[Bug 1660842] Re: apparmor not checking error if security_pin_fs() fails

[Steve Beattie]

** CVE removed: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2017-7184

** CVE removed: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-1575

** CVE removed: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-1576

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1660842

Title:
  apparmor not checking error if security_pin_fs() fails

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660842/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1660842] Re: apparmor not checking error if security_pin_fs() fails

[Stefan Bader]

** Changed in: linux (Ubuntu Yakkety)
   Status: Fix Released => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1660842

Title:
  apparmor not checking error if security_pin_fs() fails

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660842/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1660842] Re: apparmor not checking error if security_pin_fs() fails

[Launchpad Bug Tracker]

This bug was fixed in the package linux - 4.8.0-45.48

---
linux (4.8.0-45.48) yakkety; urgency=low

  * CVE-2017-7184
- xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
- xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder

 -- Stefan Bader   Fri, 24 Mar 2017 12:03:39
+0100

** Changed in: linux (Ubuntu Yakkety)
   Status: Triaged => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2017-7184

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1660842

Title:
  apparmor not checking error if security_pin_fs() fails

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660842/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1660842] Re: apparmor not checking error if security_pin_fs() fails

[Stefan Bader]

Not fixed because we had to revert the commits due to various
regressions.

** Changed in: linux (Ubuntu Xenial)
   Status: Fix Released => Triaged

** Changed in: linux (Ubuntu Yakkety)
   Status: Fix Released => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1660842

Title:
  apparmor not checking error if security_pin_fs() fails

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660842/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1660842] Re: apparmor not checking error if security_pin_fs() fails

[Launchpad Bug Tracker]

This bug was fixed in the package linux - 4.4.0-65.86

---
linux (4.4.0-65.86) xenial; urgency=low

  * linux: 4.4.0-65.86 -proposed tracker (LP: #1667052)

  [ Stefan Bader ]
  * Upgrade Redpine RS9113 driver to support AP mode (LP: #1665211)
- SAUCE: Redpine driver to support Host AP mode

  * NFS client : permission denied when trying to access subshare, since kernel
4.4.0-31 (LP: #1649292)
- fs: Better permission checking for submounts

  * [Hyper-V] SAUCE: pci-hyperv fixes for SR-IOV on Azure (LP: #1665097)
- SAUCE: PCI: hv: Fix wslot_to_devfn() to fix warnings on device removal
- SAUCE: pci-hyperv: properly handle pci bus remove
- SAUCE: pci-hyperv: lock pci bus on device eject

  * [Hyper-V/Azure] Please include Mellanox OFED drivers in Azure kernel and
image (LP: #1650058)
- net/mlx4_en: Fix bad WQE issue
- net/mlx4_core: Fix racy CQ (Completion Queue) free
- net/mlx4_core: Fix when to save some qp context flags for dynamic VST to 
VGT
  transitions
- net/mlx4_core: Avoid command timeouts during VF driver device shutdown

  * Xenial update to v4.4.49 stable release (LP: #1664960)
- ARC: [arcompact] brown paper bag bug in unaligned access delay slot fixup
- selinux: fix off-by-one in setprocattr
- Revert "x86/ioapic: Restore IO-APIC irq_chip retrigger callback"
- cpumask: use nr_cpumask_bits for parsing functions
- hns: avoid stack overflow with CONFIG_KASAN
- ARM: 8643/3: arm/ptrace: Preserve previous registers for short regset 
write
- target: Don't BUG_ON during NodeACL dynamic -> explicit conversion
- target: Use correct SCSI status during EXTENDED_COPY exception
- target: Fix early transport_generic_handle_tmr abort scenario
- target: Fix COMPARE_AND_WRITE ref leak for non GOOD status
- ARM: 8642/1: LPAE: catch pending imprecise abort on unmask
- mac80211: Fix adding of mesh vendor IEs
- netvsc: Set maximum GSO size in the right place
- scsi: zfcp: fix use-after-free by not tracing WKA port open/close on 
failed
  send
- scsi: aacraid: Fix INTx/MSI-x issue with older controllers
- scsi: mpt3sas: disable ASPM for MPI2 controllers
- xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend()
- ALSA: seq: Fix race at creating a queue
- ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()
- drm/i915: fix use-after-free in page_flip_completed()
- Linux 4.4.49

  * NFS client : kernel 4.4.0-57 crash with nfsv4 enries in /etc/fstab
(LP: #1650336)
- SUNRPC: fix refcounting problems with auth_gss messages.

