux netfilter local privilege escalation issues (LP: #1595350) - netfilter: x_tables: don't move to non-existent next rule - netfilter: x_tables: validate targets of jumps - netfilter: x_tables: add and use xt_check_entry_offsets - netfilter: x_tables: kill check_entry helper - netfilter: x_tables: assert minimum target size - netfilter: x_tables: add compat version of xt_check_entry_offsets - netfilter: x_tables: check standard target size too - netfilter: x_tables: check for bogus target offset - netfilter: x_tables: validate all offsets and sizes in a rule - netfilter: x_tables: don't reject valid target size on some architectures - netfilter: arp_tables: simplify translate_compat_table args - netfilter: ip_tables: simplify translate_compat_table args - netfilter: ip6_tables: simplify translate_compat_table args - netfilter: x_tables: xt_compat_match_from_user doesn't need a retval - netfilter: x_tables: do compat validation via translate_table - netfilter: x_tables: introduce and use xt_copy_counters_from_user * Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338) - netfilter: x_tables: validate e->target_offset early - netfilter: x_tables: make sure e->next_offset covers remaining blob size - netfilter: x_tables: fix unconditional helper linux-snapdragon (4.4.0-1018.21) xenial; urgency=low [ Kamal Mostafa ] * Release Tracking Bug - LP: #1594929 [ Ubuntu: 4.4.0-27.46 ] * Support Edge Gateway's Bluetooth LED (LP: #1512999) - Revert "UBUNTU: SAUCE: Bluetooth: Support for LED on Marvell modules" linux-snapdragon (4.4.0-1017.20) xenial; urgency=low [ Kamal Mostafa ] * Release Tracking Bug - LP: #1594480 [ Ubuntu: 4.4.0-26.45 ] * linux: Implement secure boot state variables (LP: #1593075) - SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl * failures building userspace packages that include ethtool.h (LP: #1592930) - ethtool.h: define INT_MAX for userland linux-snapdragon (4.4.0-1016.19) xenial; urgency=low [ Kamal Mostafa ] * Release Tracking Bug - LP: #1591462 [ Ubuntu: 4.4.0-25.44 ] * Xenial update to v4.4.13 stable release (LP: #1590455) - MIPS64: R6: R2 emulation bugfix - MIPS: math-emu: Fix jalr emulation when rd == $0 - MIPS: MSA: Fix a link error on `_init_msa_upper' with older GCC - MIPS: Don't unwind to user mode with EVA - MIPS: Avoid using unwind_stack() with usermode - MIPS: Fix siginfo.h to use strict posix types - MIPS: Fix uapi include in exported asm/siginfo.h - MIPS: Fix watchpoint restoration - MIPS: Flush highmem pages in __flush_dcache_page - MIPS: Handle highmem pages in __update_cache - MIPS: Sync icache & dcache in set_pte_at - MIPS: ath79: make bootconsole wait for both THRE and TEMT - MIPS: Reserve nosave data for hibernation - MIPS: Loongson-3: Reserve 32MB for RS780E integrated GPU - MIPS: Use copy_s.fmt rather than copy_u.fmt - MIPS: Fix MSA ld_*/st_* asm macros to use PTR_ADDU - MIPS: Prevent "restoration" of MSA context in non-MSA kernels - MIPS: Disable preemption during prctl(PR_SET_FP_MODE, ...) - MIPS: ptrace: Fix FP context restoration FCSR regression - MIPS: ptrace: Prevent writes to read-only FCSR bits - MIPS: Fix sigreturn via VDSO on microMIPS kernel - MIPS: Build microMIPS VDSO for microMIPS kernels - MIPS: lib: Mark intrinsics notrace - MIPS: VDSO: Build with `-fno-strict-aliasing' - affs: fix remount failure when there are no options changed - ASoC: ak4642: Enable cache usage to fix crashes on resume - Input: uinput - handle compat ioctl for UI_SET_PHYS - ARM: mvebu: fix GPIO config on the Linksys boards - ARM: dts: at91: fix typo in sama5d2 PIN_PD24 description - ARM: dts: exynos: Add interrupt line to MAX8997 PMIC on exynos4210-trats - ARM: dts: imx35: restore existing used clock enumeration - ath9k: Add a module parameter to invert LED polarity. - ath9k: Fix LED polarity for some Mini PCI AR9220 MB92 cards. - ath10k: fix debugfs pktlog_filter write - ath10k: fix firmware assert in monitor mode - ath10k: fix rx_channel during hw reconfigure - ath10k: fix kernel panic, move arvifs list head init before htt init - ath5k: Change led pin configuration for compaq c700 laptop - hwrng: exynos - Fix unbalanced PM runtime put on timeout error path - rtlwifi: rtl8723be: Add antenna select module parameter - rtlwifi: btcoexist: Implement antenna selection - rtlwifi: Fix logic error in enter/exit power-save mode - rtlwifi: pci: use dev_kfree_skb_irq instead of kfree_skb in rtl_pci_reset_trx_ring -
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
This bug was fixed in the package linux-snapdragon - 4.4.0-1019.22 --- linux-snapdragon (4.4.0-1019.22) xenial; urgency=low [ Kamal Mostafa ] * Release Tracking Bug - LP: #1595882 [ Ubuntu: 4.4.0-28.47 ] * Linux netfilter local privilege escalation issues (LP: #1595350) - netfilter: x_tables: don't move to non-existent next rule - netfilter: x_tables: validate targets of jumps - netfilter: x_tables: add and use xt_check_entry_offsets - netfilter: x_tables: kill check_entry helper - netfilter: x_tables: assert minimum target size - netfilter: x_tables: add compat version of xt_check_entry_offsets - netfilter: x_tables: check standard target size too - netfilter: x_tables: check for bogus target offset - netfilter: x_tables: validate all offsets and sizes in a rule - netfilter: x_tables: don't reject valid target size on some architectures - netfilter: arp_tables: simplify translate_compat_table args - netfilter: ip_tables: simplify translate_compat_table args - netfilter: ip6_tables: simplify translate_compat_table args - netfilter: x_tables: xt_compat_match_from_user doesn't need a retval - netfilter: x_tables: do compat validation via translate_table - netfilter: x_tables: introduce and use xt_copy_counters_from_user * Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338) - netfilter: x_tables: validate e->target_offset early - netfilter: x_tables: make sure e->next_offset covers remaining blob size - netfilter: x_tables: fix unconditional helper linux-snapdragon (4.4.0-1018.21) xenial; urgency=low [ Kamal Mostafa ] * Release Tracking Bug - LP: #1594929 [ Ubuntu: 4.4.0-27.46 ] * Support Edge Gateway's Bluetooth LED (LP: #1512999) - Revert "UBUNTU: SAUCE: Bluetooth: Support for LED on Marvell modules" linux-snapdragon (4.4.0-1017.20) xenial; urgency=low [ Kamal Mostafa ] * Release Tracking Bug - LP: #1594480 [ Ubuntu: 4.4.0-26.45 ] * linux: Implement secure boot state variables (LP: #1593075) - SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl * failures building userspace packages that include ethtool.h (LP: #1592930) - ethtool.h: define INT_MAX for userland linux-snapdragon (4.4.0-1016.19) xenial; urgency=low [ Kamal Mostafa ] * Release Tracking Bug - LP: #1591462 [ Ubuntu: 4.4.0-25.44 ] * Xenial update to v4.4.13 stable release (LP: #1590455) - MIPS64: R6: R2 emulation bugfix - MIPS: math-emu: Fix jalr emulation when rd == $0 - MIPS: MSA: Fix a link error on `_init_msa_upper' with older GCC - MIPS: Don't unwind to user mode with EVA - MIPS: Avoid using unwind_stack() with usermode - MIPS: Fix siginfo.h to use strict posix types - MIPS: Fix uapi include in exported asm/siginfo.h - MIPS: Fix watchpoint restoration - MIPS: Flush highmem pages in __flush_dcache_page - MIPS: Handle highmem pages in __update_cache - MIPS: Sync icache & dcache in set_pte_at - MIPS: ath79: make bootconsole wait for both THRE and TEMT - MIPS: Reserve nosave data for hibernation - MIPS: Loongson-3: Reserve 32MB for RS780E integrated GPU - MIPS: Use copy_s.fmt rather than copy_u.fmt - MIPS: Fix MSA ld_*/st_* asm macros to use PTR_ADDU - MIPS: Prevent "restoration" of MSA context in non-MSA kernels - MIPS: Disable preemption during prctl(PR_SET_FP_MODE, ...) - MIPS: ptrace: Fix FP context restoration FCSR regression - MIPS: ptrace: Prevent writes to read-only FCSR bits - MIPS: Fix sigreturn via VDSO on microMIPS kernel - MIPS: Build microMIPS VDSO for microMIPS kernels - MIPS: lib: Mark intrinsics notrace - MIPS: VDSO: Build with `-fno-strict-aliasing' - affs: fix remount failure when there are no options changed - ASoC: ak4642: Enable cache usage to fix crashes on resume - Input: uinput - handle compat ioctl for UI_SET_PHYS - ARM: mvebu: fix GPIO config on the Linksys boards - ARM: dts: at91: fix typo in sama5d2 PIN_PD24 description - ARM: dts: exynos: Add interrupt line to MAX8997 PMIC on exynos4210-trats - ARM: dts: imx35: restore existing used clock enumeration - ath9k: Add a module parameter to invert LED polarity. - ath9k: Fix LED polarity for some Mini PCI AR9220 MB92 cards. - ath10k: fix debugfs pktlog_filter write - ath10k: fix firmware assert in monitor mode - ath10k: fix rx_channel during hw reconfigure - ath10k: fix kernel panic, move arvifs list head init before htt init - ath5k: Change led pin configuration for compaq c700 laptop - hwrng: exynos - Fix unbalanced PM runtime put on timeout error path - rtlwifi: rtl8723be: Add antenna select module parameter - rtlwifi: btcoexist: Implement antenna selection - rtlwifi: Fix logic error in enter/exit power-save mode - rtlwifi: pci: use dev_kfree_skb_irq instead of kfree_skb in rtl_pci_reset_trx_ring -
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
This bug was fixed in the package linux-raspi2 - 4.4.0-1016.22 --- linux-raspi2 (4.4.0-1016.22) xenial; urgency=low [ Luis Henriques ] * Release Tracking Bug - LP: #1595881 * Rebase against Ubuntu-4.4.0-28.47 [ Ubuntu: 4.4.0-28.47 ] * Release Tracking Bug - LP: #1595874 * Linux netfilter local privilege escalation issues (LP: #1595350) - netfilter: x_tables: don't move to non-existent next rule - netfilter: x_tables: validate targets of jumps - netfilter: x_tables: add and use xt_check_entry_offsets - netfilter: x_tables: kill check_entry helper - netfilter: x_tables: assert minimum target size - netfilter: x_tables: add compat version of xt_check_entry_offsets - netfilter: x_tables: check standard target size too - netfilter: x_tables: check for bogus target offset - netfilter: x_tables: validate all offsets and sizes in a rule - netfilter: x_tables: don't reject valid target size on some architectures - netfilter: arp_tables: simplify translate_compat_table args - netfilter: ip_tables: simplify translate_compat_table args - netfilter: ip6_tables: simplify translate_compat_table args - netfilter: x_tables: xt_compat_match_from_user doesn't need a retval - netfilter: x_tables: do compat validation via translate_table - netfilter: x_tables: introduce and use xt_copy_counters_from_user * Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338) - netfilter: x_tables: validate e->target_offset early - netfilter: x_tables: make sure e->next_offset covers remaining blob size - netfilter: x_tables: fix unconditional helper linux-raspi2 (4.4.0-1015.19) xenial; urgency=low [ Kamal Mostafa ] * Release Tracking Bug - LP: #1594928 [ Ubuntu: 4.4.0-27.46 ] * Support Edge Gateway's Bluetooth LED (LP: #1512999) - Revert "UBUNTU: SAUCE: Bluetooth: Support for LED on Marvell modules" linux-raspi2 (4.4.0-1014.18) xenial; urgency=low [ Kamal Mostafa ] * Release Tracking Bug - LP: #1594478 [ Ubuntu: 4.4.0-26.45 ] * linux: Implement secure boot state variables (LP: #1593075) - SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl * failures building userspace packages that include ethtool.h (LP: #1592930) - ethtool.h: define INT_MAX for userland linux-raspi2 (4.4.0-1013.17) xenial; urgency=low [ Kamal Mostafa ] * Release Tracking Bug - LP: #1591461 [ Ubuntu: 4.4.0-25.44 ] * Xenial update to v4.4.13 stable release (LP: #1590455) - MIPS64: R6: R2 emulation bugfix - MIPS: math-emu: Fix jalr emulation when rd == $0 - MIPS: MSA: Fix a link error on `_init_msa_upper' with older GCC - MIPS: Don't unwind to user mode with EVA - MIPS: Avoid using unwind_stack() with usermode - MIPS: Fix siginfo.h to use strict posix types - MIPS: Fix uapi include in exported asm/siginfo.h - MIPS: Fix watchpoint restoration - MIPS: Flush highmem pages in __flush_dcache_page - MIPS: Handle highmem pages in __update_cache - MIPS: Sync icache & dcache in set_pte_at - MIPS: ath79: make bootconsole wait for both THRE and TEMT - MIPS: Reserve nosave data for hibernation - MIPS: Loongson-3: Reserve 32MB for RS780E integrated GPU - MIPS: Use copy_s.fmt rather than copy_u.fmt - MIPS: Fix MSA ld_*/st_* asm macros to use PTR_ADDU - MIPS: Prevent "restoration" of MSA context in non-MSA kernels - MIPS: Disable preemption during prctl(PR_SET_FP_MODE, ...) - MIPS: ptrace: Fix FP context restoration FCSR regression - MIPS: ptrace: Prevent writes to read-only FCSR bits - MIPS: Fix sigreturn via VDSO on microMIPS kernel - MIPS: Build microMIPS VDSO for microMIPS kernels - MIPS: lib: Mark intrinsics notrace - MIPS: VDSO: Build with `-fno-strict-aliasing' - affs: fix remount failure when there are no options changed - ASoC: ak4642: Enable cache usage to fix crashes on resume - Input: uinput - handle compat ioctl for UI_SET_PHYS - ARM: mvebu: fix GPIO config on the Linksys boards - ARM: dts: at91: fix typo in sama5d2 PIN_PD24 description - ARM: dts: exynos: Add interrupt line to MAX8997 PMIC on exynos4210-trats - ARM: dts: imx35: restore existing used clock enumeration - ath9k: Add a module parameter to invert LED polarity. - ath9k: Fix LED polarity for some Mini PCI AR9220 MB92 cards. - ath10k: fix debugfs pktlog_filter write - ath10k: fix firmware assert in monitor mode - ath10k: fix rx_channel during hw reconfigure - ath10k: fix kernel panic, move arvifs list head init before htt init - ath5k: Change led pin configuration for compaq c700 laptop - hwrng: exynos - Fix unbalanced PM runtime put on timeout error path - rtlwifi: rtl8723be: Add antenna select module parameter - rtlwifi: btcoexist: Implement antenna selection - rtlwifi: Fix logic error in enter/exit power-save mode - rtlwifi: pci: use dev_kfree_sk
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
This bug was fixed in the package linux-snapdragon - 4.4.0-1019.22 --- linux-snapdragon (4.4.0-1019.22) xenial; urgency=low [ Kamal Mostafa ] * Release Tracking Bug - LP: #1595882 [ Ubuntu: 4.4.0-28.47 ] * Linux netfilter local privilege escalation issues (LP: #1595350) - netfilter: x_tables: don't move to non-existent next rule - netfilter: x_tables: validate targets of jumps - netfilter: x_tables: add and use xt_check_entry_offsets - netfilter: x_tables: kill check_entry helper - netfilter: x_tables: assert minimum target size - netfilter: x_tables: add compat version of xt_check_entry_offsets - netfilter: x_tables: check standard target size too - netfilter: x_tables: check for bogus target offset - netfilter: x_tables: validate all offsets and sizes in a rule - netfilter: x_tables: don't reject valid target size on some architectures - netfilter: arp_tables: simplify translate_compat_table args - netfilter: ip_tables: simplify translate_compat_table args - netfilter: ip6_tables: simplify translate_compat_table args - netfilter: x_tables: xt_compat_match_from_user doesn't need a retval - netfilter: x_tables: do compat validation via translate_table - netfilter: x_tables: introduce and use xt_copy_counters_from_user * Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338) - netfilter: x_tables: validate e->target_offset early - netfilter: x_tables: make sure e->next_offset covers remaining blob size - netfilter: x_tables: fix unconditional helper linux-snapdragon (4.4.0-1018.21) xenial; urgency=low [ Kamal Mostafa ] * Release Tracking Bug - LP: #1594929 [ Ubuntu: 4.4.0-27.46 ] * Support Edge Gateway's Bluetooth LED (LP: #1512999) - Revert "UBUNTU: SAUCE: Bluetooth: Support for LED on Marvell modules" linux-snapdragon (4.4.0-1017.20) xenial; urgency=low [ Kamal Mostafa ] * Release Tracking Bug - LP: #1594480 [ Ubuntu: 4.4.0-26.45 ] * linux: Implement secure boot state variables (LP: #1593075) - SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl * failures building userspace packages that include ethtool.h (LP: #1592930) - ethtool.h: define INT_MAX for userland linux-snapdragon (4.4.0-1016.19) xenial; urgency=low [ Kamal Mostafa ] * Release Tracking Bug - LP: #1591462 [ Ubuntu: 4.4.0-25.44 ] * Xenial update to v4.4.13 stable release (LP: #1590455) - MIPS64: R6: R2 emulation bugfix - MIPS: math-emu: Fix jalr emulation when rd == $0 - MIPS: MSA: Fix a link error on `_init_msa_upper' with older GCC - MIPS: Don't unwind to user mode with EVA - MIPS: Avoid using unwind_stack() with usermode - MIPS: Fix siginfo.h to use strict posix types - MIPS: Fix uapi include in exported asm/siginfo.h - MIPS: Fix watchpoint restoration - MIPS: Flush highmem pages in __flush_dcache_page - MIPS: Handle highmem pages in __update_cache - MIPS: Sync icache & dcache in set_pte_at - MIPS: ath79: make bootconsole wait for both THRE and TEMT - MIPS: Reserve nosave data for hibernation - MIPS: Loongson-3: Reserve 32MB for RS780E integrated GPU - MIPS: Use copy_s.fmt rather than copy_u.fmt - MIPS: Fix MSA ld_*/st_* asm macros to use PTR_ADDU - MIPS: Prevent "restoration" of MSA context in non-MSA kernels - MIPS: Disable preemption during prctl(PR_SET_FP_MODE, ...) - MIPS: ptrace: Fix FP context restoration FCSR regression - MIPS: ptrace: Prevent writes to read-only FCSR bits - MIPS: Fix sigreturn via VDSO on microMIPS kernel - MIPS: Build microMIPS VDSO for microMIPS kernels - MIPS: lib: Mark intrinsics notrace - MIPS: VDSO: Build with `-fno-strict-aliasing' - affs: fix remount failure when there are no options changed - ASoC: ak4642: Enable cache usage to fix crashes on resume - Input: uinput - handle compat ioctl for UI_SET_PHYS - ARM: mvebu: fix GPIO config on the Linksys boards - ARM: dts: at91: fix typo in sama5d2 PIN_PD24 description - ARM: dts: exynos: Add interrupt line to MAX8997 PMIC on exynos4210-trats - ARM: dts: imx35: restore existing used clock enumeration - ath9k: Add a module parameter to invert LED polarity. - ath9k: Fix LED polarity for some Mini PCI AR9220 MB92 cards. - ath10k: fix debugfs pktlog_filter write - ath10k: fix firmware assert in monitor mode - ath10k: fix rx_channel during hw reconfigure - ath10k: fix kernel panic, move arvifs list head init before htt init - ath5k: Change led pin configuration for compaq c700 laptop - hwrng: exynos - Fix unbalanced PM runtime put on timeout error path - rtlwifi: rtl8723be: Add antenna select module parameter - rtlwifi: btcoexist: Implement antenna selection - rtlwifi: Fix logic error in enter/exit power-save mode - rtlwifi: pci: use dev_kfree_skb_irq instead of kfree_skb in rtl_pci_reset_trx_ring -
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed- xenial' to 'verification-done-xenial'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-armadaxp in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Released Status in linux-armadaxp package in Ubuntu: Invalid Status in linux-flo package in Ubuntu: New Status in linux-goldfish package in Ubuntu: New Status in linux-keystone package in Ubuntu: Invalid Status in linux-lts-quantal package in Ubuntu: Invalid Status in linux-lts-raring package in Ubuntu: Invalid Status in linux-lts-saucy package in Ubuntu: Invalid Status in linux-lts-trusty package in Ubuntu: Invalid Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux-lts-vivid package in Ubuntu: Invalid Status in linux-lts-wily package in Ubuntu: Invalid Status in linux-lts-xenial package in Ubuntu: Invalid Status in linux-mako package in Ubuntu: New Status in linux-manta package in Ubuntu: Invalid Status in linux-raspi2 package in Ubuntu: Invalid Status in linux-snapdragon package in Ubuntu: Invalid Status in linux-ti-omap4 package in Ubuntu: Invalid Status in linux source package in Precise: Fix Released Status in linux-armadaxp source package in Precise: Fix Released Status in linux-flo source package in Precise: Invalid Status in linux-goldfish source package in Precise: Invalid Status in linux-keystone source package in Precise: Invalid Status in linux-lts-quantal source package in Precise: Invalid Status in linux-lts-raring source package in Precise: Invalid Status in linux-lts-saucy source package in Precise: Invalid Status in linux-lts-trusty source package in Precise: Fix Released Status in linux-lts-utopic source package in Precise: Invalid Status in linux-lts-vivid source package in Precise: Invalid Status in linux-lts-wily source package in Precise: Invalid Status in linux-lts-xenial source package in Precise: Invalid Status in linux-mako source package in Precise: Invalid Status in linux-manta source package in Precise: Invalid Status in linux-raspi2 source package in Precise: Invalid Status in linux-snapdragon source package in Precise: Invalid Status in linux-ti-omap4 source package in Precise: Fix Released Status in linux source package in Trusty: Fix Released Status in linux-armadaxp source package in Trusty: Invalid Status in linux-flo source package in Trusty: Invalid Status in linux-goldfish source package in Trusty: Invalid Status in linux-keystone source package in Trusty: Fix Released Status in linux-lts-quantal source package in Trusty: Invalid Status in linux-lts-raring source package in Trusty: Invalid Status in linux-lts-saucy source package in Trusty: Invalid Status in linux-lts-trusty source package in Trusty: Invalid Status in linux-lts-utopic source package in Trusty: Fix Released Status in linux-lts-vivid source package in Trusty: Fix Released Status in linux-lts-wily source package in Trusty: Fix Released Status in linux-lts-xenial source package in Trusty: Fix Released Status in linux-mako source package in Trusty: Invalid Status in linux-manta source package in Trusty: Invalid Status in linux-raspi2 source package in Trusty: Invalid Status in linux-snapdragon source package in Trusty: Invalid Status in linux-ti-omap4 source package in Trusty: Invalid Status in linux source package in Vivid: Fix Released Status in linux-armadaxp source package in Vivid: Invalid Status in linux-flo source package in Vivid: New Status in linux-goldfish source package in Vivid: New Status in linux-keystone source package in Vivid: Invalid Status in linux-lts-quantal source package in Vivid: New Status in linux-lts-raring source package in Vivid: New Status in linux-lts-saucy source package in Vivid: New Status in linux-lts-trusty source package in Vivid: New Status in linux-lts-utopic source package in Vivid: Invalid Status in linux-lts-vivid source package in Vivid: New Status in linux-lts-wily source package in Vivid: New Status in linux-lts-xenial source package in Vivid: New Status in linux-mako source package in Vivid: New Status in linux-manta source package in Vivid: New Status in linux-raspi2 source package in Vivid: New Status in linux-snapdragon source package in Vivid: New Status in linux-ti-omap4 source package in Vivid: Invalid Status in linux source package in Wi
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed- vivid' to 'verification-done-vivid'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-wily -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-armadaxp in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Released Status in linux-armadaxp package in Ubuntu: Invalid Status in linux-flo package in Ubuntu: New Status in linux-goldfish package in Ubuntu: New Status in linux-keystone package in Ubuntu: Invalid Status in linux-lts-quantal package in Ubuntu: Invalid Status in linux-lts-raring package in Ubuntu: Invalid Status in linux-lts-saucy package in Ubuntu: Invalid Status in linux-lts-trusty package in Ubuntu: Invalid Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux-lts-vivid package in Ubuntu: Invalid Status in linux-lts-wily package in Ubuntu: Invalid Status in linux-lts-xenial package in Ubuntu: Invalid Status in linux-mako package in Ubuntu: New Status in linux-manta package in Ubuntu: Invalid Status in linux-raspi2 package in Ubuntu: Invalid Status in linux-snapdragon package in Ubuntu: Invalid Status in linux-ti-omap4 package in Ubuntu: Invalid Status in linux source package in Precise: Fix Released Status in linux-armadaxp source package in Precise: Fix Released Status in linux-flo source package in Precise: Invalid Status in linux-goldfish source package in Precise: Invalid Status in linux-keystone source package in Precise: Invalid Status in linux-lts-quantal source package in Precise: Invalid Status in linux-lts-raring source package in Precise: Invalid Status in linux-lts-saucy source package in Precise: Invalid Status in linux-lts-trusty source package in Precise: Fix Released Status in linux-lts-utopic source package in Precise: Invalid Status in linux-lts-vivid source package in Precise: Invalid Status in linux-lts-wily source package in Precise: Invalid Status in linux-lts-xenial source package in Precise: Invalid Status in linux-mako source package in Precise: Invalid Status in linux-manta source package in Precise: Invalid Status in linux-raspi2 source package in Precise: Invalid Status in linux-snapdragon source package in Precise: Invalid Status in linux-ti-omap4 source package in Precise: Fix Released Status in linux source package in Trusty: Fix Released Status in linux-armadaxp source package in Trusty: Invalid Status in linux-flo source package in Trusty: Invalid Status in linux-goldfish source package in Trusty: Invalid Status in linux-keystone source package in Trusty: Fix Released Status in linux-lts-quantal source package in Trusty: Invalid Status in linux-lts-raring source package in Trusty: Invalid Status in linux-lts-saucy source package in Trusty: Invalid Status in linux-lts-trusty source package in Trusty: Invalid Status in linux-lts-utopic source package in Trusty: Fix Released Status in linux-lts-vivid source package in Trusty: Fix Released Status in linux-lts-wily source package in Trusty: Fix Released Status in linux-lts-xenial source package in Trusty: Fix Released Status in linux-mako source package in Trusty: Invalid Status in linux-manta source package in Trusty: Invalid Status in linux-raspi2 source package in Trusty: Invalid Status in linux-snapdragon source package in Trusty: Invalid Status in linux-ti-omap4 source package in Trusty: Invalid Status in linux source package in Vivid: Fix Released Status in linux-armadaxp source package in Vivid: Invalid Status in linux-flo source package in Vivid: New Status in linux-goldfish source package in Vivid: New Status in linux-keystone source package in Vivid: Invalid Status in linux-lts-quantal source package in Vivid: New Status in linux-lts-raring source package in Vivid: New Status in linux-lts-saucy source package in Vivid: New Status in linux-lts-trusty source package in Vivid: New Status in linux-lts-utopic source package in Vivid: Invalid Status in linux-lts-vivid source package in Vivid: New Status in linux-lts-wily source package in Vivid: New Status in linux-lts-xenial source package in Vivid: New Status in linux-mako source package in Vivid: New Status in linux-manta source package in Vivid: New Status in linux-raspi2 source package in Vivid: New Status in linux-snapdragon source package in Vivid: New Status in linux-ti-omap4 source package in Vivid: Inva
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed- wily' to 'verification-done-wily'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-xenial -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-armadaxp in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Released Status in linux-armadaxp package in Ubuntu: Invalid Status in linux-flo package in Ubuntu: New Status in linux-goldfish package in Ubuntu: New Status in linux-keystone package in Ubuntu: Invalid Status in linux-lts-quantal package in Ubuntu: Invalid Status in linux-lts-raring package in Ubuntu: Invalid Status in linux-lts-saucy package in Ubuntu: Invalid Status in linux-lts-trusty package in Ubuntu: Invalid Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux-lts-vivid package in Ubuntu: Invalid Status in linux-lts-wily package in Ubuntu: Invalid Status in linux-lts-xenial package in Ubuntu: Invalid Status in linux-mako package in Ubuntu: New Status in linux-manta package in Ubuntu: Invalid Status in linux-raspi2 package in Ubuntu: Invalid Status in linux-snapdragon package in Ubuntu: Invalid Status in linux-ti-omap4 package in Ubuntu: Invalid Status in linux source package in Precise: Fix Released Status in linux-armadaxp source package in Precise: Fix Released Status in linux-flo source package in Precise: Invalid Status in linux-goldfish source package in Precise: Invalid Status in linux-keystone source package in Precise: Invalid Status in linux-lts-quantal source package in Precise: Invalid Status in linux-lts-raring source package in Precise: Invalid Status in linux-lts-saucy source package in Precise: Invalid Status in linux-lts-trusty source package in Precise: Fix Released Status in linux-lts-utopic source package in Precise: Invalid Status in linux-lts-vivid source package in Precise: Invalid Status in linux-lts-wily source package in Precise: Invalid Status in linux-lts-xenial source package in Precise: Invalid Status in linux-mako source package in Precise: Invalid Status in linux-manta source package in Precise: Invalid Status in linux-raspi2 source package in Precise: Invalid Status in linux-snapdragon source package in Precise: Invalid Status in linux-ti-omap4 source package in Precise: Fix Released Status in linux source package in Trusty: Fix Released Status in linux-armadaxp source package in Trusty: Invalid Status in linux-flo source package in Trusty: Invalid Status in linux-goldfish source package in Trusty: Invalid Status in linux-keystone source package in Trusty: Fix Released Status in linux-lts-quantal source package in Trusty: Invalid Status in linux-lts-raring source package in Trusty: Invalid Status in linux-lts-saucy source package in Trusty: Invalid Status in linux-lts-trusty source package in Trusty: Invalid Status in linux-lts-utopic source package in Trusty: Fix Released Status in linux-lts-vivid source package in Trusty: Fix Released Status in linux-lts-wily source package in Trusty: Fix Released Status in linux-lts-xenial source package in Trusty: Fix Released Status in linux-mako source package in Trusty: Invalid Status in linux-manta source package in Trusty: Invalid Status in linux-raspi2 source package in Trusty: Invalid Status in linux-snapdragon source package in Trusty: Invalid Status in linux-ti-omap4 source package in Trusty: Invalid Status in linux source package in Vivid: Fix Released Status in linux-armadaxp source package in Vivid: Invalid Status in linux-flo source package in Vivid: New Status in linux-goldfish source package in Vivid: New Status in linux-keystone source package in Vivid: Invalid Status in linux-lts-quantal source package in Vivid: New Status in linux-lts-raring source package in Vivid: New Status in linux-lts-saucy source package in Vivid: New Status in linux-lts-trusty source package in Vivid: New Status in linux-lts-utopic source package in Vivid: Invalid Status in linux-lts-vivid source package in Vivid: New Status in linux-lts-wily source package in Vivid: New Status in linux-lts-xenial source package in Vivid: New Status in linux-mako source package in Vivid: New Status in linux-manta source package in Vivid: New Status in linux-raspi2 source package in Vivid: New Status in linux-snapdragon source package in Vivid: New Status in linux-ti-omap4 source package in Vivid: Inva
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed- trusty' to 'verification-done-trusty'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-trusty ** Tags added: verification-needed-vivid -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-armadaxp in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Released Status in linux-armadaxp package in Ubuntu: Invalid Status in linux-flo package in Ubuntu: New Status in linux-goldfish package in Ubuntu: New Status in linux-keystone package in Ubuntu: Invalid Status in linux-lts-quantal package in Ubuntu: Invalid Status in linux-lts-raring package in Ubuntu: Invalid Status in linux-lts-saucy package in Ubuntu: Invalid Status in linux-lts-trusty package in Ubuntu: Invalid Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux-lts-vivid package in Ubuntu: Invalid Status in linux-lts-wily package in Ubuntu: Invalid Status in linux-lts-xenial package in Ubuntu: Invalid Status in linux-mako package in Ubuntu: New Status in linux-manta package in Ubuntu: Invalid Status in linux-raspi2 package in Ubuntu: Invalid Status in linux-snapdragon package in Ubuntu: Invalid Status in linux-ti-omap4 package in Ubuntu: Invalid Status in linux source package in Precise: Fix Released Status in linux-armadaxp source package in Precise: Fix Released Status in linux-flo source package in Precise: Invalid Status in linux-goldfish source package in Precise: Invalid Status in linux-keystone source package in Precise: Invalid Status in linux-lts-quantal source package in Precise: Invalid Status in linux-lts-raring source package in Precise: Invalid Status in linux-lts-saucy source package in Precise: Invalid Status in linux-lts-trusty source package in Precise: Fix Released Status in linux-lts-utopic source package in Precise: Invalid Status in linux-lts-vivid source package in Precise: Invalid Status in linux-lts-wily source package in Precise: Invalid Status in linux-lts-xenial source package in Precise: Invalid Status in linux-mako source package in Precise: Invalid Status in linux-manta source package in Precise: Invalid Status in linux-raspi2 source package in Precise: Invalid Status in linux-snapdragon source package in Precise: Invalid Status in linux-ti-omap4 source package in Precise: Fix Released Status in linux source package in Trusty: Fix Released Status in linux-armadaxp source package in Trusty: Invalid Status in linux-flo source package in Trusty: Invalid Status in linux-goldfish source package in Trusty: Invalid Status in linux-keystone source package in Trusty: Fix Released Status in linux-lts-quantal source package in Trusty: Invalid Status in linux-lts-raring source package in Trusty: Invalid Status in linux-lts-saucy source package in Trusty: Invalid Status in linux-lts-trusty source package in Trusty: Invalid Status in linux-lts-utopic source package in Trusty: Fix Released Status in linux-lts-vivid source package in Trusty: Fix Released Status in linux-lts-wily source package in Trusty: Fix Released Status in linux-lts-xenial source package in Trusty: Fix Released Status in linux-mako source package in Trusty: Invalid Status in linux-manta source package in Trusty: Invalid Status in linux-raspi2 source package in Trusty: Invalid Status in linux-snapdragon source package in Trusty: Invalid Status in linux-ti-omap4 source package in Trusty: Invalid Status in linux source package in Vivid: Fix Released Status in linux-armadaxp source package in Vivid: Invalid Status in linux-flo source package in Vivid: New Status in linux-goldfish source package in Vivid: New Status in linux-keystone source package in Vivid: Invalid Status in linux-lts-quantal source package in Vivid: New Status in linux-lts-raring source package in Vivid: New Status in linux-lts-saucy source package in Vivid: New Status in linux-lts-trusty source package in Vivid: New Status in linux-lts-utopic source package in Vivid: Invalid Status in linux-lts-vivid source package in Vivid: New Status in linux-lts-wily source package in Vivid: New Status in linux-lts-xenial source package in Vivid: New Status in linux-mako source package in Vivid: New Status in linux-manta source package in Vivid: New Status in linux-raspi2 source package in Vivid: New Status in linux-snapdragon source package in Vivid: New Status in
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Changed in: linux-snapdragon (Ubuntu Precise) Status: New => Invalid ** Changed in: linux-snapdragon (Ubuntu Precise) Importance: Undecided => High ** Changed in: linux-snapdragon (Ubuntu Wily) Status: New => Invalid ** Changed in: linux-snapdragon (Ubuntu Wily) Importance: Undecided => High ** Changed in: linux-snapdragon (Ubuntu Xenial) Status: New => Invalid ** Changed in: linux-snapdragon (Ubuntu Xenial) Importance: Undecided => High ** Changed in: linux-snapdragon (Ubuntu Yakkety) Status: New => Invalid ** Changed in: linux-snapdragon (Ubuntu Yakkety) Importance: Undecided => High ** Changed in: linux-snapdragon (Ubuntu Trusty) Status: New => Invalid ** Changed in: linux-snapdragon (Ubuntu Trusty) Importance: Undecided => High -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-armadaxp in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Released Status in linux-armadaxp package in Ubuntu: Invalid Status in linux-flo package in Ubuntu: New Status in linux-goldfish package in Ubuntu: New Status in linux-keystone package in Ubuntu: Invalid Status in linux-lts-quantal package in Ubuntu: Invalid Status in linux-lts-raring package in Ubuntu: Invalid Status in linux-lts-saucy package in Ubuntu: Invalid Status in linux-lts-trusty package in Ubuntu: Invalid Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux-lts-vivid package in Ubuntu: Invalid Status in linux-lts-wily package in Ubuntu: Invalid Status in linux-lts-xenial package in Ubuntu: Invalid Status in linux-mako package in Ubuntu: New Status in linux-manta package in Ubuntu: Invalid Status in linux-raspi2 package in Ubuntu: Invalid Status in linux-snapdragon package in Ubuntu: Invalid Status in linux-ti-omap4 package in Ubuntu: Invalid Status in linux source package in Precise: Fix Released Status in linux-armadaxp source package in Precise: Fix Released Status in linux-flo source package in Precise: Invalid Status in linux-goldfish source package in Precise: Invalid Status in linux-keystone source package in Precise: Invalid Status in linux-lts-quantal source package in Precise: Invalid Status in linux-lts-raring source package in Precise: Invalid Status in linux-lts-saucy source package in Precise: Invalid Status in linux-lts-trusty source package in Precise: Fix Released Status in linux-lts-utopic source package in Precise: Invalid Status in linux-lts-vivid source package in Precise: Invalid Status in linux-lts-wily source package in Precise: Invalid Status in linux-lts-xenial source package in Precise: Invalid Status in linux-mako source package in Precise: Invalid Status in linux-manta source package in Precise: Invalid Status in linux-raspi2 source package in Precise: Invalid Status in linux-snapdragon source package in Precise: Invalid Status in linux-ti-omap4 source package in Precise: Fix Released Status in linux source package in Trusty: Fix Released Status in linux-armadaxp source package in Trusty: Invalid Status in linux-flo source package in Trusty: Invalid Status in linux-goldfish source package in Trusty: Invalid Status in linux-keystone source package in Trusty: Fix Released Status in linux-lts-quantal source package in Trusty: Invalid Status in linux-lts-raring source package in Trusty: Invalid Status in linux-lts-saucy source package in Trusty: Invalid Status in linux-lts-trusty source package in Trusty: Invalid Status in linux-lts-utopic source package in Trusty: Fix Released Status in linux-lts-vivid source package in Trusty: Fix Released Status in linux-lts-wily source package in Trusty: Fix Released Status in linux-lts-xenial source package in Trusty: Fix Released Status in linux-mako source package in Trusty: Invalid Status in linux-manta source package in Trusty: Invalid Status in linux-raspi2 source package in Trusty: Invalid Status in linux-snapdragon source package in Trusty: Invalid Status in linux-ti-omap4 source package in Trusty: Invalid Status in linux source package in Vivid: Fix Released Status in linux-armadaxp source package in Vivid: Invalid Status in linux-flo source package in Vivid: New Status in linux-goldfish source package in Vivid: New Status in linux-keystone source package in Vivid: Invalid Status in linux-lts-quantal source package in Vivid: New Status in linux-lts-raring source package in Vivid: New Status in linux-lts-saucy source package in Vivid: New Status in linux-lts-trusty source package in Vivid: New Status in linux-lts-utopic source package in Vivid: Invalid Status in linux-lts-vivid source package in Vivid: New Status in linux-lts-wily source package in Vivid: New Status in linux-lts-xenial source package in Vivid: New Stat
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Also affects: linux (Ubuntu Yakkety) Importance: High Assignee: Tim Gardner (timg-tpi) Status: Fix Released ** Also affects: linux-ti-omap4 (Ubuntu Yakkety) Importance: High Status: Invalid ** Also affects: linux-armadaxp (Ubuntu Yakkety) Importance: High Status: Invalid ** Also affects: linux-lts-quantal (Ubuntu Yakkety) Importance: High Status: Invalid ** Also affects: linux-lts-raring (Ubuntu Yakkety) Importance: High Status: Invalid ** Also affects: linux-lts-saucy (Ubuntu Yakkety) Importance: High Status: Invalid ** Also affects: linux-mako (Ubuntu Yakkety) Importance: High Status: New ** Also affects: linux-manta (Ubuntu Yakkety) Importance: High Status: Invalid ** Also affects: linux-keystone (Ubuntu Yakkety) Importance: Undecided Status: Invalid ** Also affects: linux-goldfish (Ubuntu Yakkety) Importance: High Status: New ** Also affects: linux-flo (Ubuntu Yakkety) Importance: High Status: New ** Also affects: linux-lts-trusty (Ubuntu Yakkety) Importance: High Status: Invalid ** Also affects: linux-lts-utopic (Ubuntu Yakkety) Importance: High Status: Invalid ** Also affects: linux-lts-vivid (Ubuntu Yakkety) Importance: High Status: Invalid ** Also affects: linux-lts-wily (Ubuntu Yakkety) Importance: High Status: Invalid ** Also affects: linux-raspi2 (Ubuntu Yakkety) Importance: High Status: Invalid ** Also affects: linux-lts-xenial (Ubuntu Yakkety) Importance: High Status: Invalid -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-armadaxp in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Released Status in linux-armadaxp package in Ubuntu: Invalid Status in linux-flo package in Ubuntu: New Status in linux-goldfish package in Ubuntu: New Status in linux-keystone package in Ubuntu: Invalid Status in linux-lts-quantal package in Ubuntu: Invalid Status in linux-lts-raring package in Ubuntu: Invalid Status in linux-lts-saucy package in Ubuntu: Invalid Status in linux-lts-trusty package in Ubuntu: Invalid Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux-lts-vivid package in Ubuntu: Invalid Status in linux-lts-wily package in Ubuntu: Invalid Status in linux-lts-xenial package in Ubuntu: Invalid Status in linux-mako package in Ubuntu: New Status in linux-manta package in Ubuntu: Invalid Status in linux-raspi2 package in Ubuntu: Invalid Status in linux-ti-omap4 package in Ubuntu: Invalid Status in linux source package in Precise: Fix Released Status in linux-armadaxp source package in Precise: Fix Released Status in linux-flo source package in Precise: Invalid Status in linux-goldfish source package in Precise: Invalid Status in linux-keystone source package in Precise: Invalid Status in linux-lts-quantal source package in Precise: Invalid Status in linux-lts-raring source package in Precise: Invalid Status in linux-lts-saucy source package in Precise: Invalid Status in linux-lts-trusty source package in Precise: Fix Released Status in linux-lts-utopic source package in Precise: Invalid Status in linux-lts-vivid source package in Precise: Invalid Status in linux-lts-wily source package in Precise: Invalid Status in linux-lts-xenial source package in Precise: Invalid Status in linux-mako source package in Precise: Invalid Status in linux-manta source package in Precise: Invalid Status in linux-raspi2 source package in Precise: Invalid Status in linux-ti-omap4 source package in Precise: Fix Released Status in linux source package in Trusty: Fix Released Status in linux-armadaxp source package in Trusty: Invalid Status in linux-flo source package in Trusty: Invalid Status in linux-goldfish source package in Trusty: Invalid Status in linux-keystone source package in Trusty: Fix Released Status in linux-lts-quantal source package in Trusty: Invalid Status in linux-lts-raring source package in Trusty: Invalid Status in linux-lts-saucy source package in Trusty: Invalid Status in linux-lts-trusty source package in Trusty: Invalid Status in linux-lts-utopic source package in Trusty: Fix Released Status in linux-lts-vivid source package in Trusty: Fix Released Status in linux-lts-wily source package in Trusty: Fix Released Status in linux-lts-xenial source package in Trusty: Fix Released Status in linux-mako source package in Trusty: Invalid Status in linux-manta source package in Trusty: Invalid Status in linux-raspi2 source package in Trusty: Invalid Status in linux-ti-omap4 source package in Trusty: Invalid Status in linux source package in Vivid: Fix Released Status in linux-armadaxp source package in Vivid: Invalid Status in linux-f
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Changed in: linux-raspi2 (Ubuntu Xenial) Status: New => Invalid -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-armadaxp in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Released Status in linux-armadaxp package in Ubuntu: Invalid Status in linux-flo package in Ubuntu: New Status in linux-goldfish package in Ubuntu: New Status in linux-keystone package in Ubuntu: Invalid Status in linux-lts-quantal package in Ubuntu: Invalid Status in linux-lts-raring package in Ubuntu: Invalid Status in linux-lts-saucy package in Ubuntu: Invalid Status in linux-lts-trusty package in Ubuntu: Invalid Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux-lts-vivid package in Ubuntu: Invalid Status in linux-lts-wily package in Ubuntu: Invalid Status in linux-lts-xenial package in Ubuntu: Invalid Status in linux-mako package in Ubuntu: New Status in linux-manta package in Ubuntu: Invalid Status in linux-raspi2 package in Ubuntu: Invalid Status in linux-ti-omap4 package in Ubuntu: Invalid Status in linux source package in Precise: Fix Released Status in linux-armadaxp source package in Precise: Fix Released Status in linux-flo source package in Precise: Invalid Status in linux-goldfish source package in Precise: Invalid Status in linux-keystone source package in Precise: Invalid Status in linux-lts-quantal source package in Precise: Invalid Status in linux-lts-raring source package in Precise: Invalid Status in linux-lts-saucy source package in Precise: Invalid Status in linux-lts-trusty source package in Precise: Fix Released Status in linux-lts-utopic source package in Precise: Invalid Status in linux-lts-vivid source package in Precise: Invalid Status in linux-lts-wily source package in Precise: Invalid Status in linux-lts-xenial source package in Precise: Invalid Status in linux-mako source package in Precise: Invalid Status in linux-manta source package in Precise: Invalid Status in linux-raspi2 source package in Precise: Invalid Status in linux-ti-omap4 source package in Precise: Fix Released Status in linux source package in Trusty: Fix Released Status in linux-armadaxp source package in Trusty: Invalid Status in linux-flo source package in Trusty: Invalid Status in linux-goldfish source package in Trusty: Invalid Status in linux-keystone source package in Trusty: Fix Released Status in linux-lts-quantal source package in Trusty: Invalid Status in linux-lts-raring source package in Trusty: Invalid Status in linux-lts-saucy source package in Trusty: Invalid Status in linux-lts-trusty source package in Trusty: Invalid Status in linux-lts-utopic source package in Trusty: Fix Released Status in linux-lts-vivid source package in Trusty: Fix Released Status in linux-lts-wily source package in Trusty: Fix Released Status in linux-lts-xenial source package in Trusty: Fix Released Status in linux-mako source package in Trusty: Invalid Status in linux-manta source package in Trusty: Invalid Status in linux-raspi2 source package in Trusty: Invalid Status in linux-ti-omap4 source package in Trusty: Invalid Status in linux source package in Vivid: Fix Released Status in linux-armadaxp source package in Vivid: Invalid Status in linux-flo source package in Vivid: New Status in linux-goldfish source package in Vivid: New Status in linux-keystone source package in Vivid: Invalid Status in linux-lts-quantal source package in Vivid: New Status in linux-lts-raring source package in Vivid: New Status in linux-lts-saucy source package in Vivid: New Status in linux-lts-trusty source package in Vivid: New Status in linux-lts-utopic source package in Vivid: Invalid Status in linux-lts-vivid source package in Vivid: New Status in linux-lts-wily source package in Vivid: New Status in linux-lts-xenial source package in Vivid: New Status in linux-mako source package in Vivid: New Status in linux-manta source package in Vivid: New Status in linux-raspi2 source package in Vivid: New Status in linux-ti-omap4 source package in Vivid: Invalid Status in linux source package in Wily: Fix Released Status in linux-armadaxp source package in Wily: Invalid Status in linux-flo source package in Wily: New Status in linux-goldfish source package in Wily: New Status in linux-keystone source package in Wily: Invalid Status in linux-lts-quantal source package in Wily: Invalid Status in linux-lts-raring source package in Wily: Invalid Status in linux-lts-saucy source package in Wily: Invalid Status in linux-lts-trusty source package in Wily: Invalid Status in linux-lts-utopic source package in Wily: Invalid Status in linux-lts-vivid source package in Wily: Invalid Status in linux-lts-wily source package in Wily: Inva
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Changed in: linux-manta (Ubuntu Xenial) Status: New => Invalid -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-armadaxp in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Released Status in linux-armadaxp package in Ubuntu: Invalid Status in linux-flo package in Ubuntu: New Status in linux-goldfish package in Ubuntu: New Status in linux-keystone package in Ubuntu: Invalid Status in linux-lts-quantal package in Ubuntu: Invalid Status in linux-lts-raring package in Ubuntu: Invalid Status in linux-lts-saucy package in Ubuntu: Invalid Status in linux-lts-trusty package in Ubuntu: Invalid Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux-lts-vivid package in Ubuntu: Invalid Status in linux-lts-wily package in Ubuntu: Invalid Status in linux-lts-xenial package in Ubuntu: Invalid Status in linux-mako package in Ubuntu: New Status in linux-manta package in Ubuntu: Invalid Status in linux-raspi2 package in Ubuntu: New Status in linux-ti-omap4 package in Ubuntu: Invalid Status in linux source package in Precise: Fix Released Status in linux-armadaxp source package in Precise: Fix Released Status in linux-flo source package in Precise: Invalid Status in linux-goldfish source package in Precise: Invalid Status in linux-keystone source package in Precise: Invalid Status in linux-lts-quantal source package in Precise: Invalid Status in linux-lts-raring source package in Precise: Invalid Status in linux-lts-saucy source package in Precise: Invalid Status in linux-lts-trusty source package in Precise: Fix Released Status in linux-lts-utopic source package in Precise: Invalid Status in linux-lts-vivid source package in Precise: Invalid Status in linux-lts-wily source package in Precise: Invalid Status in linux-lts-xenial source package in Precise: Invalid Status in linux-mako source package in Precise: Invalid Status in linux-manta source package in Precise: Invalid Status in linux-raspi2 source package in Precise: Invalid Status in linux-ti-omap4 source package in Precise: Fix Released Status in linux source package in Trusty: Fix Released Status in linux-armadaxp source package in Trusty: Invalid Status in linux-flo source package in Trusty: Invalid Status in linux-goldfish source package in Trusty: Invalid Status in linux-keystone source package in Trusty: Fix Released Status in linux-lts-quantal source package in Trusty: Invalid Status in linux-lts-raring source package in Trusty: Invalid Status in linux-lts-saucy source package in Trusty: Invalid Status in linux-lts-trusty source package in Trusty: Invalid Status in linux-lts-utopic source package in Trusty: Fix Released Status in linux-lts-vivid source package in Trusty: Fix Released Status in linux-lts-wily source package in Trusty: Fix Released Status in linux-lts-xenial source package in Trusty: Fix Released Status in linux-mako source package in Trusty: Invalid Status in linux-manta source package in Trusty: Invalid Status in linux-raspi2 source package in Trusty: Invalid Status in linux-ti-omap4 source package in Trusty: Invalid Status in linux source package in Vivid: Fix Released Status in linux-armadaxp source package in Vivid: Invalid Status in linux-flo source package in Vivid: New Status in linux-goldfish source package in Vivid: New Status in linux-keystone source package in Vivid: Invalid Status in linux-lts-quantal source package in Vivid: New Status in linux-lts-raring source package in Vivid: New Status in linux-lts-saucy source package in Vivid: New Status in linux-lts-trusty source package in Vivid: New Status in linux-lts-utopic source package in Vivid: Invalid Status in linux-lts-vivid source package in Vivid: New Status in linux-lts-wily source package in Vivid: New Status in linux-lts-xenial source package in Vivid: New Status in linux-mako source package in Vivid: New Status in linux-manta source package in Vivid: New Status in linux-raspi2 source package in Vivid: New Status in linux-ti-omap4 source package in Vivid: Invalid Status in linux source package in Wily: Fix Released Status in linux-armadaxp source package in Wily: Invalid Status in linux-flo source package in Wily: New Status in linux-goldfish source package in Wily: New Status in linux-keystone source package in Wily: Invalid Status in linux-lts-quantal source package in Wily: Invalid Status in linux-lts-raring source package in Wily: Invalid Status in linux-lts-saucy source package in Wily: Invalid Status in linux-lts-trusty source package in Wily: Invalid Status in linux-lts-utopic source package in Wily: Invalid Status in linux-lts-vivid source package in Wily: Invalid Status in linux-lts-wily source package in Wily: Invalid S
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
This bug was fixed in the package linux-lts-xenial - 4.4.0-14.30~14.04.2 --- linux-lts-xenial (4.4.0-14.30~14.04.2) trusty; urgency=low * Release Tracking Bug (LP: #1558247) * Current 4.4 kernel won't boot on powerpc (LP: #1557130) - powerpc: Fix dedotify for binutils >= 2.26 * ZFS: send fails to transmit some holes [corruption] (LP: #1557151) - Illumos 6370 - ZFS send fails to transmit some holes * Request to cherry-pick uvcvideo patch for Xenial kernel support of RealSense camera (LP: #1557138) - UVC: Add support for ds4 depth camera * use after free of task_struct->numa_faults in task_numa_find_cpu (LP: #1527643) - sched/numa: Fix use-after-free bug in the task_numa_compare * overlay fs regression: chmod fails with "Operation not permitted" on chowned files (LP: #1555997) - ovl: copy new uid/gid into overlayfs runtime inode * Miscellaneous Ubuntu changes - SAUCE: Dump stack when X.509 certificates cannot be loaded -- Brad Figg Thu, 17 Mar 2016 09:18:22 -0700 ** Changed in: linux-lts-xenial (Ubuntu Trusty) Status: Invalid => Fix Released -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-armadaxp in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Released Status in linux-armadaxp package in Ubuntu: Invalid Status in linux-flo package in Ubuntu: New Status in linux-goldfish package in Ubuntu: New Status in linux-keystone package in Ubuntu: Invalid Status in linux-lts-quantal package in Ubuntu: Invalid Status in linux-lts-raring package in Ubuntu: Invalid Status in linux-lts-saucy package in Ubuntu: Invalid Status in linux-lts-trusty package in Ubuntu: Invalid Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux-lts-vivid package in Ubuntu: Invalid Status in linux-lts-wily package in Ubuntu: Invalid Status in linux-lts-xenial package in Ubuntu: Invalid Status in linux-mako package in Ubuntu: New Status in linux-manta package in Ubuntu: New Status in linux-raspi2 package in Ubuntu: New Status in linux-ti-omap4 package in Ubuntu: Invalid Status in linux source package in Precise: Fix Released Status in linux-armadaxp source package in Precise: Fix Released Status in linux-flo source package in Precise: Invalid Status in linux-goldfish source package in Precise: Invalid Status in linux-keystone source package in Precise: Invalid Status in linux-lts-quantal source package in Precise: Invalid Status in linux-lts-raring source package in Precise: Invalid Status in linux-lts-saucy source package in Precise: Invalid Status in linux-lts-trusty source package in Precise: Fix Released Status in linux-lts-utopic source package in Precise: Invalid Status in linux-lts-vivid source package in Precise: Invalid Status in linux-lts-wily source package in Precise: Invalid Status in linux-lts-xenial source package in Precise: Invalid Status in linux-mako source package in Precise: Invalid Status in linux-manta source package in Precise: Invalid Status in linux-raspi2 source package in Precise: Invalid Status in linux-ti-omap4 source package in Precise: Fix Released Status in linux source package in Trusty: Fix Released Status in linux-armadaxp source package in Trusty: Invalid Status in linux-flo source package in Trusty: Invalid Status in linux-goldfish source package in Trusty: Invalid Status in linux-keystone source package in Trusty: Fix Released Status in linux-lts-quantal source package in Trusty: Invalid Status in linux-lts-raring source package in Trusty: Invalid Status in linux-lts-saucy source package in Trusty: Invalid Status in linux-lts-trusty source package in Trusty: Invalid Status in linux-lts-utopic source package in Trusty: Fix Released Status in linux-lts-vivid source package in Trusty: Fix Released Status in linux-lts-wily source package in Trusty: Fix Released Status in linux-lts-xenial source package in Trusty: Fix Released Status in linux-mako source package in Trusty: Invalid Status in linux-manta source package in Trusty: Invalid Status in linux-raspi2 source package in Trusty: Invalid Status in linux-ti-omap4 source package in Trusty: Invalid Status in linux source package in Vivid: Fix Released Status in linux-armadaxp source package in Vivid: Invalid Status in linux-flo source package in Vivid: New Status in linux-goldfish source package in Vivid: New Status in linux-keystone source package in Vivid: Invalid Status in linux-lts-quantal source package in Vivid: New Status in linux-lts-raring source package in Vivid: New Status in linux-lts-saucy source package in Vivid: New Status in linux-lts-trusty source package in Vivid: New Status in linux-lts-utopic source package in Vivid: Invalid Status in linux-lts-vivid source pa
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Changed in: linux-raspi2 (Ubuntu Wily) Status: New => Fix Released ** Changed in: linux-lts-xenial (Ubuntu Trusty) Status: Fix Released => New ** Changed in: linux-lts-xenial (Ubuntu Trusty) Status: New => Invalid -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-armadaxp in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Released Status in linux-armadaxp package in Ubuntu: Invalid Status in linux-flo package in Ubuntu: New Status in linux-goldfish package in Ubuntu: New Status in linux-keystone package in Ubuntu: Invalid Status in linux-lts-quantal package in Ubuntu: Invalid Status in linux-lts-raring package in Ubuntu: Invalid Status in linux-lts-saucy package in Ubuntu: Invalid Status in linux-lts-trusty package in Ubuntu: Invalid Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux-lts-vivid package in Ubuntu: Invalid Status in linux-lts-wily package in Ubuntu: Invalid Status in linux-lts-xenial package in Ubuntu: Invalid Status in linux-mako package in Ubuntu: New Status in linux-manta package in Ubuntu: New Status in linux-raspi2 package in Ubuntu: New Status in linux-ti-omap4 package in Ubuntu: Invalid Status in linux source package in Precise: Fix Released Status in linux-armadaxp source package in Precise: Fix Released Status in linux-flo source package in Precise: Invalid Status in linux-goldfish source package in Precise: Invalid Status in linux-keystone source package in Precise: Invalid Status in linux-lts-quantal source package in Precise: Invalid Status in linux-lts-raring source package in Precise: Invalid Status in linux-lts-saucy source package in Precise: Invalid Status in linux-lts-trusty source package in Precise: Fix Released Status in linux-lts-utopic source package in Precise: Invalid Status in linux-lts-vivid source package in Precise: Invalid Status in linux-lts-wily source package in Precise: Invalid Status in linux-lts-xenial source package in Precise: Invalid Status in linux-mako source package in Precise: Invalid Status in linux-manta source package in Precise: Invalid Status in linux-raspi2 source package in Precise: Invalid Status in linux-ti-omap4 source package in Precise: Fix Released Status in linux source package in Trusty: Fix Released Status in linux-armadaxp source package in Trusty: Invalid Status in linux-flo source package in Trusty: Invalid Status in linux-goldfish source package in Trusty: Invalid Status in linux-keystone source package in Trusty: Fix Released Status in linux-lts-quantal source package in Trusty: Invalid Status in linux-lts-raring source package in Trusty: Invalid Status in linux-lts-saucy source package in Trusty: Invalid Status in linux-lts-trusty source package in Trusty: Invalid Status in linux-lts-utopic source package in Trusty: Fix Released Status in linux-lts-vivid source package in Trusty: Fix Released Status in linux-lts-wily source package in Trusty: Fix Released Status in linux-lts-xenial source package in Trusty: Invalid Status in linux-mako source package in Trusty: Invalid Status in linux-manta source package in Trusty: Invalid Status in linux-raspi2 source package in Trusty: Invalid Status in linux-ti-omap4 source package in Trusty: Invalid Status in linux source package in Vivid: Fix Released Status in linux-armadaxp source package in Vivid: Invalid Status in linux-flo source package in Vivid: New Status in linux-goldfish source package in Vivid: New Status in linux-keystone source package in Vivid: Invalid Status in linux-lts-quantal source package in Vivid: New Status in linux-lts-raring source package in Vivid: New Status in linux-lts-saucy source package in Vivid: New Status in linux-lts-trusty source package in Vivid: New Status in linux-lts-utopic source package in Vivid: Invalid Status in linux-lts-vivid source package in Vivid: New Status in linux-lts-wily source package in Vivid: New Status in linux-lts-xenial source package in Vivid: New Status in linux-mako source package in Vivid: New Status in linux-manta source package in Vivid: New Status in linux-raspi2 source package in Vivid: New Status in linux-ti-omap4 source package in Vivid: Invalid Status in linux source package in Wily: Fix Released Status in linux-armadaxp source package in Wily: Invalid Status in linux-flo source package in Wily: New Status in linux-goldfish source package in Wily: New Status in linux-keystone source package in Wily: Invalid Status in linux-lts-quantal source package in Wily: Invalid Status in linux-lts-raring source package in Wily: Invalid Status in linux-lts-saucy source package in Wily: Invalid Status in linux-lts-trusty source package in Wily: Invalid Status in linux-lts-uto
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
This bug was fixed in the package linux-lts-xenial - 4.4.0-13.29~14.04.1 --- linux-lts-xenial (4.4.0-13.29~14.04.1) trusty; urgency=low [ Tim Gardner ] * Release Tracking Bug - LP: #1556247 * s390/mm: four page table levels vs. fork (LP: #1556141) - s390/mm: four page table levels vs. fork * [Hyper-V] network performance patches for Xenial 16.04 (LP: #1556037) - hv_netvsc: use skb_get_hash() instead of a homegrown implementation - hv_netvsc: cleanup netdev feature flags for netvsc * fails to boot on megaraid (LP: #1552903) - SAUCE: (noup) megaraid_sas: Don't issue kill adapter for MFI controllers in case of PD list DCMD failure * ALSA: hda - add codec support for Kabylake display audio codec (LP: #1556002) - ALSA: hda - add codec support for Kabylake display audio codec * Backport upstream bugfixes to ubuntu-16.04 (LP: #1555765) - cpufreq: powernv: Free 'chips' on module exit - cpufreq: powernv: Hot-plug safe the kworker thread - cpufreq: powernv: Remove cpu_to_chip_id() from hot-path - cpufreq: powernv/tracing: Add powernv_throttle tracepoint - cpufreq: powernv: Replace pr_info with trace print for throttle event - SAUCE: (noup) cpufreq: powernv: Fix bugs in powernv_cpufreq_{init/exit} * Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338) - SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving userspace * integer overflow in xt_alloc_table_info (LP: #1555353) - SAUCE: (noup) netfilter: x_tables: check for size overflow * linux: auto-generate the reconstruct information from the git tag (LP: #143) - [Packaging] reconstruct -- automatically reconstruct against base tag - [Config] reconstruct -- update to autoreconstruct output - [Packaging] reconstruct -- update when inserting final changes * Xenial update to v4.4.5 stable release (LP: #1555640) - use ->d_seq to get coherency between ->d_inode and ->d_flags - drivers: sh: Restore legacy clock domain on SuperH platforms - Btrfs: fix deadlock running delayed iputs at transaction commit time - btrfs: Fix no_space in write and rm loop - btrfs: async-thread: Fix a use-after-free error for trace - block: Initialize max_dev_sectors to 0 - PCI: keystone: Fix MSI code that retrieves struct pcie_port pointer - parisc: Fix ptrace syscall number and return value modification - mips/kvm: fix ioctl error handling - kvm: x86: Update tsc multiplier on change. - fbcon: set a default value to blink interval - cifs: fix out-of-bounds access in lease parsing - CIFS: Fix SMB2+ interim response processing for read requests - Fix cifs_uniqueid_to_ino_t() function for s390x - vfio: fix ioctl error handling - KVM: x86: fix root cause for missed hardware breakpoints - arm/arm64: KVM: Fix ioctl error handling - iommu/amd: Apply workaround for ATS write permission check - iommu/amd: Fix boot warning when device 00:00.0 is not iommu covered - iommu/vt-d: Use BUS_NOTIFY_REMOVED_DEVICE in hotplug path - target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors - drm/ast: Fix incorrect register check for DRAM width - drm/radeon/pm: update current crtc info after setting the powerstate - drm/amdgpu/pm: update current crtc info after setting the powerstate - drm/amdgpu: apply gfx_v8 fixes to gfx_v7 as well - drm/amdgpu/gfx8: specify which engine to wait before vm flush - drm/amdgpu: return from atombios_dp_get_dpcd only when error - libata: fix HDIO_GET_32BIT ioctl - libata: Align ata_device's id on a cacheline - block: bio: introduce helpers to get the 1st and last bvec - writeback: flush inode cgroup wb switches instead of pinning super_block - Adding Intel Lewisburg device IDs for SATA - arm64: vmemmap: use virtual projection of linear region - PM / sleep / x86: Fix crash on graph trace through x86 suspend - ata: ahci: don't mark HotPlugCapable Ports as external/removable - tracing: Do not have 'comm' filter override event 'comm' field - pata-rb532-cf: get rid of the irq_to_gpio() call - Btrfs: fix loading of orphan roots leading to BUG_ON - Revert "jffs2: Fix lock acquisition order bug in jffs2_write_begin" - jffs2: Fix page lock / f->sem deadlock - Fix directory hardlinks from deleted directories - dmaengine: pxa_dma: fix cyclic transfers - adv7604: fix tx 5v detect regression - ALSA: usb-audio: Add a quirk for Plantronics DA45 - ALSA: ctl: Fix ioctls for X32 ABI - ALSA: hda - Fix mic issues on Acer Aspire E1-472 - ALSA: rawmidi: Fix ioctls X32 ABI - ALSA: timer: Fix ioctls for X32 ABI - ALSA: pcm: Fix ioctls for X32 ABI - ALSA: seq: oss: Don't drain at closing a client - ALSA: hdspm: Fix wrong boolean ctl value accesses - ALSA: hdsp: Fix wrong boolean ctl value accesses - ALSA: hdspm: Fix zero-division - ALSA: timer:
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
This bug was fixed in the package linux - 4.4.0-13.29 --- linux (4.4.0-13.29) xenial; urgency=low [ Tim Gardner ] * Release Tracking Bug - LP: #1556247 * s390/mm: four page table levels vs. fork (LP: #1556141) - s390/mm: four page table levels vs. fork * [Hyper-V] network performance patches for Xenial 16.04 (LP: #1556037) - hv_netvsc: use skb_get_hash() instead of a homegrown implementation - hv_netvsc: cleanup netdev feature flags for netvsc * fails to boot on megaraid (LP: #1552903) - SAUCE: (noup) megaraid_sas: Don't issue kill adapter for MFI controllers in case of PD list DCMD failure * ALSA: hda - add codec support for Kabylake display audio codec (LP: #1556002) - ALSA: hda - add codec support for Kabylake display audio codec * Backport upstream bugfixes to ubuntu-16.04 (LP: #1555765) - cpufreq: powernv: Free 'chips' on module exit - cpufreq: powernv: Hot-plug safe the kworker thread - cpufreq: powernv: Remove cpu_to_chip_id() from hot-path - cpufreq: powernv/tracing: Add powernv_throttle tracepoint - cpufreq: powernv: Replace pr_info with trace print for throttle event - SAUCE: (noup) cpufreq: powernv: Fix bugs in powernv_cpufreq_{init/exit} * Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338) - SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving userspace * integer overflow in xt_alloc_table_info (LP: #1555353) - SAUCE: (noup) netfilter: x_tables: check for size overflow * linux: auto-generate the reconstruct information from the git tag (LP: #143) - [Packaging] reconstruct -- automatically reconstruct against base tag - [Config] reconstruct -- update to autoreconstruct output - [Packaging] reconstruct -- update when inserting final changes * Xenial update to v4.4.5 stable release (LP: #1555640) - use ->d_seq to get coherency between ->d_inode and ->d_flags - drivers: sh: Restore legacy clock domain on SuperH platforms - Btrfs: fix deadlock running delayed iputs at transaction commit time - btrfs: Fix no_space in write and rm loop - btrfs: async-thread: Fix a use-after-free error for trace - block: Initialize max_dev_sectors to 0 - PCI: keystone: Fix MSI code that retrieves struct pcie_port pointer - parisc: Fix ptrace syscall number and return value modification - mips/kvm: fix ioctl error handling - kvm: x86: Update tsc multiplier on change. - fbcon: set a default value to blink interval - cifs: fix out-of-bounds access in lease parsing - CIFS: Fix SMB2+ interim response processing for read requests - Fix cifs_uniqueid_to_ino_t() function for s390x - vfio: fix ioctl error handling - KVM: x86: fix root cause for missed hardware breakpoints - arm/arm64: KVM: Fix ioctl error handling - iommu/amd: Apply workaround for ATS write permission check - iommu/amd: Fix boot warning when device 00:00.0 is not iommu covered - iommu/vt-d: Use BUS_NOTIFY_REMOVED_DEVICE in hotplug path - target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors - drm/ast: Fix incorrect register check for DRAM width - drm/radeon/pm: update current crtc info after setting the powerstate - drm/amdgpu/pm: update current crtc info after setting the powerstate - drm/amdgpu: apply gfx_v8 fixes to gfx_v7 as well - drm/amdgpu/gfx8: specify which engine to wait before vm flush - drm/amdgpu: return from atombios_dp_get_dpcd only when error - libata: fix HDIO_GET_32BIT ioctl - libata: Align ata_device's id on a cacheline - block: bio: introduce helpers to get the 1st and last bvec - writeback: flush inode cgroup wb switches instead of pinning super_block - Adding Intel Lewisburg device IDs for SATA - arm64: vmemmap: use virtual projection of linear region - PM / sleep / x86: Fix crash on graph trace through x86 suspend - ata: ahci: don't mark HotPlugCapable Ports as external/removable - tracing: Do not have 'comm' filter override event 'comm' field - pata-rb532-cf: get rid of the irq_to_gpio() call - Btrfs: fix loading of orphan roots leading to BUG_ON - Revert "jffs2: Fix lock acquisition order bug in jffs2_write_begin" - jffs2: Fix page lock / f->sem deadlock - Fix directory hardlinks from deleted directories - dmaengine: pxa_dma: fix cyclic transfers - adv7604: fix tx 5v detect regression - ALSA: usb-audio: Add a quirk for Plantronics DA45 - ALSA: ctl: Fix ioctls for X32 ABI - ALSA: hda - Fix mic issues on Acer Aspire E1-472 - ALSA: rawmidi: Fix ioctls X32 ABI - ALSA: timer: Fix ioctls for X32 ABI - ALSA: pcm: Fix ioctls for X32 ABI - ALSA: seq: oss: Don't drain at closing a client - ALSA: hdspm: Fix wrong boolean ctl value accesses - ALSA: hdsp: Fix wrong boolean ctl value accesses - ALSA: hdspm: Fix zero-division - ALSA: timer: Fix broken compat timer user status i
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
This bug was fixed in the package linux-keystone - 3.13.0-53.78 --- linux-keystone (3.13.0-53.78) trusty; urgency=low [ Ike Panhc ] * Release Tracking Bug - LP: #1555956 * Rebase to Ubuntu-3.13.0-83.127 [ Ubuntu: 3.13.0-83.127 ] * Release Tracking Bug - LP: #1555839 * SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving userspace - LP: #1555338 -- Ike Panhc Sat, 12 Mar 2016 10:03:08 +0800 ** Changed in: linux-keystone (Ubuntu Trusty) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-armadaxp in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Committed Status in linux-armadaxp package in Ubuntu: Invalid Status in linux-flo package in Ubuntu: New Status in linux-goldfish package in Ubuntu: New Status in linux-keystone package in Ubuntu: Invalid Status in linux-lts-quantal package in Ubuntu: Invalid Status in linux-lts-raring package in Ubuntu: Invalid Status in linux-lts-saucy package in Ubuntu: Invalid Status in linux-lts-trusty package in Ubuntu: Invalid Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux-lts-vivid package in Ubuntu: Invalid Status in linux-lts-wily package in Ubuntu: Invalid Status in linux-lts-xenial package in Ubuntu: Invalid Status in linux-mako package in Ubuntu: New Status in linux-manta package in Ubuntu: New Status in linux-raspi2 package in Ubuntu: New Status in linux-ti-omap4 package in Ubuntu: Invalid Status in linux source package in Precise: Fix Released Status in linux-armadaxp source package in Precise: Fix Released Status in linux-flo source package in Precise: Invalid Status in linux-goldfish source package in Precise: Invalid Status in linux-keystone source package in Precise: Invalid Status in linux-lts-quantal source package in Precise: Invalid Status in linux-lts-raring source package in Precise: Invalid Status in linux-lts-saucy source package in Precise: Invalid Status in linux-lts-trusty source package in Precise: Fix Released Status in linux-lts-utopic source package in Precise: Invalid Status in linux-lts-vivid source package in Precise: Invalid Status in linux-lts-wily source package in Precise: Invalid Status in linux-lts-xenial source package in Precise: Invalid Status in linux-mako source package in Precise: Invalid Status in linux-manta source package in Precise: Invalid Status in linux-raspi2 source package in Precise: Invalid Status in linux-ti-omap4 source package in Precise: Fix Released Status in linux source package in Trusty: Fix Released Status in linux-armadaxp source package in Trusty: Invalid Status in linux-flo source package in Trusty: Invalid Status in linux-goldfish source package in Trusty: Invalid Status in linux-keystone source package in Trusty: Fix Released Status in linux-lts-quantal source package in Trusty: Invalid Status in linux-lts-raring source package in Trusty: Invalid Status in linux-lts-saucy source package in Trusty: Invalid Status in linux-lts-trusty source package in Trusty: Invalid Status in linux-lts-utopic source package in Trusty: Fix Released Status in linux-lts-vivid source package in Trusty: Fix Released Status in linux-lts-wily source package in Trusty: Fix Released Status in linux-lts-xenial source package in Trusty: New Status in linux-mako source package in Trusty: Invalid Status in linux-manta source package in Trusty: Invalid Status in linux-raspi2 source package in Trusty: Invalid Status in linux-ti-omap4 source package in Trusty: Invalid Status in linux source package in Vivid: Fix Released Status in linux-armadaxp source package in Vivid: Invalid Status in linux-flo source package in Vivid: New Status in linux-goldfish source package in Vivid: New Status in linux-keystone source package in Vivid: Invalid Status in linux-lts-quantal source package in Vivid: New Status in linux-lts-raring source package in Vivid: New Status in linux-lts-saucy source package in Vivid: New Status in linux-lts-trusty source package in Vivid: New Status in linux-lts-utopic source package in Vivid: Invalid Status in linux-lts-vivid source package in Vivid: New Status in linux-lts-wily source package in Vivid: New Status in linux-lts-xenial source package in Vivid: New Status in linux-mako source package in Vivid: New Status in linux-manta source package in Vivid: New Status in linux-raspi2 source package in Vivid: New Status in linux-ti-omap4 source package in Vivid: Invalid Status in linux source package in Wily: Fix Released Status in linux-armadaxp source package in Wily: Invalid Status in linux-flo source package in Wily: New Status in linux-goldfish source package in Wily: New Status in linux-keystone
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
This bug was fixed in the package linux-armadaxp - 3.2.0-1664.88 --- linux-armadaxp (3.2.0-1664.88) precise; urgency=low [ Ike Panhc ] * Release Tracking Bug - LP: #1555919 * Rebase to Ubuntu-3.2.0-101.141 [ Ubuntu: 3.2.0-101.141 ] * Release Tracking Bug - LP: #1555809 * SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving userspace - LP: #1555338 -- Ike Panhc Sat, 12 Mar 2016 10:40:37 +0800 ** Changed in: linux-armadaxp (Ubuntu Precise) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-armadaxp in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Committed Status in linux-armadaxp package in Ubuntu: Invalid Status in linux-flo package in Ubuntu: New Status in linux-goldfish package in Ubuntu: New Status in linux-keystone package in Ubuntu: Invalid Status in linux-lts-quantal package in Ubuntu: Invalid Status in linux-lts-raring package in Ubuntu: Invalid Status in linux-lts-saucy package in Ubuntu: Invalid Status in linux-lts-trusty package in Ubuntu: Invalid Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux-lts-vivid package in Ubuntu: Invalid Status in linux-lts-wily package in Ubuntu: Invalid Status in linux-lts-xenial package in Ubuntu: Invalid Status in linux-mako package in Ubuntu: New Status in linux-manta package in Ubuntu: New Status in linux-raspi2 package in Ubuntu: New Status in linux-ti-omap4 package in Ubuntu: Invalid Status in linux source package in Precise: Fix Released Status in linux-armadaxp source package in Precise: Fix Released Status in linux-flo source package in Precise: Invalid Status in linux-goldfish source package in Precise: Invalid Status in linux-keystone source package in Precise: Invalid Status in linux-lts-quantal source package in Precise: Invalid Status in linux-lts-raring source package in Precise: Invalid Status in linux-lts-saucy source package in Precise: Invalid Status in linux-lts-trusty source package in Precise: Fix Released Status in linux-lts-utopic source package in Precise: Invalid Status in linux-lts-vivid source package in Precise: Invalid Status in linux-lts-wily source package in Precise: Invalid Status in linux-lts-xenial source package in Precise: Invalid Status in linux-mako source package in Precise: Invalid Status in linux-manta source package in Precise: Invalid Status in linux-raspi2 source package in Precise: Invalid Status in linux-ti-omap4 source package in Precise: Fix Released Status in linux source package in Trusty: Fix Released Status in linux-armadaxp source package in Trusty: Invalid Status in linux-flo source package in Trusty: Invalid Status in linux-goldfish source package in Trusty: Invalid Status in linux-keystone source package in Trusty: Fix Committed Status in linux-lts-quantal source package in Trusty: Invalid Status in linux-lts-raring source package in Trusty: Invalid Status in linux-lts-saucy source package in Trusty: Invalid Status in linux-lts-trusty source package in Trusty: Invalid Status in linux-lts-utopic source package in Trusty: Fix Released Status in linux-lts-vivid source package in Trusty: Fix Released Status in linux-lts-wily source package in Trusty: Fix Released Status in linux-lts-xenial source package in Trusty: New Status in linux-mako source package in Trusty: Invalid Status in linux-manta source package in Trusty: Invalid Status in linux-raspi2 source package in Trusty: Invalid Status in linux-ti-omap4 source package in Trusty: Invalid Status in linux source package in Vivid: Fix Released Status in linux-armadaxp source package in Vivid: Invalid Status in linux-flo source package in Vivid: New Status in linux-goldfish source package in Vivid: New Status in linux-keystone source package in Vivid: Invalid Status in linux-lts-quantal source package in Vivid: New Status in linux-lts-raring source package in Vivid: New Status in linux-lts-saucy source package in Vivid: New Status in linux-lts-trusty source package in Vivid: New Status in linux-lts-utopic source package in Vivid: Invalid Status in linux-lts-vivid source package in Vivid: New Status in linux-lts-wily source package in Vivid: New Status in linux-lts-xenial source package in Vivid: New Status in linux-mako source package in Vivid: New Status in linux-manta source package in Vivid: New Status in linux-raspi2 source package in Vivid: New Status in linux-ti-omap4 source package in Vivid: Invalid Status in linux source package in Wily: Fix Released Status in linux-armadaxp source package in Wily: Invalid Status in linux-flo source package in Wily: New Status in linux-goldfish source package in Wily: New Status in linux-keys
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Changed in: linux-lts-trusty (Ubuntu Precise) Status: New => Fix Released ** Changed in: linux-lts-trusty (Ubuntu Precise) Importance: Undecided => High ** Changed in: linux-lts-trusty (Ubuntu Wily) Status: New => Invalid ** Changed in: linux-lts-trusty (Ubuntu Wily) Importance: Undecided => High ** Changed in: linux-lts-trusty (Ubuntu Xenial) Status: New => Invalid ** Changed in: linux-lts-trusty (Ubuntu Xenial) Importance: Undecided => High ** Changed in: linux-lts-trusty (Ubuntu Trusty) Status: New => Invalid ** Changed in: linux-lts-trusty (Ubuntu Trusty) Importance: Undecided => High ** Changed in: linux-lts-wily (Ubuntu Precise) Status: New => Invalid ** Changed in: linux-lts-wily (Ubuntu Precise) Importance: Undecided => High ** Changed in: linux-lts-wily (Ubuntu Wily) Status: New => Invalid ** Changed in: linux-lts-wily (Ubuntu Wily) Importance: Undecided => High ** Changed in: linux-lts-wily (Ubuntu Xenial) Status: New => Invalid ** Changed in: linux-lts-wily (Ubuntu Xenial) Importance: Undecided => High ** Changed in: linux-lts-wily (Ubuntu Trusty) Status: New => Fix Released ** Changed in: linux-lts-wily (Ubuntu Trusty) Importance: Undecided => High ** Changed in: linux-lts-quantal (Ubuntu Precise) Status: New => Invalid ** Changed in: linux-lts-quantal (Ubuntu Precise) Importance: Undecided => High ** Changed in: linux-lts-quantal (Ubuntu Wily) Status: New => Invalid ** Changed in: linux-lts-quantal (Ubuntu Wily) Importance: Undecided => High ** Changed in: linux-lts-quantal (Ubuntu Xenial) Status: New => Invalid ** Changed in: linux-lts-quantal (Ubuntu Xenial) Importance: Undecided => High ** Changed in: linux-lts-quantal (Ubuntu Trusty) Status: New => Invalid ** Changed in: linux-lts-quantal (Ubuntu Trusty) Importance: Undecided => High ** Changed in: linux (Ubuntu Precise) Importance: Critical => High ** Changed in: linux (Ubuntu Wily) Importance: Critical => High ** Changed in: linux (Ubuntu Trusty) Importance: Critical => High ** Changed in: linux-ti-omap4 (Ubuntu Precise) Status: New => Fix Released ** Changed in: linux-ti-omap4 (Ubuntu Precise) Importance: Undecided => High ** Changed in: linux-ti-omap4 (Ubuntu Wily) Status: New => Invalid ** Changed in: linux-ti-omap4 (Ubuntu Wily) Importance: Undecided => High ** Changed in: linux-ti-omap4 (Ubuntu Xenial) Status: New => Invalid ** Changed in: linux-ti-omap4 (Ubuntu Xenial) Importance: Undecided => High ** Changed in: linux-ti-omap4 (Ubuntu Trusty) Status: New => Invalid ** Changed in: linux-ti-omap4 (Ubuntu Trusty) Importance: Undecided => High ** Changed in: linux-lts-raring (Ubuntu Precise) Status: New => Invalid ** Changed in: linux-lts-raring (Ubuntu Precise) Importance: Undecided => High ** Changed in: linux-lts-raring (Ubuntu Wily) Status: New => Invalid ** Changed in: linux-lts-raring (Ubuntu Wily) Importance: Undecided => High ** Changed in: linux-lts-raring (Ubuntu Xenial) Status: New => Invalid ** Changed in: linux-lts-raring (Ubuntu Xenial) Importance: Undecided => High ** Changed in: linux-lts-raring (Ubuntu Trusty) Status: New => Invalid ** Changed in: linux-lts-raring (Ubuntu Trusty) Importance: Undecided => High ** Changed in: linux-armadaxp (Ubuntu Precise) Importance: Critical => High ** Changed in: linux-armadaxp (Ubuntu Wily) Importance: Undecided => High ** Changed in: linux-armadaxp (Ubuntu Xenial) Importance: Undecided => High ** Changed in: linux-armadaxp (Ubuntu Trusty) Importance: Undecided => High ** Changed in: linux-lts-xenial (Ubuntu Precise) Status: New => Invalid ** Changed in: linux-lts-xenial (Ubuntu Precise) Importance: Undecided => High ** Changed in: linux-lts-xenial (Ubuntu Wily) Status: New => Invalid ** Changed in: linux-lts-xenial (Ubuntu Wily) Importance: Undecided => High ** Changed in: linux-lts-xenial (Ubuntu Xenial) Status: New => Invalid ** Changed in: linux-lts-xenial (Ubuntu Xenial) Importance: Undecided => High ** Changed in: linux-lts-xenial (Ubuntu Trusty) Importance: Undecided => High ** Changed in: linux-lts-saucy (Ubuntu Precise) Status: New => Invalid ** Changed in: linux-lts-saucy (Ubuntu Precise) Importance: Undecided => High ** Changed in: linux-lts-saucy (Ubuntu Wily) Status: New => Invalid ** Changed in: linux-lts-saucy (Ubuntu Wily) Importance: Undecided => High ** Changed in: linux-lts-saucy (Ubuntu Xenial) Status: New => Invalid ** Changed in: linux-lts-saucy (Ubuntu Xenial) Importance: Undecided => High ** Changed in: linux-lts-saucy (Ubuntu Trusty) Status: New => Invalid ** Changed in: linux-lts-saucy (Ubuntu Trusty) Importance: Undecided => High ** Changed in: linux-manta (Ubuntu Precise) Status: New => Invalid
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Branch linked: lp:ubuntu/trusty-security/linux-lts-vivid ** Branch linked: lp:ubuntu/trusty-updates/linux-lts-vivid -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-armadaxp in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Committed Status in linux-armadaxp package in Ubuntu: Invalid Status in linux-keystone package in Ubuntu: Invalid Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux source package in Precise: Fix Released Status in linux-armadaxp source package in Precise: Fix Committed Status in linux-keystone source package in Precise: Invalid Status in linux-lts-utopic source package in Precise: Invalid Status in linux source package in Trusty: Fix Released Status in linux-armadaxp source package in Trusty: Invalid Status in linux-keystone source package in Trusty: Fix Committed Status in linux-lts-utopic source package in Trusty: Fix Released Status in linux source package in Vivid: Fix Released Status in linux-armadaxp source package in Vivid: Invalid Status in linux-keystone source package in Vivid: Invalid Status in linux-lts-utopic source package in Vivid: Invalid Status in linux source package in Wily: Fix Released Status in linux-armadaxp source package in Wily: Invalid Status in linux-keystone source package in Wily: Invalid Status in linux-lts-utopic source package in Wily: Invalid Status in linux source package in Xenial: Fix Committed Status in linux-armadaxp source package in Xenial: Invalid Status in linux-keystone source package in Xenial: Invalid Status in linux-lts-utopic source package in Xenial: Invalid Bug description: [Impact] [From https://code.google.com/p/google-security-research/issues/detail?id=758 ] A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing. In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset: newpos = pos + e->next_offset; ... e = (struct ipt_entry *) (entry0 + newpos); e->counters.pcnt = pos; This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof- of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero. This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well. [Fix] http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150 [Test Case] Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758 gcc net*v3.c -o v3 ./v3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
This bug was fixed in the package linux-lts-utopic - 3.16.0-67.87~14.04.1 --- linux-lts-utopic (3.16.0-67.87~14.04.1) trusty; urgency=low [ Brad Figg ] * Release Tracking Bug - LP: #1555847 [ Florian Westphal ] * SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving userspace - LP: #1555338 linux-lts-utopic (3.16.0-66.86~14.04.1) trusty; urgency=low [ Brad Figg ] * Release Tracking Bug - LP: #1555277 [ Upstream Kernel Changes ] * Revert "drm/radeon: call hpd_irq_event on resume" - LP: #1554608 linux-lts-utopic (3.16.0-65.85~14.04.1) trusty; urgency=low [ Luis Henriques ] * Release Tracking Bug - LP: #1552352 [ Upstream Kernel Changes ] * Revert "firmware: dmi_scan: Fix UUID endianness for SMBIOS >= 2.6" - LP: #1551419 linux-lts-utopic (3.16.0-64.84~14.04.1) trusty; urgency=low [ Kamal Mostafa ] * Release Tracking Bug - LP: #1550605 [ Kamal Mostafa ] * Merged back 3.16.0-63.83~14.04.1 linux-lts-utopic (3.16.0-63.83~14.04.1) trusty; urgency=low [ Brad Figg ] * Release Tracking Bug - LP: #1548934 [ Dan Streetman ] * SAUCE: nbd: ratelimit error msgs after socket close - LP: #1505564 [ Upstream Kernel Changes ] * Revert "workqueue: make sure delayed work run in local cpu" - LP: #1546320 * drm/nouveau/nv46: Change mc subdev oclass from nv44 to nv4c - LP: #1543126 * veth: don’t modify ip_summed; doing so treats packets with bad checksums as good. - LP: #1543126 * sctp: sctp should release assoc when sctp_make_abort_user return NULL in sctp_close - LP: #1543126 * connector: bump skb->users before callback invocation - LP: #1543126 * unix: properly account for FDs passed over unix sockets - LP: #1543126 * bridge: Only call /sbin/bridge-stp for the initial network namespace - LP: #1543126 * vxlan: fix test which detect duplicate vxlan iface - LP: #1543126 * net: sctp: prevent writes to cookie_hmac_alg from accessing invalid memory - LP: #1543126 * tcp_yeah: don't set ssthresh below 2 - LP: #1543126 * bonding: Prevent IPv6 link local address on enslaved devices - LP: #1543126 * phonet: properly unshare skbs in phonet_rcv() - LP: #1543126 * net: bpf: reject invalid shifts - LP: #1543126 * ipv6: update skb->csum when CE mark is propagated - LP: #1543126 * team: Replace rcu_read_lock with a mutex in team_vlan_rx_kill_vid - LP: #1543126 * xen-netback: respect user provided max_queues - LP: #1543126 * xen-netfront: respect user provided max_queues - LP: #1543126 * xen-netfront: print correct number of queues - LP: #1543126 * xen-netfront: update num_queues to real created - LP: #1543126 * sctp: Prevent soft lockup when sctp_accept() is called during a timeout event - LP: #1543126 * sctp: convert sack_needed and sack_generation to bits - LP: #1543126 * sctp: start t5 timer only when peer rwnd is 0 and local state is SHUTDOWN_PENDING - LP: #1543126 * nfs: Fix unused variable error - LP: #1543126 * [media] gspca: ov534/topro: prevent a division by 0 - LP: #1543126 * [media] media: dvb-core: Don't force CAN_INVERSION_AUTO in oneshot mode - LP: #1543126 * tools lib traceevent: Fix output of %llu for 64 bit values read on 32 bit machines - LP: #1543126 * KVM: x86: expose MSR_TSC_AUX to userspace - LP: #1543126 * KVM: x86: correctly print #AC in traces - LP: #1543126 * drm/radeon: call hpd_irq_event on resume - LP: #1543126 * xhci: refuse loading if nousb is used - LP: #1543126 * arm64: Clear out any singlestep state on a ptrace detach operation - LP: #1543126 * time: Avoid signed overflow in timekeeping_get_ns() - LP: #1543126 * Bluetooth: Add support of Toshiba Broadcom based devices - LP: #1522949, #1543126 * rtlwifi: fix memory leak for USB device - LP: #1543126 * wlcore/wl12xx: spi: fix oops on firmware load - LP: #1543126 * EDAC: Fix the leak of mci->bus->name when bus_register fails - LP: #1543126 * EDAC, mc_sysfs: Fix freeing bus' name - LP: #1543126 * EDAC: Robustify workqueues destruction - LP: #1543126 * arm64: mm: ensure that the zero page is visible to the page table walker - LP: #1543126 * powerpc: Make value-returning atomics fully ordered - LP: #1543126 * powerpc: Make {cmp}xchg* and their atomic_ versions fully ordered - LP: #1543126 * dm space map metadata: remove unused variable in brb_pop() - LP: #1543126 * dm thin: fix race condition when destroying thin pool workqueue - LP: #1543126 * futex: Drop refcount if requeue_pi() acquired the rtmutex - LP: #1543126 * arm64: mdscr_el1: avoid exposing DCC to userspace - LP: #1543126 * arm64: kernel: enforce pmuserenr_el0 initialization and restore - LP: #1543126 * drm/radeon: clean up fujitsu quirks - LP: #1543126 * mmc: sdio: Fix in
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
This bug was fixed in the package linux - 3.13.0-83.127 --- linux (3.13.0-83.127) trusty; urgency=low [ Brad Figg ] * Release Tracking Bug - LP: #1555839 [ Florian Westphal ] * SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving userspace - LP: #1555338 linux (3.13.0-82.126) trusty; urgency=low [ Brad Figg ] * Release Tracking Bug - LP: #1554732 [ Upstream Kernel Changes ] * Revert "drm/radeon: call hpd_irq_event on resume" - LP: #1554608 * net: generic dev_disable_lro() stacked device handling - LP: #1547680 linux (3.13.0-81.125) trusty; urgency=low [ Luis Henriques ] * Release Tracking Bug - LP: #1552316 [ Upstream Kernel Changes ] * Revert "firmware: dmi_scan: Fix UUID endianness for SMBIOS >= 2.6" - LP: #1551419 * bcache: Fix a lockdep splat in an error path - LP: #1551327 linux (3.13.0-80.124) trusty; urgency=low [ Brad Figg ] * Release Tracking Bug - LP: #1548519 [ Andy Whitcroft ] * [Debian] hv: hv_set_ifconfig -- convert to python3 - LP: #1506521 * [Debian] hv: hv_set_ifconfig -- switch to approved indentation - LP: #1540586 * [Debian] hv: hv_set_ifconfig -- fix numerous parameter handling issues - LP: #1540586 [ Dan Streetman ] * SAUCE: nbd: ratelimit error msgs after socket close - LP: #1505564 [ Upstream Kernel Changes ] * Revert "workqueue: make sure delayed work run in local cpu" - LP: #1546320 * [media] gspca: ov534/topro: prevent a division by 0 - LP: #1542497 * [media] media: dvb-core: Don't force CAN_INVERSION_AUTO in oneshot mode - LP: #1542497 * tools lib traceevent: Fix output of %llu for 64 bit values read on 32 bit machines - LP: #1542497 * KVM: x86: correctly print #AC in traces - LP: #1542497 * drm/radeon: call hpd_irq_event on resume - LP: #1542497 * xhci: refuse loading if nousb is used - LP: #1542497 * arm64: Clear out any singlestep state on a ptrace detach operation - LP: #1542497 * time: Avoid signed overflow in timekeeping_get_ns() - LP: #1542497 * rtlwifi: fix memory leak for USB device - LP: #1542497 * wlcore/wl12xx: spi: fix oops on firmware load - LP: #1542497 * EDAC, mc_sysfs: Fix freeing bus' name - LP: #1542497 * EDAC: Don't try to cancel workqueue when it's never setup - LP: #1542497 * EDAC: Robustify workqueues destruction - LP: #1542497 * powerpc: Make value-returning atomics fully ordered - LP: #1542497 * powerpc: Make {cmp}xchg* and their atomic_ versions fully ordered - LP: #1542497 * dm space map metadata: remove unused variable in brb_pop() - LP: #1542497 * dm thin: fix race condition when destroying thin pool workqueue - LP: #1542497 * futex: Drop refcount if requeue_pi() acquired the rtmutex - LP: #1542497 * drm/radeon: clean up fujitsu quirks - LP: #1542497 * mmc: sdio: Fix invalid vdd in voltage switch power cycle - LP: #1542497 * mmc: sdhci: Fix sdhci_runtime_pm_bus_on/off() - LP: #1542497 * udf: limit the maximum number of indirect extents in a row - LP: #1542497 * nfs: Fix race in __update_open_stateid() - LP: #1542497 * USB: cp210x: add ID for ELV Marble Sound Board 1 - LP: #1542497 * NFSv4: Don't perform cached access checks before we've OPENed the file - LP: #1542497 * NFS: Fix attribute cache revalidation - LP: #1542497 * posix-clock: Fix return code on the poll method's error path - LP: #1542497 * rtlwifi: rtl8192de: Fix incorrect module parameter descriptions - LP: #1542497 * rtlwifi: rtl8192se: Fix module parameter initialization - LP: #1542497 * rtlwifi: rtl8192ce: Fix handling of module parameters - LP: #1542497 * rtlwifi: rtl8192cu: Add missing parameter setup - LP: #1542497 * bcache: fix a livelock when we cause a huge number of cache misses - LP: #1542497 * bcache: Add a cond_resched() call to gc - LP: #1542497 * bcache: clear BCACHE_DEV_UNLINK_DONE flag when attaching a backing device - LP: #1542497 * bcache: fix a leak in bch_cached_dev_run() - LP: #1542497 * bcache: unregister reboot notifier if bcache fails to unregister device - LP: #1542497 * bcache: add mutex lock for bch_is_open - LP: #1542497 * bcache: allows use of register in udev to avoid "device_busy" error. - LP: #1542497 * bcache: Change refill_dirty() to always scan entire disk if necessary - LP: #1542497 * wlcore/wl12xx: spi: fix NULL pointer dereference (Oops) - LP: #1542497 * Input: i8042 - add Fujitsu Lifebook U745 to the nomux list - LP: #1542497 * libxfs: pack the agfl header structure so XFS_AGFL_SIZE is correct - LP: #1542497 * x86/xen: don't reset vcpu_info on a cancelled suspend - LP: #1542497 * udf: Prevent buffer overrun with multi-byte characters - LP: #1542497 * udf: Check output buffer length when converting name to CS0 - LP: #1542497
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
This bug was fixed in the package linux - 3.19.0-56.62 --- linux (3.19.0-56.62) vivid; urgency=low [ Brad Figg ] * Release Tracking Bug - LP: #1555832 [ Florian Westphal ] * SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving userspace - LP: #1555338 linux (3.19.0-55.61) vivid; urgency=low [ Brad Figg ] * Release Tracking Bug - LP: #1554708 [ Upstream Kernel Changes ] * Revert "drm/radeon: call hpd_irq_event on resume" - LP: #1554608 linux (3.19.0-54.60) vivid; urgency=low [ Luis Henriques ] * Release Tracking Bug - LP: #1552337 [ Upstream Kernel Changes ] * Revert "firmware: dmi_scan: Fix UUID endianness for SMBIOS >= 2.6" - LP: #1551419 linux (3.19.0-53.59) vivid; urgency=low [ Kamal Mostafa ] * Release Tracking Bug - LP: #1550576 [ Kamal Mostafa ] * Merged back 3.19.0-52.58 linux (3.19.0-52.58) vivid; urgency=low [ Brad Figg ] * Release Tracking Bug - LP: #1548548 [ Dan Streetman ] * SAUCE: nbd: ratelimit error msgs after socket close - LP: #1505564 [ Upstream Kernel Changes ] * Revert "ACPI / LPSS: allow to use specific PM domain during ->probe()" - LP: #1542457 * Revert "workqueue: make sure delayed work run in local cpu" - LP: #1546320 * net: ipmr: fix static mfc/dev leaks on table destruction - LP: #1542457 * drm/nouveau/nv46: Change mc subdev oclass from nv44 to nv4c - LP: #1542457 * ovl: allow zero size xattr - LP: #1542457 * ovl: use a minimal buffer in ovl_copy_xattr - LP: #1542457 * [media] vb2: fix a regression in poll() behavior for output,streams - LP: #1542457 * [media] gspca: ov534/topro: prevent a division by 0 - LP: #1542457 * [media] media: dvb-core: Don't force CAN_INVERSION_AUTO in oneshot mode - LP: #1542457 * tools lib traceevent: Fix output of %llu for 64 bit values read on 32 bit machines - LP: #1542457 * KVM: x86: expose MSR_TSC_AUX to userspace - LP: #1542457 * KVM: x86: correctly print #AC in traces - LP: #1542457 * drm/radeon: call hpd_irq_event on resume - LP: #1542457 * xhci: refuse loading if nousb is used - LP: #1542457 * arm64: Clear out any singlestep state on a ptrace detach operation - LP: #1542457 * time: Avoid signed overflow in timekeeping_get_ns() - LP: #1542457 * ovl: root: copy attr - LP: #1542457 * Bluetooth: Add support of Toshiba Broadcom based devices - LP: #1522949, #1542457 * rtlwifi: fix memory leak for USB device - LP: #1542457 * wlcore/wl12xx: spi: fix oops on firmware load - LP: #1542457 * ovl: check dentry positiveness in ovl_cleanup_whiteouts() - LP: #1542457 * EDAC, mc_sysfs: Fix freeing bus' name - LP: #1542457 * EDAC: Robustify workqueues destruction - LP: #1542457 * arm64: mm: ensure that the zero page is visible to the page table walker - LP: #1542457 * powerpc: Make value-returning atomics fully ordered - LP: #1542457 * powerpc: Make {cmp}xchg* and their atomic_ versions fully ordered - LP: #1542457 * dm space map metadata: remove unused variable in brb_pop() - LP: #1542457 * dm thin: fix race condition when destroying thin pool workqueue - LP: #1542457 * futex: Drop refcount if requeue_pi() acquired the rtmutex - LP: #1542457 * arm64: mdscr_el1: avoid exposing DCC to userspace - LP: #1542457 * arm64: kernel: enforce pmuserenr_el0 initialization and restore - LP: #1542457 * drm/radeon: Fix off-by-one errors in radeon_vm_bo_set_addr - LP: #1542457 * drm/radeon: clean up fujitsu quirks - LP: #1542457 * mmc: sdio: Fix invalid vdd in voltage switch power cycle - LP: #1542457 * mmc: sdhci: Fix DMA descriptor with zero data length - LP: #1542457 * mmc: sdhci: Fix sdhci_runtime_pm_bus_on/off() - LP: #1542457 * udf: limit the maximum number of indirect extents in a row - LP: #1542457 * [media] rc: sunxi-cir: Initialize the spinlock properly - LP: #1542457 * nfs: Fix race in __update_open_stateid() - LP: #1542457 * USB: cp210x: add ID for ELV Marble Sound Board 1 - LP: #1542457 * NFSv4: Don't perform cached access checks before we've OPENed the file - LP: #1542457 * NFS: Ensure we revalidate attributes before using execute_ok() - LP: #1542457 * Thermal: initialize thermal zone device correctly - LP: #1542457 * Thermal: handle thermal zone device properly during system sleep - LP: #1542457 * Thermal: do thermal zone update after a cooling device registered - LP: #1542457 * posix-clock: Fix return code on the poll method's error path - LP: #1542457 * rtlwifi: rtl8723be: Fix module parameter initialization - LP: #1542457 * rtlwifi: rtl8723ae: Fix initialization of module parameters - LP: #1542457 * rtlwifi: rtl8821ae: Fix errors in parameter initialization - LP: #1542457 * rtlwifi: rtl8188ee: Fix module parameter initialization
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
This bug was fixed in the package linux - 3.2.0-101.141 --- linux (3.2.0-101.141) precise; urgency=low [ Brad Figg ] * Release Tracking Bug - LP: #1555809 [ Florian Westphal ] * SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving userspace - LP: #1555338 linux (3.2.0-100.140) precise; urgency=low [ Brad Figg ] * Release Tracking Bug - LP: #1548504 [ Upstream Kernel Changes ] * veth: don’t modify ip_summed; doing so treats packets with bad checksums as good. - LP: #1547207 * ALSA: usb-audio: avoid freeing umidi object twice - LP: #1546177 - CVE-2016-2384 -- Brad Figg Thu, 10 Mar 2016 13:05:32 -0800 ** Changed in: linux (Ubuntu Precise) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-armadaxp in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Committed Status in linux-armadaxp package in Ubuntu: Invalid Status in linux-keystone package in Ubuntu: Invalid Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux source package in Precise: Fix Released Status in linux-armadaxp source package in Precise: Fix Committed Status in linux-keystone source package in Precise: Invalid Status in linux-lts-utopic source package in Precise: Invalid Status in linux source package in Trusty: Fix Committed Status in linux-armadaxp source package in Trusty: Invalid Status in linux-keystone source package in Trusty: Fix Committed Status in linux-lts-utopic source package in Trusty: Fix Committed Status in linux source package in Vivid: Fix Committed Status in linux-armadaxp source package in Vivid: Invalid Status in linux-keystone source package in Vivid: Invalid Status in linux-lts-utopic source package in Vivid: Invalid Status in linux source package in Wily: Fix Released Status in linux-armadaxp source package in Wily: Invalid Status in linux-keystone source package in Wily: Invalid Status in linux-lts-utopic source package in Wily: Invalid Status in linux source package in Xenial: Fix Committed Status in linux-armadaxp source package in Xenial: Invalid Status in linux-keystone source package in Xenial: Invalid Status in linux-lts-utopic source package in Xenial: Invalid Bug description: [Impact] [From https://code.google.com/p/google-security-research/issues/detail?id=758 ] A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing. In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset: newpos = pos + e->next_offset; ... e = (struct ipt_entry *) (entry0 + newpos); e->counters.pcnt = pos; This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof- of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero. This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well. [Fix] http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150 [Test Case] Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758 gcc net*v3.c -o v3 ./v3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
This bug was fixed in the package linux - 4.2.0-34.39 --- linux (4.2.0-34.39) wily; urgency=low [ Brad Figg ] * Release Tracking Bug - LP: #1555821 [ Florian Westphal ] * SAUCE: [nf] netfilter: x_tables: check for size overflow - LP: #1555353 * SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving userspace - LP: #1555338 linux (4.2.0-33.38) wily; urgency=low [ Brad Figg ] * Release Tracking Bug - LP: #1554649 [ Upstream Kernel Changes ] * Revert "drm/radeon: call hpd_irq_event on resume" - LP: #1554608 * cxl: Fix PSL timebase synchronization detection - LP: #1532914 linux (4.2.0-32.37) wily; urgency=low [ Kamal Mostafa ] * Release Tracking Bug - LP: #1550045 [ Kamal Mostafa ] * Merged back Ubuntu-4.2.0-31.36 linux (4.2.0-31.36) wily; urgency=low [ Brad Figg ] * Release Tracking Bug - LP: #1548579 [ Andy Whitcroft ] * [Debian] hv: hv_set_ifconfig -- convert to python3 - LP: #1506521 * [Debian] hv: hv_set_ifconfig -- switch to approved indentation - LP: #1540586 * [Debian] hv: hv_set_ifconfig -- fix numerous parameter handling issues - LP: #1540586 [ Carol L Soto ] * SAUCE: IB/IPoIB: Do not set skb truesize since using one linearskb - LP: #1541326 [ Dan Streetman ] * SAUCE: nbd: ratelimit error msgs after socket close - LP: #1505564 [ Tim Gardner ] * Revert "SAUCE: (noup) cxlflash: Fix to avoid virtual LUN failover failure" - LP: #1541635 * Revert "SAUCE: (noup) cxlflash: Fix to escalate LINK_RESET also on port 1" - LP: #1541635 * [Config] ARMV8_DEPRECATED=y - LP: #1545542 [ Upstream Kernel Changes ] * x86/xen/p2m: hint at the last populated P2M entry - LP: #1542941 * mm: add dma_pool_zalloc() call to DMA API - LP: #1543737 * sctp: Prevent soft lockup when sctp_accept() is called during a timeout event - LP: #1543737 * xen-netback: respect user provided max_queues - LP: #1543737 * xen-netfront: respect user provided max_queues - LP: #1543737 * xen-netfront: update num_queues to real created - LP: #1543737 * iio: adis_buffer: Fix out-of-bounds memory access - LP: #1543737 * KVM: PPC: Fix emulation of H_SET_DABR/X on POWER8 - LP: #1543737 * KVM: PPC: Fix ONE_REG AltiVec support - LP: #1543737 * x86/irq: Call chip->irq_set_affinity in proper context - LP: #1543737 * drm/amdgpu: fix tonga smu resume - LP: #1543737 * perf kvm record/report: 'unprocessable sample' error while recording/reporting guest data - LP: #1543737 * hrtimer: Handle remaining time proper for TIME_LOW_RES - LP: #1543737 * timerfd: Handle relative timers with CONFIG_TIME_LOW_RES proper - LP: #1543737 * posix-timers: Handle relative timers with CONFIG_TIME_LOW_RES proper - LP: #1543737 * itimers: Handle relative timers with CONFIG_TIME_LOW_RES proper - LP: #1543737 * drm/amdgpu: Use drm_calloc_large for VM page_tables array - LP: #1543737 * drm/amdgpu: fix amdgpu_bo_pin_restricted VRAM placing v2 - LP: #1543737 * drm/radeon: properly byte swap vce firmware setup - LP: #1543737 * ACPI: Revert "ACPI / video: Add Dell Inspiron 5737 to the blacklist" - LP: #1543737 * ACPI / PCI / hotplug: unlock in error path in acpiphp_enable_slot() - LP: #1543737 * hwmon: (dell-smm) Blacklist Dell Studio XPS 8000 - LP: #1543737 * usb: cdc-acm: handle unlinked urb in acm read callback - LP: #1543737 * usb: cdc-acm: send zero packet for intel 7260 modem - LP: #1543737 * cdc-acm:exclude Samsung phone 04e8:685d - LP: #1543737 * usb: hub: do not clear BOS field during reset device - LP: #1543737 * USB: cp210x: add ID for IAI USB to RS485 adaptor - LP: #1543737 * USB: visor: fix null-deref at probe - LP: #1543737 * USB: serial: visor: fix crash on detecting device without write_urbs - LP: #1543737 * USB: serial: option: Adding support for Telit LE922 - LP: #1543737 * ALSA: seq: Fix incorrect sanity check at snd_seq_oss_synth_cleanup() - LP: #1543737 * ALSA: seq: Degrade the error message for too many opens - LP: #1543737 * USB: serial: ftdi_sio: add support for Yaesu SCU-18 cable - LP: #1543737 * arm64: kernel: fix architected PMU registers unconditional access - LP: #1543737 * USB: option: fix Cinterion AHxx enumeration - LP: #1543737 * ALSA: compress: Disable GET_CODEC_CAPS ioctl for some architectures - LP: #1543737 * ALSA: usb-audio: Fix TEAC UD-501/UD-503/NT-503 usb delay - LP: #1543737 * virtio_pci: fix use after free on release - LP: #1543737 * ALSA: bebob: Use a signed return type for get_formation_index - LP: #1543737 * arm64: errata: Add -mpc-relative-literal-loads to build flags - LP: #1533009, #1543737 * arm64: mm: avoid calling apply_to_page_range on empty range - LP: #1543737 * x86/mm: Fix types used in pgprot cacheability
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
This has been assigned CVE-2016-3134 ( http://www.openwall.com/lists /oss-security/2016/03/14/1 ). ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2016-3134 -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-armadaxp in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Committed Status in linux-armadaxp package in Ubuntu: Invalid Status in linux-keystone package in Ubuntu: Invalid Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux source package in Precise: Fix Committed Status in linux-armadaxp source package in Precise: Fix Committed Status in linux-keystone source package in Precise: Invalid Status in linux-lts-utopic source package in Precise: Invalid Status in linux source package in Trusty: Fix Committed Status in linux-armadaxp source package in Trusty: Invalid Status in linux-keystone source package in Trusty: Fix Committed Status in linux-lts-utopic source package in Trusty: Fix Committed Status in linux source package in Vivid: Fix Committed Status in linux-armadaxp source package in Vivid: Invalid Status in linux-keystone source package in Vivid: Invalid Status in linux-lts-utopic source package in Vivid: Invalid Status in linux source package in Wily: Fix Committed Status in linux-armadaxp source package in Wily: Invalid Status in linux-keystone source package in Wily: Invalid Status in linux-lts-utopic source package in Wily: Invalid Status in linux source package in Xenial: Fix Committed Status in linux-armadaxp source package in Xenial: Invalid Status in linux-keystone source package in Xenial: Invalid Status in linux-lts-utopic source package in Xenial: Invalid Bug description: [Impact] [From https://code.google.com/p/google-security-research/issues/detail?id=758 ] A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing. In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset: newpos = pos + e->next_offset; ... e = (struct ipt_entry *) (entry0 + newpos); e->counters.pcnt = pos; This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof- of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero. This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well. [Fix] http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150 [Test Case] Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758 gcc net*v3.c -o v3 ./v3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Branch linked: lp:ubuntu/trusty-proposed/linux-lts-xenial -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-armadaxp in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Committed Status in linux-armadaxp package in Ubuntu: Invalid Status in linux-keystone package in Ubuntu: Invalid Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux source package in Precise: Fix Committed Status in linux-armadaxp source package in Precise: Fix Committed Status in linux-keystone source package in Precise: Invalid Status in linux-lts-utopic source package in Precise: Invalid Status in linux source package in Trusty: Fix Committed Status in linux-armadaxp source package in Trusty: Invalid Status in linux-keystone source package in Trusty: Fix Committed Status in linux-lts-utopic source package in Trusty: Fix Committed Status in linux source package in Vivid: Fix Committed Status in linux-armadaxp source package in Vivid: Invalid Status in linux-keystone source package in Vivid: Invalid Status in linux-lts-utopic source package in Vivid: Invalid Status in linux source package in Wily: Fix Committed Status in linux-armadaxp source package in Wily: Invalid Status in linux-keystone source package in Wily: Invalid Status in linux-lts-utopic source package in Wily: Invalid Status in linux source package in Xenial: Fix Committed Status in linux-armadaxp source package in Xenial: Invalid Status in linux-keystone source package in Xenial: Invalid Status in linux-lts-utopic source package in Xenial: Invalid Bug description: [Impact] [From https://code.google.com/p/google-security-research/issues/detail?id=758 ] A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing. In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset: newpos = pos + e->next_offset; ... e = (struct ipt_entry *) (entry0 + newpos); e->counters.pcnt = pos; This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof- of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero. This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well. [Fix] http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150 [Test Case] Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758 gcc net*v3.c -o v3 ./v3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Branch linked: lp:ubuntu/trusty-proposed/linux-lts-wily -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-armadaxp in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Committed Status in linux-armadaxp package in Ubuntu: Invalid Status in linux-keystone package in Ubuntu: Invalid Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux source package in Precise: Fix Committed Status in linux-armadaxp source package in Precise: Fix Committed Status in linux-keystone source package in Precise: Invalid Status in linux-lts-utopic source package in Precise: Invalid Status in linux source package in Trusty: Fix Committed Status in linux-armadaxp source package in Trusty: Invalid Status in linux-keystone source package in Trusty: Fix Committed Status in linux-lts-utopic source package in Trusty: Fix Committed Status in linux source package in Vivid: Fix Committed Status in linux-armadaxp source package in Vivid: Invalid Status in linux-keystone source package in Vivid: Invalid Status in linux-lts-utopic source package in Vivid: Invalid Status in linux source package in Wily: Fix Committed Status in linux-armadaxp source package in Wily: Invalid Status in linux-keystone source package in Wily: Invalid Status in linux-lts-utopic source package in Wily: Invalid Status in linux source package in Xenial: Fix Committed Status in linux-armadaxp source package in Xenial: Invalid Status in linux-keystone source package in Xenial: Invalid Status in linux-lts-utopic source package in Xenial: Invalid Bug description: [Impact] [From https://code.google.com/p/google-security-research/issues/detail?id=758 ] A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing. In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset: newpos = pos + e->next_offset; ... e = (struct ipt_entry *) (entry0 + newpos); e->counters.pcnt = pos; This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof- of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero. This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well. [Fix] http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150 [Test Case] Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758 gcc net*v3.c -o v3 ./v3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Branch linked: lp:ubuntu/trusty-proposed/linux-lts-vivid -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-armadaxp in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Committed Status in linux-armadaxp package in Ubuntu: Invalid Status in linux-keystone package in Ubuntu: Invalid Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux source package in Precise: Fix Committed Status in linux-armadaxp source package in Precise: Fix Committed Status in linux-keystone source package in Precise: Invalid Status in linux-lts-utopic source package in Precise: Invalid Status in linux source package in Trusty: Fix Committed Status in linux-armadaxp source package in Trusty: Invalid Status in linux-keystone source package in Trusty: Fix Committed Status in linux-lts-utopic source package in Trusty: Fix Committed Status in linux source package in Vivid: Fix Committed Status in linux-armadaxp source package in Vivid: Invalid Status in linux-keystone source package in Vivid: Invalid Status in linux-lts-utopic source package in Vivid: Invalid Status in linux source package in Wily: Fix Committed Status in linux-armadaxp source package in Wily: Invalid Status in linux-keystone source package in Wily: Invalid Status in linux-lts-utopic source package in Wily: Invalid Status in linux source package in Xenial: Fix Committed Status in linux-armadaxp source package in Xenial: Invalid Status in linux-keystone source package in Xenial: Invalid Status in linux-lts-utopic source package in Xenial: Invalid Bug description: [Impact] [From https://code.google.com/p/google-security-research/issues/detail?id=758 ] A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing. In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset: newpos = pos + e->next_offset; ... e = (struct ipt_entry *) (entry0 + newpos); e->counters.pcnt = pos; This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof- of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero. This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well. [Fix] http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150 [Test Case] Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758 gcc net*v3.c -o v3 ./v3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Also affects: linux-keystone (Ubuntu) Importance: Undecided Status: New ** Also affects: linux-armadaxp (Ubuntu) Importance: Undecided Status: New ** Changed in: linux-keystone (Ubuntu Xenial) Status: New => Invalid ** Changed in: linux-keystone (Ubuntu Precise) Status: New => Invalid ** Changed in: linux-keystone (Ubuntu Wily) Status: New => Invalid ** Changed in: linux-armadaxp (Ubuntu Vivid) Status: New => Invalid ** Changed in: linux-armadaxp (Ubuntu Trusty) Status: New => Invalid ** Changed in: linux-keystone (Ubuntu Vivid) Status: New => Invalid ** Changed in: linux-armadaxp (Ubuntu) Status: New => Invalid ** Changed in: linux-armadaxp (Ubuntu Wily) Status: New => Invalid ** Changed in: linux-keystone (Ubuntu Trusty) Status: New => Fix Committed ** Changed in: linux-armadaxp (Ubuntu Precise) Status: New => Fix Committed ** Changed in: linux-keystone (Ubuntu Trusty) Importance: Undecided => Critical ** Changed in: linux-armadaxp (Ubuntu Precise) Importance: Undecided => Critical -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-lts-utopic in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Committed Status in linux-armadaxp package in Ubuntu: Invalid Status in linux-keystone package in Ubuntu: Invalid Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux source package in Precise: Fix Committed Status in linux-armadaxp source package in Precise: Fix Committed Status in linux-keystone source package in Precise: Invalid Status in linux-lts-utopic source package in Precise: Invalid Status in linux source package in Trusty: Fix Committed Status in linux-armadaxp source package in Trusty: Invalid Status in linux-keystone source package in Trusty: Fix Committed Status in linux-lts-utopic source package in Trusty: Fix Committed Status in linux source package in Vivid: Fix Committed Status in linux-armadaxp source package in Vivid: Invalid Status in linux-keystone source package in Vivid: Invalid Status in linux-lts-utopic source package in Vivid: Invalid Status in linux source package in Wily: Fix Committed Status in linux-armadaxp source package in Wily: Invalid Status in linux-keystone source package in Wily: Invalid Status in linux-lts-utopic source package in Wily: Invalid Status in linux source package in Xenial: Fix Committed Status in linux-armadaxp source package in Xenial: Invalid Status in linux-keystone source package in Xenial: Invalid Status in linux-lts-utopic source package in Xenial: Invalid Bug description: [Impact] [From https://code.google.com/p/google-security-research/issues/detail?id=758 ] A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing. In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset: newpos = pos + e->next_offset; ... e = (struct ipt_entry *) (entry0 + newpos); e->counters.pcnt = pos; This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof- of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero. This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well. [Fix] http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150 [Test Case] Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758 gcc net*v3.c -o v3 ./v3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Changed in: linux-lts-utopic (Ubuntu Trusty) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-lts-utopic in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Committed Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux source package in Precise: Fix Committed Status in linux-lts-utopic source package in Precise: Invalid Status in linux source package in Trusty: Fix Committed Status in linux-lts-utopic source package in Trusty: Fix Committed Status in linux source package in Vivid: Fix Committed Status in linux-lts-utopic source package in Vivid: Invalid Status in linux source package in Wily: Fix Committed Status in linux-lts-utopic source package in Wily: Invalid Status in linux source package in Xenial: Fix Committed Status in linux-lts-utopic source package in Xenial: Invalid Bug description: [Impact] [From https://code.google.com/p/google-security-research/issues/detail?id=758 ] A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing. In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset: newpos = pos + e->next_offset; ... e = (struct ipt_entry *) (entry0 + newpos); e->counters.pcnt = pos; This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof- of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero. This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well. [Fix] http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150 [Test Case] Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758 gcc net*v3.c -o v3 ./v3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Changed in: linux-lts-utopic (Ubuntu Trusty) Importance: Undecided => Critical ** Changed in: linux (Ubuntu Wily) Importance: Undecided => Critical ** Changed in: linux (Ubuntu Vivid) Importance: Undecided => Critical ** Changed in: linux (Ubuntu Trusty) Importance: Undecided => Critical ** Changed in: linux (Ubuntu Precise) Importance: Undecided => Critical ** Changed in: linux (Ubuntu Precise) Assignee: (unassigned) => Chris J Arges (arges) -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-lts-utopic in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Committed Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux source package in Precise: Fix Committed Status in linux-lts-utopic source package in Precise: Invalid Status in linux source package in Trusty: Fix Committed Status in linux-lts-utopic source package in Trusty: In Progress Status in linux source package in Vivid: Fix Committed Status in linux-lts-utopic source package in Vivid: Invalid Status in linux source package in Wily: Fix Committed Status in linux-lts-utopic source package in Wily: Invalid Status in linux source package in Xenial: Fix Committed Status in linux-lts-utopic source package in Xenial: Invalid Bug description: [Impact] [From https://code.google.com/p/google-security-research/issues/detail?id=758 ] A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing. In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset: newpos = pos + e->next_offset; ... e = (struct ipt_entry *) (entry0 + newpos); e->counters.pcnt = pos; This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof- of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero. This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well. [Fix] http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150 [Test Case] Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758 gcc net*v3.c -o v3 ./v3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Tags added: kernel-cve-skip-description -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-lts-utopic in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Committed Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux source package in Precise: Fix Committed Status in linux-lts-utopic source package in Precise: Invalid Status in linux source package in Trusty: Fix Committed Status in linux-lts-utopic source package in Trusty: In Progress Status in linux source package in Vivid: Fix Committed Status in linux-lts-utopic source package in Vivid: Invalid Status in linux source package in Wily: Fix Committed Status in linux-lts-utopic source package in Wily: Invalid Status in linux source package in Xenial: Fix Committed Status in linux-lts-utopic source package in Xenial: Invalid Bug description: [Impact] [From https://code.google.com/p/google-security-research/issues/detail?id=758 ] A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing. In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset: newpos = pos + e->next_offset; ... e = (struct ipt_entry *) (entry0 + newpos); e->counters.pcnt = pos; This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof- of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero. This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well. [Fix] http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150 [Test Case] Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758 gcc net*v3.c -o v3 ./v3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Changed in: linux (Ubuntu Vivid) Status: In Progress => Fix Committed ** Changed in: linux (Ubuntu Trusty) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-lts-utopic in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Committed Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux source package in Precise: Fix Committed Status in linux-lts-utopic source package in Precise: Invalid Status in linux source package in Trusty: Fix Committed Status in linux-lts-utopic source package in Trusty: In Progress Status in linux source package in Vivid: Fix Committed Status in linux-lts-utopic source package in Vivid: Invalid Status in linux source package in Wily: Fix Committed Status in linux-lts-utopic source package in Wily: Invalid Status in linux source package in Xenial: Fix Committed Status in linux-lts-utopic source package in Xenial: Invalid Bug description: [Impact] [From https://code.google.com/p/google-security-research/issues/detail?id=758 ] A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing. In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset: newpos = pos + e->next_offset; ... e = (struct ipt_entry *) (entry0 + newpos); e->counters.pcnt = pos; This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof- of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero. This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well. [Fix] http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150 [Test Case] Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758 gcc net*v3.c -o v3 ./v3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Changed in: linux (Ubuntu Wily) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-lts-utopic in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Committed Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux source package in Precise: Fix Committed Status in linux-lts-utopic source package in Precise: Invalid Status in linux source package in Trusty: In Progress Status in linux-lts-utopic source package in Trusty: In Progress Status in linux source package in Vivid: In Progress Status in linux-lts-utopic source package in Vivid: Invalid Status in linux source package in Wily: Fix Committed Status in linux-lts-utopic source package in Wily: Invalid Status in linux source package in Xenial: Fix Committed Status in linux-lts-utopic source package in Xenial: Invalid Bug description: [Impact] [From https://code.google.com/p/google-security-research/issues/detail?id=758 ] A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing. In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset: newpos = pos + e->next_offset; ... e = (struct ipt_entry *) (entry0 + newpos); e->counters.pcnt = pos; This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof- of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero. This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well. [Fix] http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150 [Test Case] Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758 gcc net*v3.c -o v3 ./v3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Changed in: linux (Ubuntu Precise) Status: New => Fix Committed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-lts-utopic in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Committed Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux source package in Precise: Fix Committed Status in linux-lts-utopic source package in Precise: Invalid Status in linux source package in Trusty: In Progress Status in linux-lts-utopic source package in Trusty: In Progress Status in linux source package in Vivid: In Progress Status in linux-lts-utopic source package in Vivid: Invalid Status in linux source package in Wily: In Progress Status in linux-lts-utopic source package in Wily: Invalid Status in linux source package in Xenial: Fix Committed Status in linux-lts-utopic source package in Xenial: Invalid Bug description: [Impact] [From https://code.google.com/p/google-security-research/issues/detail?id=758 ] A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing. In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset: newpos = pos + e->next_offset; ... e = (struct ipt_entry *) (entry0 + newpos); e->counters.pcnt = pos; This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof- of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero. This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well. [Fix] http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150 [Test Case] Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758 gcc net*v3.c -o v3 ./v3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Changed in: linux (Ubuntu Trusty) Status: New => In Progress ** Changed in: linux (Ubuntu Trusty) Assignee: (unassigned) => Chris J Arges (arges) ** Changed in: linux (Ubuntu Vivid) Status: New => In Progress ** Changed in: linux-lts-utopic (Ubuntu Trusty) Status: New => In Progress ** Changed in: linux-lts-utopic (Ubuntu Trusty) Assignee: (unassigned) => Chris J Arges (arges) -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-lts-utopic in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Committed Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux source package in Precise: New Status in linux-lts-utopic source package in Precise: Invalid Status in linux source package in Trusty: In Progress Status in linux-lts-utopic source package in Trusty: In Progress Status in linux source package in Vivid: In Progress Status in linux-lts-utopic source package in Vivid: Invalid Status in linux source package in Wily: In Progress Status in linux-lts-utopic source package in Wily: Invalid Status in linux source package in Xenial: Fix Committed Status in linux-lts-utopic source package in Xenial: Invalid Bug description: [Impact] [From https://code.google.com/p/google-security-research/issues/detail?id=758 ] A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing. In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset: newpos = pos + e->next_offset; ... e = (struct ipt_entry *) (entry0 + newpos); e->counters.pcnt = pos; This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof- of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero. This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well. [Fix] http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150 [Test Case] Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758 gcc net*v3.c -o v3 ./v3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
v2 of the patch http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150 -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-lts-utopic in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Committed Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux source package in Precise: New Status in linux-lts-utopic source package in Precise: Invalid Status in linux source package in Trusty: New Status in linux-lts-utopic source package in Trusty: New Status in linux source package in Vivid: New Status in linux-lts-utopic source package in Vivid: Invalid Status in linux source package in Wily: In Progress Status in linux-lts-utopic source package in Wily: Invalid Status in linux source package in Xenial: Fix Committed Status in linux-lts-utopic source package in Xenial: Invalid Bug description: [Impact] [From https://code.google.com/p/google-security-research/issues/detail?id=758 ] A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing. In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset: newpos = pos + e->next_offset; ... e = (struct ipt_entry *) (entry0 + newpos); e->counters.pcnt = pos; This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof- of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero. This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well. [Fix] http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150 [Test Case] Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758 gcc net*v3.c -o v3 ./v3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Changed in: linux (Ubuntu Vivid) Status: In Progress => New ** Changed in: linux-lts-utopic (Ubuntu Trusty) Status: In Progress => New ** Changed in: linux-lts-utopic (Ubuntu Trusty) Assignee: Chris J Arges (arges) => (unassigned) -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-lts-utopic in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Committed Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux source package in Precise: New Status in linux-lts-utopic source package in Precise: Invalid Status in linux source package in Trusty: New Status in linux-lts-utopic source package in Trusty: New Status in linux source package in Vivid: New Status in linux-lts-utopic source package in Vivid: Invalid Status in linux source package in Wily: In Progress Status in linux-lts-utopic source package in Wily: Invalid Status in linux source package in Xenial: Fix Committed Status in linux-lts-utopic source package in Xenial: Invalid Bug description: [Impact] [From https://code.google.com/p/google-security-research/issues/detail?id=758 ] A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing. In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset: newpos = pos + e->next_offset; ... e = (struct ipt_entry *) (entry0 + newpos); e->counters.pcnt = pos; This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof- of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero. This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well. [Fix] http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150 [Test Case] Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758 gcc net*v3.c -o v3 ./v3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Changed in: linux (Ubuntu Vivid) Status: New => In Progress ** Changed in: linux (Ubuntu Vivid) Assignee: (unassigned) => Chris J Arges (arges) ** Changed in: linux-lts-utopic (Ubuntu Trusty) Status: New => In Progress ** Changed in: linux-lts-utopic (Ubuntu Trusty) Assignee: (unassigned) => Chris J Arges (arges) ** Description changed: - [From https://code.google.com/p/google-security- - research/issues/detail?id=758 ] + [Impact] + [From https://code.google.com/p/google-security-research/issues/detail?id=758 ] A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing. In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset: newpos = pos + e->next_offset; ... e = (struct ipt_entry *) (entry0 + newpos); e->counters.pcnt = pos; This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof-of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero. This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well. + + [Fix] + http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150 + + [Test Case] + Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758 + gcc net*v3.c -o v3 + ./v3 -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-lts-utopic in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Committed Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux source package in Precise: New Status in linux-lts-utopic source package in Precise: Invalid Status in linux source package in Trusty: New Status in linux-lts-utopic source package in Trusty: In Progress Status in linux source package in Vivid: In Progress Status in linux-lts-utopic source package in Vivid: Invalid Status in linux source package in Wily: In Progress Status in linux-lts-utopic source package in Wily: Invalid Status in linux source package in Xenial: Fix Committed Status in linux-lts-utopic source package in Xenial: Invalid Bug description: [Impact] [From https://code.google.com/p/google-security-research/issues/detail?id=758 ] A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing. In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset: newpos = pos + e->next_offset; ... e = (struct ipt_entry *) (entry0 + newpos); e->counters.pcnt = pos; This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof- of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero. This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well. [Fix] http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150 [Test Case] Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758 gcc net*v3.c -o v3 ./v3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHel
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Changed in: linux (Ubuntu Wily) Status: New => In Progress ** Changed in: linux (Ubuntu Wily) Assignee: (unassigned) => Chris J Arges (arges) -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-lts-utopic in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Committed Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux source package in Precise: New Status in linux-lts-utopic source package in Precise: Invalid Status in linux source package in Trusty: New Status in linux-lts-utopic source package in Trusty: New Status in linux source package in Vivid: New Status in linux-lts-utopic source package in Vivid: Invalid Status in linux source package in Wily: In Progress Status in linux-lts-utopic source package in Wily: Invalid Status in linux source package in Xenial: Fix Committed Status in linux-lts-utopic source package in Xenial: Invalid Bug description: [From https://code.google.com/p/google-security- research/issues/detail?id=758 ] A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing. In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset: newpos = pos + e->next_offset; ... e = (struct ipt_entry *) (entry0 + newpos); e->counters.pcnt = pos; This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof- of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero. This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Changed in: linux (Ubuntu Xenial) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-lts-utopic in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Fix Committed Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux source package in Precise: New Status in linux-lts-utopic source package in Precise: Invalid Status in linux source package in Trusty: New Status in linux-lts-utopic source package in Trusty: New Status in linux source package in Vivid: New Status in linux-lts-utopic source package in Vivid: Invalid Status in linux source package in Wily: New Status in linux-lts-utopic source package in Wily: Invalid Status in linux source package in Xenial: Fix Committed Status in linux-lts-utopic source package in Xenial: Invalid Bug description: [From https://code.google.com/p/google-security- research/issues/detail?id=758 ] A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing. In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset: newpos = pos + e->next_offset; ... e = (struct ipt_entry *) (entry0 + newpos); e->counters.pcnt = pos; This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof- of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero. This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Changed in: linux-lts-utopic (Ubuntu Xenial) Status: New => Invalid -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-lts-utopic in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: In Progress Status in linux-lts-utopic package in Ubuntu: Invalid Status in linux source package in Precise: New Status in linux-lts-utopic source package in Precise: Invalid Status in linux source package in Trusty: New Status in linux-lts-utopic source package in Trusty: New Status in linux source package in Vivid: New Status in linux-lts-utopic source package in Vivid: Invalid Status in linux source package in Wily: New Status in linux-lts-utopic source package in Wily: Invalid Status in linux source package in Xenial: In Progress Status in linux-lts-utopic source package in Xenial: Invalid Bug description: [From https://code.google.com/p/google-security- research/issues/detail?id=758 ] A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing. In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset: newpos = pos + e->next_offset; ... e = (struct ipt_entry *) (entry0 + newpos); e->counters.pcnt = pos; This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof- of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero. This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Also affects: linux (Ubuntu Wily) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Vivid) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Precise) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Trusty) Importance: Undecided Status: New ** Also affects: linux-lts-utopic (Ubuntu) Importance: Undecided Status: New ** Changed in: linux-lts-utopic (Ubuntu Precise) Status: New => Invalid ** Changed in: linux-lts-utopic (Ubuntu Vivid) Status: New => Invalid ** Changed in: linux-lts-utopic (Ubuntu Wily) Status: New => Invalid -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: In Progress Status in linux-lts-utopic package in Ubuntu: New Status in linux source package in Precise: New Status in linux-lts-utopic source package in Precise: Invalid Status in linux source package in Trusty: New Status in linux-lts-utopic source package in Trusty: New Status in linux source package in Vivid: New Status in linux-lts-utopic source package in Vivid: Invalid Status in linux source package in Wily: New Status in linux-lts-utopic source package in Wily: Invalid Status in linux source package in Xenial: In Progress Status in linux-lts-utopic source package in Xenial: New Bug description: [From https://code.google.com/p/google-security- research/issues/detail?id=758 ] A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing. In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset: newpos = pos + e->next_offset; ... e = (struct ipt_entry *) (entry0 + newpos); e->counters.pcnt = pos; This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof- of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero. This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
** Also affects: linux (Ubuntu Xenial) Importance: High Status: Confirmed ** Changed in: linux (Ubuntu Xenial) Status: Confirmed => In Progress ** Changed in: linux (Ubuntu Xenial) Assignee: (unassigned) => Tim Gardner (timg-tpi) -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: In Progress Status in linux source package in Xenial: In Progress Bug description: [From https://code.google.com/p/google-security- research/issues/detail?id=758 ] A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing. In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset: newpos = pos + e->next_offset; ... e = (struct ipt_entry *) (entry0 + newpos); e->counters.pcnt = pos; This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof- of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero. This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
upstream proposed fix: http://marc.info/?l=netfilter- devel&m=145757134822741&w=2 ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1555338 Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption Status in linux package in Ubuntu: Confirmed Bug description: [From https://code.google.com/p/google-security- research/issues/detail?id=758 ] A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl is can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing. In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset: newpos = pos + e->next_offset; ... e = (struct ipt_entry *) (entry0 + newpos); e->counters.pcnt = pos; This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof- of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero. This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp