Linux Archive

Ben Hutchings 04-30-2011 04:29 AM

Bug#624605: Potential fixes for lenny from stable 2.6.27.59
 
Package: linux-2.6
Version: 2.6.26-26lenny2
Severity: normal

We might as well get some benefit from these backports:

001/173 USB: EHCI: ASPM quirk of ISOC on AMD SB800
002/173 rt2x00: add device id for windy31 usb device
003/173 hwmon: (via686a) Initialize fan_div values
004/173 USB: usb-storage: unusual_devs entry for CamSport Evo
005/173 USB: EHCI: ASPM quirk of ISOC on AMD Hudson
006/173 USB: EHCI: fix DMA deallocation bug
007/173 USB: g_printer: fix bug in module parameter definitions
008/173 USB: io_edgeport: fix the reported firmware major and minor
009/173 USB: ti_usb: fix module removal
010/173 USB: Storage: Add unusual_devs entry for VTech Kidizoom
011/173 USB: prevent buggy hubs from crashing the USB stack

Not important enough.

012/173 [SCSI] fix medium error problems with some arrays which can cause data corruption

Fixes data loss.

013/173 [SCSI] libsas: fix runaway error handler problem
014/173 [media] radio-aimslab.c: Fix gcc 4.5+ bug
015/173 ALSA : au88x0 - Limit number of channels to fix Oops via OSS emu
016/173 Input: i8042 - introduce 'notimeout' blacklist for Dell Vostro V13

Not important enough.

017/173 NFS: Fix "kernel BUG at fs/aio.c:554!"

Might fix local DoS or data loss?

018/173 rapidio: fix hang on RapidIO doorbell queue full condition
019/173 serial: unbreak billionton CF card

Not important enough.

020/173 ptrace: use safer wake up on ptrace_detach()

Fixes local DoS.

021/173 fix jiffy calculations in calibrate_delay_direct to handle overflow
022/173 USB: serial: pl2303: Hybrid reader Uniform HCR331
023/173 drivers: update to pl2303 usb-serial to support Motorola cables
024/173 powerpc: Fix some 6xx/7xxx CPU setup functions
025/173 parisc: pass through ' ' to early (iodc) console
026/173 parisc : Remove broken line wrapping handling pdc_iodc_print()
027/173 hostap_cs: fix sleeping function called from invalid context

Not important enough.

028/173 md: fix regression with re-adding devices to arrays with no metadata

Not applicable.

029/173 [rejected]
030/173 TPM: Long default timeout fix
031/173 drm/radeon: remove 0x4243 pci id

Not important enough.

032/173 x86, mm: avoid possible bogus tlb entries by clearing prev mm_cpumask after switching mm

Fixes data loss.

033/173 NFSD: memory corruption due to writing beyond the stat array

Fixes data loss.

034/173 sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac()

Already applied; CVE-2010-3705.

035/173 ocfs2_connection_find() returns pointer to bad structure

Might fix a security vulnerability.

036/173 Fix pktcdvd ioctl dev_minor range check

Already applied; CVE-2010-3437.

037/173 filter: make sure filters dont read uninitialized memory

Already applied; CVE-2010-4158.

038/173 x25: decrement netdev reference counts on unload

Not important enough.

039/173 [rejected]
040/173 [media] [v3,media] av7110: check for negative array offset

Already applied; CVE-2011-0521.

041/173 NFS: fix the return value of nfs_file_fsync()

Not applicable.

042/173 isdn: hisax: Replace the bogus access to irq stats

Not important enough.

043/173 dm raid1: fail writes if errors are not handled and log fails

Fixes data loss.

044/173 GFS2: Fix bmap allocation corner-case bug
045/173 sunrpc/cache: fix module refcnt leak in a failure path

Not important enough.

046/173 tcp: Increase TCP_MAXSEG socket option minimum.
047/173 tcp: Make TCP_MAXSEG minimum more correct.

Fixes local DoS; CVE-2010-4165.

048/173 nfsd: correctly handle return value from nfsd_map_name_to_*

Not applicable.

049/173 s390: remove task_show_regs

Already applied; CVE-2011-0710.

050/173 fs/partitions: Validate map_count in Mac partition tables

Already applied; CVE-2011-1010.

051/173 [media] radio-aimslab.c needs #include <linux/delay.h>
052/173 ARM: Ensure predictable endian state on signal handler entry

Not important enough.

053/173 platform: x86: asus_acpi: world-writable procfs files
054/173 [rejected]
055/173 platform: x86: acer-wmi: world-writable sysfs threeg file
056/173 platform: x86: tc1100-wmi: world-writable sysfs wireless and jogdial files

Probably fix local DoS.

057/173 genirq: Disable the SHIRQ_DEBUG call in request_threaded_irq for now
058/173 usb: musb: omap2430: fix kernel panic on reboot

Not important enough.

059/173 ldm: corrupted partition table can cause kernel oops

Already applied; CVE-2011-1012.

060/173 md: correctly handle probe of an 'mdp' device.

Not important enough.

061/173 x25: Do not reference freed memory.

Possibly fixes local DoS.

062/173 mfd: Fix NULL pointer due to non-initialized ucb1x00-ts absinfo
063/173 x86: Use u32 instead of long to set reset vector back to 0

Not important enough.

064/173 ext2: Fix link count corruption under heavy link+rename load

Fixes possible local DoS or data loss.

065/173 sctp: Fix oops when sending queued ASCONF chunks

Fixes remote DoS; CVE-2010-1173.

066/173 virtio: set pci bus master enable bit

Required for compatibility as guest in qemu 0.11-0.12.

067/173 dccp: fix oops on Reset after close

Already applied; CVE-2011-1093.

068/173 r8169: disable ASPM

Not important enough.

069/173 usb: iowarrior: don't trust report_size for buffer size

Already applied; CVE-2010-4656.

070/173 [S390] keyboard: integer underflow bug

Fixes local DoS or maybe privilege escalation.

071/173 mm: fix possible cause of a page_mapped BUG

Possibly fixes local DoS.

072/173 powerpc/kdump: CPUs assume the context of the oopsing CPU
073/173 powerpc/kdump: Use chip->shutdown to disable IRQs
074/173 powerpc: Use more accurate limit for first segment memory allocations
075/173 powerpc/pseries: Add hcall to read 4 ptes at a time in real mode
076/173 powerpc/kexec: Speedup kexec hash PTE tear down
077/173 powerpc/crashdump: Do not fail on NULL pointer dereferencing
078/173 powerpc/kexec: Fix orphaned offline CPUs across kexec
079/173 hwmon/f71882fg: Set platform drvdata to NULL later
080/173 libata: no special completion processing for EH commands
081/173 x86: Fix panic when handling "mem={invalid}" param
082/173 ahci: add device IDs for Ibex Peak ahci controllers
083/173 ahci: AHCI and RAID mode SATA patch for Intel Cougar Point DeviceIDs
084/173 ahci: AHCI and RAID mode SATA patch for Intel Patsburg DeviceIDs
085/173 ahci: AHCI mode SATA patch for Intel DH89xxCC DeviceIDs
086/173 ahci: AHCI mode SATA patch for Intel Patsburg SATA RAID controller

Not important enough.

087/173 RDMA/cma: Fix crash in request handlers
088/173 IB/cm: Bump reference count on cm_id before invoking callback

CVE-2011-0695.

089/173 x86, quirk: Fix SB600 revision check
090/173 USB: serial/kobil_sct, fix potential tty NULL dereference
091/173 USB: serial: ch341: add new id
092/173 PCI: add more checking to ICH region quirks
093/173 PCI: do not create quirk I/O regions below PCIBIOS_MIN_IO for ICH
094/173 SUNRPC: Ensure we always run the tk_callback before tk_action
095/173 ext3: Always set dx_node's fake_dirent explicitly.

Not important enough.

096/173 x86: Flush TLB if PGD entry is changed in i386 PAE mode

Fixes possible user-space hang.

097/173 isdn: avoid calling tty_ldisc_flush() in atomic context
098/173 [PARISC] fix per-cpu flag problem in the cpu affinity checkers
099/173 powerpc/kdump: Fix race in kdump shutdown
100/173 powerpc: rtas_flash needs to use rtas_data_buf
101/173 x86, binutils, xen: Fix another wrong size directive
102/173 aio: wake all waiters when destroying ctx
103/173 shmem: let shared anonymous be nonlinear again

Not important enough.

104/173 Prevent rt_sigqueueinfo and rt_tgsigqueueinfo from spoofing the signal code

Fixes CVE-2011-1182.

105/173 ext3: skip orphan cleanup on rocompat fs

Fixes data loss.

106/173 procfs: fix /proc/<pid>/maps heap check

Not important enough.

107/173 proc: protect mm start_code/end_code in /proc/pid/stat

Fixes local information leak that defeats ASLR.

108/173 fbcon: Bugfix soft cursor detection in Tile Blitting
109/173 ehci-hcd: Bug fix: don't set a QH's Halt bit
110/173 USB: uss720 fixup refcount position
111/173 USB: cdc-acm: fix potential null-pointer dereference on disconnect
112/173 Input: xen-kbdfront - advertise either absolute or relative coordinates
113/173 dcdbas: force SMI to happen when expected
114/173 myri10ge: fix rmmod crash
115/173 cciss: fix lost command issue
116/173 sound/oss/opl3: validate voice and channel indexes
117/173 mac80211: initialize sta->last_rx in sta_info_alloc
118/173 [SCSI] ses: show devices for enclosures with no page 7
119/173 [SCSI] ses: Avoid kernel panic when lun 0 is not mapped

Not important enough.

120/173 eCryptfs: ecryptfs_keyring_auth_tok_for_sig() bug fix

Might fix a local DoS?

121/173 Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo

Fixes regression in 104/173.

122/173 xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1

Already applied; CVE-2011-0711.

123/173 irda: validate peer name and attribute lengths

Fixes remote privilege escalation.

124/173 irda: prevent heap corruption on invalid nickname

Fixes local privilege escalation.

125/173 ASoC: Explicitly say registerless widgets have no register
126/173 ALSA: ens1371: fix Creative Ectiva support

Not important enough.

127/173 ROSE: prevent heap corruption with bad facilities

CVE-2011-1493.

128/173 UBIFS: do not read flash unnecessarily
129/173 UBIFS: fix oops on error path in read_pnode
130/173 quota: Don't write quota info in dquot_commit()

Not important enough.

131/173 mm: avoid wrapping vm_pgoff in mremap()

Fixes local DoS.

132/173 Bluetooth: sco: fix information leak to userspace

Already applied; CVE-2011-1078.

133/173 bridge: netfilter: fix information leak

Already applied; CVE-2011-1080.

134/173 Bluetooth: bnep: fix buffer overflow

Already applied; CVE-2011-1079.

135/173 Bluetooth: add support for Apple MacBook Pro 8,2

Not important enough.

136/173 Treat writes as new when holes span across page boundaries

Fixes data loss.

137/173 char/tpm: Fix unitialized usage of data buffer

Not important enough.

138/173 netfilter: ip_tables: fix infoleak to userspace

Already applied; CVE-2011-1171.

139/173 netfilter: arp_tables: fix infoleak to userspace

Already applied; CVE-2011-1170.

140/173 netfilter: ipt_CLUSTERIP: fix buffer overflow

Not a real buffer overflow; not really important.

141/173 ipv6: netfilter: ip6_tables: fix infoleak to userspace

Already applied; CVE-2011-1172.

142/173 drivers/rtc/rtc-ds1511.c: world-writable sysfs nvram file

Fixes local DoS.

143/173 econet: 4 byte infoleak to the network

Already applied; CVE-2011-1173.

144/173 sound/oss: remove offset from load_patch callbacks
145/173 sound: oss: midi_synth: check get_user() return value
146/173 repair gdbstub to match the gdbserial protocol specification
147/173 powerpc/kexec: Add ifdef CONFIG_PPC_STD_MMU_64 to PPC64 code
148/173 powerpc: Fix default_machine_crash_shutdown #ifdef botch

Not important enough.

149/173 sctp: fix to calc the INIT/INIT-ACK chunk length correctly is set

Fixes local DoS.

150/173 net: ax25: fix information leak to userland

Already applied; CVE-2010-3875.

151/173 net: packet: fix information leak to userland

Already applied; CVE-2010-3876.

152/173 ext4: fix credits computing for indirect mapped files

Fixes data loss. Maybe not important as ext4 was considered
experimental in lenny.

153/173 nfsd: fix auth_domain reference leak on nlm operations

Probably fixes remote DoS.

154/173 net: tipc: fix information leak to userland

Already applied; CVE-2010-3877.

155/173 inet_diag: Make sure we actually run the same bytecode we audited.

Already applied; CVE-2010-3880.

156/173 econet: Fix crash in aun_incoming().

Already applied; CVE-2010-4342.

157/173 irda: prevent integer underflow in IRLMP_ENUMDEVICES

Already applied; CVE-2010-4529.

158/173 CAN: Use inode instead of kernel address for /proc file

Already applied; CVE-2010-4565.

159/173 exec: make argv/envp memory visible to oom-killer
160/173 exec: copy-and-paste the fixes into compat_do_execve() paths

Already applied; CVE-2010-4243.

161/173 xfs: zero proper structure size for geometry calls

Already applied; fixes regression in 122/173.

162/173 [media] video: sn9c102: world-wirtable sysfs files

Fixes local DoS.

163/173 x86: Fix a bogus unwind annotation in lib/semaphore_32.S
164/173 [IA64] tioca: Fix assignment from incompatible pointer warnings
165/173 nommu: ramfs: pages allocated to an inode's pagecache may get wrongly discarded
166/173 MAINTAINERS: update STABLE BRANCH info
167/173 UBIFS: fix oops when R/O file-system is fsync'ed

Not important enough.

168/173 next_pidmap: fix overflow condition

Fixes local DoS or information leak?

169/173 proc: do proper range check on readdir offset

Fixes local DoS or information leak?

170/173 USB: EHCI: unlink unused QHs when the controller is stopped

Not important enough.

171/173 net: ax25: fix information leak to userland harder

Fixes local information leak.

172/173 net: Fix oops from tcp_collapse() when using splice()

Fixes local DoS.

173/173 [SCSI] mptsas: fix hangs caused by ATA pass-through

Not important enough.

Ben.



--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20110430042919.12348.92338.reportbug@localhost

Ben Hutchings 04-30-2011 04:36 AM

On Sat, 2011-04-30 at 05:29 +0100, Ben Hutchings wrote:
[...]
> 137/173 char/tpm: Fix unitialized usage of data buffer
>
> Not important enough.
[...]

Actually, this is an information leak.

Ben.

--
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.

dann frazier 05-16-2011 01:04 AM

fyi, got a lot done on this while travelling, but not yet complete -
I've just committed my current set of changes for safe keeping. Once I
finish that up I'll follow-up here w/ a more complete reply to the
patchlist.



--
Archive: http://lists.debian.org/20110516010411.GA26519@dannf.org