  * [0bda:0328] Card reader failed after S3 (LP: #1664809)
- usb: hub: Wait for connection to be reestablished after port reset

  * linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial
4.4.0-63.84~14.04.2 (LP: #1664912)
- SAUCE: apparmor: fix link auditing failure due to, uninitialized var

  * ibmvscsis: Add SGL LIMIT (LP: #1662551)
- ibmvscsis: Add SGL limit

  * [Hyper-V] Bug fixes for storvsc (tagged queuing, error conditions)
(LP: #1663687)
- scsi: storvsc: Enable tracking of queue depth
- scsi: storvsc: Remove the restriction on max segment size
- scsi: storvsc: Enable multi-queue support
- scsi: storvsc: use tagged SRB requests if supported by the device
- scsi: storvsc: properly handle SRB_ERROR when sense message is present
- scsi: storvsc: properly set residual data length on errors

  * ISST-LTE:pNV: ppc64_cpu command is hung w HDs, SSDs and NVMe (LP: #1662666)
- blk-mq: Avoid memory reclaim when remapping queues
- blk-mq: Fix failed allocation path when mapping queues

  * Possible missing firmware /lib/firmware/i915/kbl_dmc_ver1.bin for module
i915_bpo (LP: #1624164)
- SAUCE: i915_bpo: Remove MODULE_FIRMWARE statement for 
i915/kbl_dmc_ver1.bin

  *  Intel I210 ethernet does not work both after S3 (LP: #1662763)
- igb: implement igb_ptp_suspend
- igb: call igb_ptp_suspend during suspend/resume cycle

  * [Hyper-V] Fix ring buffer handling to avoid host throttling (LP: #1661430)
- Drivers: hv: vmbus: On write cleanup the logic to interrupt the host
- Drivers: hv: vmbus: On the read path cleanup the logic to interrupt the 
host
- Drivers: hv: vmbus: finally fix hv_need_to_signal_on_read()

  * brd module compiled as built-in (LP: #1593293)
- [Config] CONFIG_BLK_DEV_RAM=m

  * regession tests failing after stackprofile test is run (LP: #1661030)
- SAUCE: fix regression with domain change in complain mode

  * Permission denied and inconsistent behavior in complain mode with 'ip netns
list' command (LP: #1648903)
- SAUCE: fix regression with domain change in complain mode

  * flock not mediated by 'k' (LP: #1658219)
- SAUCE: apparmor: flock mediation is not being enforced on cache check

  * unexpected errno=13 and disconnected path when trying to open /proc/1/ns/mnt
from a unshared mount 

[Bug 1660842] Re: apparmor not checking error if security_pin_fs() fails

[Launchpad Bug Tracker]

This bug was fixed in the package linux - 4.8.0-40.43

---
linux (4.8.0-40.43) yakkety; urgency=low

  * linux: 4.8.0-40.43 -proposed tracker (LP: #1667066)

  [ Andy Whitcroft ]
  * NFS client : permission denied when trying to access subshare, since kernel
4.4.0-31 (LP: #1649292)
- fs: Better permission checking for submounts

  * shaking screen  (LP: #1651981)
- drm/radeon: drop verde dpm quirks

  * [0bda:0328] Card reader failed after S3 (LP: #1664809)
- usb: hub: Wait for connection to be reestablished after port reset

  * linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial
4.4.0-63.84~14.04.2 (LP: #1664912)
- SAUCE: apparmor: fix link auditing failure due to, uninitialized var

  * In Ubuntu 17.04 : after reboot getting message in console like Unable to
open file: /etc/keys/x509_ima.der (-2) (LP: #1656908)
- SAUCE: ima: Downgrade error to warning

  * 16.04.2: Extra patches for POWER9 (LP: #1664564)
- powerpc/mm: Fix no execute fault handling on pre-POWER5
- powerpc/mm: Fix spurrious segfaults on radix with autonuma

  * ibmvscsis: Add SGL LIMIT (LP: #1662551)
- ibmvscsis: Add SGL limit

  * [Hyper-V] Bug fixes for storvsc (tagged queuing, error conditions)
(LP: #1663687)
- scsi: storvsc: Enable tracking of queue depth
- scsi: storvsc: Remove the restriction on max segment size
- scsi: storvsc: Enable multi-queue support
- scsi: storvsc: use tagged SRB requests if supported by the device
- scsi: storvsc: properly handle SRB_ERROR when sense message is present
- scsi: storvsc: properly set residual data length on errors

  * Ubuntu16.10-KVM:Big configuration with multiple guests running SRIOV VFs
caused KVM host hung and all KVM guests down. (LP: #1651248)
- KVM: PPC: Book 3S: XICS cleanup: remove XICS_RM_REJECT
- KVM: PPC: Book 3S: XICS: correct the real mode ICP rejecting counter
- KVM: PPC: Book 3S: XICS: Fix potential issue with duplicate IRQ resends
- KVM: PPC: Book 3S: XICS: Implement ICS P/Q states
- KVM: PPC: Book 3S: XICS: Don't lock twice when checking for resend

  * ISST-LTE:pNV: ppc64_cpu command is hung w HDs, SSDs and NVMe (LP: #1662666)
- blk-mq: Avoid memory reclaim when remapping queues
- blk-mq: Fix failed allocation path when mapping queues
- blk-mq: Always schedule hctx->next_cpu

  * systemd-udevd hung in blk_mq_freeze_queue_wait testing unpartitioned NVMe
drive (LP: #1662673)
- percpu-refcount: fix reference leak during percpu-atomic transition

  * [Yakkety SRU] Enable KEXEC support in ARM64 kernel (LP: #1662554)
- [Config] Enable KEXEC support in ARM64.

  * [Hyper-V] Fix ring buffer handling to avoid host throttling (LP: #1661430)
- Drivers: hv: vmbus: On write cleanup the logic to interrupt the host
- Drivers: hv: vmbus: On the read path cleanup the logic to interrupt the 
host
- Drivers: hv: vmbus: finally fix hv_need_to_signal_on_read()

  * brd module compiled as built-in (LP: #1593293)
- CONFIG_BLK_DEV_RAM=m

  * regession tests failing after stackprofile test is run (LP: #1661030)
- SAUCE: fix regression with domain change in complain mode

  * Permission denied and inconsistent behavior in complain mode with 'ip netns
list' command (LP: #1648903)
- SAUCE: fix regression with domain change in complain mode

  * flock not mediated by 'k' (LP: #1658219)
- SAUCE: apparmor: flock mediation is not being enforced on cache check

  * unexpected errno=13 and disconnected path when trying to open /proc/1/ns/mnt
from a unshared mount namespace (LP: #1656121)
- SAUCE: apparmor: null profiles should inherit parent control flags

  * apparmor refcount leak of profile namespace when removing profiles
(LP: #1660849)
- SAUCE: apparmor: fix ns ref count link when removing profiles from policy

  * tor in lxd: apparmor="DENIED" operation="change_onexec"
namespace="root//CONTAINERNAME_" profile="unconfined"
name="system_tor" (LP: #1648143)
- SAUCE: apparmor: Fix no_new_privs blocking change_onexec when using 
stacked
  namespaces

  * apparmor_parser hangs indefinitely when called by multiple threads
(LP: #1645037)
- SAUCE: apparmor: fix lock ordering for mkdir

  * apparmor leaking securityfs pin count (LP: #1660846)
- SAUCE: apparmor: fix leak on securityfs pin count

  * apparmor reference count leak when securityfs_setup_d_inode\ () fails
(LP: #1660845)
- SAUCE: apparmor: fix reference count leak when securityfs_setup_d_inode()
  fails

  * apparmor not checking error if security_pin_fs() fails (LP: #1660842)
- SAUCE: apparmor: fix not handling error case when securityfs_pin_fs() 
fails

  * apparmor oops in bind_mnt when dev_path lookup fails (LP: #1660840)
- SAUCE: apparmor: fix oops in bind_mnt when dev_path lookup fails

  * apparmor  auditing denied access of special apparmor .null fi\ le
(LP: #1660836)
- SAUCE: apparmor: 

[Bug 1660842] Re: apparmor not checking error if security_pin_fs() fails

[Brad Figg]

This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag 'verification-needed-
yakkety' to 'verification-done-yakkety'. If the problem still exists,
change the tag 'verification-needed-yakkety' to 'verification-failed-
yakkety'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1660842

Title:
  apparmor not checking error if security_pin_fs() fails

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660842/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1660842] Re: apparmor not checking error if security_pin_fs() fails

[Brad Figg]

This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag 'verification-needed-
xenial' to 'verification-done-xenial'. If the problem still exists,
change the tag 'verification-needed-xenial' to 'verification-failed-
xenial'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-xenial

** Tags added: verification-needed-yakkety

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1660842

Title:
  apparmor not checking error if security_pin_fs() fails

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660842/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1660842] Re: apparmor not checking error if security_pin_fs() fails

[Launchpad Bug Tracker]

This bug was fixed in the package linux - 4.10.0-8.10

---
linux (4.10.0-8.10) zesty; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
- LP: #1664217

  * [Hyper-V] Bug fixes for storvsc (tagged queuing, error conditions)
(LP: #1663687)
- scsi: storvsc: Enable tracking of queue depth
- scsi: storvsc: Remove the restriction on max segment size
- scsi: storvsc: Enable multi-queue support
- scsi: storvsc: use tagged SRB requests if supported by the device
- scsi: storvsc: properly handle SRB_ERROR when sense message is present
- scsi: storvsc: properly set residual data length on errors

  * Ubuntu16.10-KVM:Big configuration with multiple guests running SRIOV VFs
caused KVM host hung and all KVM guests down. (LP: #1651248)
- KVM: PPC: Book 3S: XICS cleanup: remove XICS_RM_REJECT
- KVM: PPC: Book 3S: XICS: correct the real mode ICP rejecting counter
- KVM: PPC: Book 3S: XICS: Fix potential issue with duplicate IRQ resends
- KVM: PPC: Book 3S: XICS: Implement ICS P/Q states
- KVM: PPC: Book 3S: XICS: Don't lock twice when checking for resend

  * overlay: mkdir fails if directory exists in lowerdir in a user namespace
(LP: #1531747)
- SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs

  * CVE-2016-1575 (LP: #1534961)
- SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs

  * CVE-2016-1576 (LP: #1535150)
- SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs

  * Miscellaneous Ubuntu changes
- SAUCE: md/raid6 algorithms: scale test duration for speedier boots
- SAUCE: Import aufs driver
- d-i: Build message-modules udeb for arm64
- rebase to v4.10-rc8

  * Miscellaneous upstream changes
- Revert "UBUNTU: SAUCE: aufs -- remove .readlink assignment"
- Revert "UBUNTU: SAUCE: (no-up) aufs: for v4.9-rc1, support 
setattr_prepare()"
- Revert "UBUNTU: SAUCE: aufs -- Add flags argument to aufs_rename()"
- Revert "UBUNTU: SAUCE: aufs -- Convert to use xattr handlers"
- Revert "UBUNTU: SAUCE: Import aufs driver"

  [ Upstream Kernel Changes ]

  * rebase to v4.10-rc8

 -- Tim Gardner   Mon, 06 Feb 2017 08:34:24
-0700

** Changed in: linux (Ubuntu Zesty)
   Status: In Progress => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-1575

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-1576

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1660842

Title:
  apparmor not checking error if security_pin_fs() fails

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660842/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1660842] Re: apparmor not checking error if security_pin_fs() fails

[Thadeu Lima de Souza Cascardo]

** Changed in: linux (Ubuntu Xenial)
   Status: In Progress => Fix Committed

** Changed in: linux (Ubuntu Yakkety)
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1660842

Title:
  apparmor not checking error if security_pin_fs() fails

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660842/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1660842] Re: apparmor not checking error if security_pin_fs() fails

[John Johansen]

** Changed in: linux (Ubuntu Xenial)
   Status: Incomplete => In Progress

** Changed in: linux (Ubuntu Yakkety)
   Status: Incomplete => In Progress

** Changed in: linux (Ubuntu Zesty)
   Status: Incomplete => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1660842

Title:
  apparmor not checking error if security_pin_fs() fails

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660842/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs