[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2020-07-14 Thread Steve Beattie
** Changed in: linux-flo (Ubuntu Xenial)
   Status: New => Won't Fix

** Changed in: linux-mako (Ubuntu Xenial)
   Status: New => Won't Fix

** Changed in: linux-flo (Ubuntu)
   Status: New => Won't Fix

** Changed in: linux-goldfish (Ubuntu)
   Status: New => Won't Fix

** Changed in: linux-mako (Ubuntu)
   Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-goldfish in Ubuntu.
https://bugs.launchpad.net/bugs/1555338

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Released
Status in linux-armadaxp package in Ubuntu:
  Invalid
Status in linux-flo package in Ubuntu:
  Won't Fix
Status in linux-goldfish package in Ubuntu:
  Won't Fix
Status in linux-keystone package in Ubuntu:
  Invalid
Status in linux-lts-quantal package in Ubuntu:
  Invalid
Status in linux-lts-raring package in Ubuntu:
  Invalid
Status in linux-lts-saucy package in Ubuntu:
  Invalid
Status in linux-lts-trusty package in Ubuntu:
  Invalid
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux-lts-vivid package in Ubuntu:
  Invalid
Status in linux-lts-wily package in Ubuntu:
  Invalid
Status in linux-lts-xenial package in Ubuntu:
  Invalid
Status in linux-mako package in Ubuntu:
  Won't Fix
Status in linux-manta package in Ubuntu:
  Invalid
Status in linux-raspi2 package in Ubuntu:
  Fix Released
Status in linux-snapdragon package in Ubuntu:
  Fix Released
Status in linux-ti-omap4 package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Released
Status in linux-armadaxp source package in Precise:
  Fix Released
Status in linux-flo source package in Precise:
  Invalid
Status in linux-goldfish source package in Precise:
  Invalid
Status in linux-keystone source package in Precise:
  Invalid
Status in linux-lts-quantal source package in Precise:
  Invalid
Status in linux-lts-raring source package in Precise:
  Invalid
Status in linux-lts-saucy source package in Precise:
  Invalid
Status in linux-lts-trusty source package in Precise:
  Fix Released
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux-lts-vivid source package in Precise:
  Invalid
Status in linux-lts-wily source package in Precise:
  Invalid
Status in linux-lts-xenial source package in Precise:
  Invalid
Status in linux-mako source package in Precise:
  Invalid
Status in linux-manta source package in Precise:
  Invalid
Status in linux-raspi2 source package in Precise:
  Invalid
Status in linux-snapdragon source package in Precise:
  Invalid
Status in linux-ti-omap4 source package in Precise:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux-armadaxp source package in Trusty:
  Invalid
Status in linux-flo source package in Trusty:
  Invalid
Status in linux-goldfish source package in Trusty:
  Invalid
Status in linux-keystone source package in Trusty:
  Fix Released
Status in linux-lts-quantal source package in Trusty:
  Invalid
Status in linux-lts-raring source package in Trusty:
  Invalid
Status in linux-lts-saucy source package in Trusty:
  Invalid
Status in linux-lts-trusty source package in Trusty:
  Invalid
Status in linux-lts-utopic source package in Trusty:
  Fix Released
Status in linux-lts-vivid source package in Trusty:
  Fix Released
Status in linux-lts-wily source package in Trusty:
  Fix Released
Status in linux-lts-xenial source package in Trusty:
  Fix Released
Status in linux-mako source package in Trusty:
  Invalid
Status in linux-manta source package in Trusty:
  Invalid
Status in linux-raspi2 source package in Trusty:
  Invalid
Status in linux-snapdragon source package in Trusty:
  Invalid
Status in linux-ti-omap4 source package in Trusty:
  Invalid
Status in linux source package in Vivid:
  Fix Released
Status in linux-armadaxp source package in Vivid:
  Invalid
Status in linux-flo source package in Vivid:
  Won't Fix
Status in linux-goldfish source package in Vivid:
  New
Status in linux-keystone source package in Vivid:
  Invalid
Status in linux-lts-quantal source package in Vivid:
  Won't Fix
Status in linux-lts-raring source package in Vivid:
  New
Status in linux-lts-saucy source package in Vivid:
  Won't Fix
Status in linux-lts-trusty source package in Vivid:
  Won't Fix
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux-lts-vivid source package in Vivid:
  Won't Fix
Status in linux-lts-wily source package in Vivid:
  New
Status in linux-lts-xenial source package in Vivid:
  New
Status in linux-mako source package in Vivid:
  Won't Fix
Status in linux-manta source package in Vivid:
  New
Status in linux-raspi2 source package in Vivid:
  Won't Fix
Status in linux-snapdragon source package in Vivid:
  New
Status in linux-ti-omap4 source package in Vivid:
  Invalid
Status in linux source package in Wily:
  Fix Released
Status in linux-armadaxp source package in Wily:
  

[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2020-07-14 Thread Steve Beattie
** Changed in: linux-goldfish (Ubuntu Xenial)
   Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-goldfish in Ubuntu.
https://bugs.launchpad.net/bugs/1555338

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Released
Status in linux-armadaxp package in Ubuntu:
  Invalid
Status in linux-flo package in Ubuntu:
  New
Status in linux-goldfish package in Ubuntu:
  New
Status in linux-keystone package in Ubuntu:
  Invalid
Status in linux-lts-quantal package in Ubuntu:
  Invalid
Status in linux-lts-raring package in Ubuntu:
  Invalid
Status in linux-lts-saucy package in Ubuntu:
  Invalid
Status in linux-lts-trusty package in Ubuntu:
  Invalid
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux-lts-vivid package in Ubuntu:
  Invalid
Status in linux-lts-wily package in Ubuntu:
  Invalid
Status in linux-lts-xenial package in Ubuntu:
  Invalid
Status in linux-mako package in Ubuntu:
  New
Status in linux-manta package in Ubuntu:
  Invalid
Status in linux-raspi2 package in Ubuntu:
  Fix Released
Status in linux-snapdragon package in Ubuntu:
  Fix Released
Status in linux-ti-omap4 package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Released
Status in linux-armadaxp source package in Precise:
  Fix Released
Status in linux-flo source package in Precise:
  Invalid
Status in linux-goldfish source package in Precise:
  Invalid
Status in linux-keystone source package in Precise:
  Invalid
Status in linux-lts-quantal source package in Precise:
  Invalid
Status in linux-lts-raring source package in Precise:
  Invalid
Status in linux-lts-saucy source package in Precise:
  Invalid
Status in linux-lts-trusty source package in Precise:
  Fix Released
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux-lts-vivid source package in Precise:
  Invalid
Status in linux-lts-wily source package in Precise:
  Invalid
Status in linux-lts-xenial source package in Precise:
  Invalid
Status in linux-mako source package in Precise:
  Invalid
Status in linux-manta source package in Precise:
  Invalid
Status in linux-raspi2 source package in Precise:
  Invalid
Status in linux-snapdragon source package in Precise:
  Invalid
Status in linux-ti-omap4 source package in Precise:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux-armadaxp source package in Trusty:
  Invalid
Status in linux-flo source package in Trusty:
  Invalid
Status in linux-goldfish source package in Trusty:
  Invalid
Status in linux-keystone source package in Trusty:
  Fix Released
Status in linux-lts-quantal source package in Trusty:
  Invalid
Status in linux-lts-raring source package in Trusty:
  Invalid
Status in linux-lts-saucy source package in Trusty:
  Invalid
Status in linux-lts-trusty source package in Trusty:
  Invalid
Status in linux-lts-utopic source package in Trusty:
  Fix Released
Status in linux-lts-vivid source package in Trusty:
  Fix Released
Status in linux-lts-wily source package in Trusty:
  Fix Released
Status in linux-lts-xenial source package in Trusty:
  Fix Released
Status in linux-mako source package in Trusty:
  Invalid
Status in linux-manta source package in Trusty:
  Invalid
Status in linux-raspi2 source package in Trusty:
  Invalid
Status in linux-snapdragon source package in Trusty:
  Invalid
Status in linux-ti-omap4 source package in Trusty:
  Invalid
Status in linux source package in Vivid:
  Fix Released
Status in linux-armadaxp source package in Vivid:
  Invalid
Status in linux-flo source package in Vivid:
  Won't Fix
Status in linux-goldfish source package in Vivid:
  New
Status in linux-keystone source package in Vivid:
  Invalid
Status in linux-lts-quantal source package in Vivid:
  Won't Fix
Status in linux-lts-raring source package in Vivid:
  New
Status in linux-lts-saucy source package in Vivid:
  Won't Fix
Status in linux-lts-trusty source package in Vivid:
  Won't Fix
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux-lts-vivid source package in Vivid:
  Won't Fix
Status in linux-lts-wily source package in Vivid:
  New
Status in linux-lts-xenial source package in Vivid:
  New
Status in linux-mako source package in Vivid:
  Won't Fix
Status in linux-manta source package in Vivid:
  New
Status in linux-raspi2 source package in Vivid:
  Won't Fix
Status in linux-snapdragon source package in Vivid:
  New
Status in linux-ti-omap4 source package in Vivid:
  Invalid
Status in linux source package in Wily:
  Fix Released
Status in linux-armadaxp source package in Wily:
  Invalid
Status in linux-flo source package in Wily:
  New
Status in linux-goldfish source package in Wily:
  New
Status in linux-keystone source package in Wily:
  Invalid
Status in linux-lts-quantal source package in Wily:
  Invalid
Status in linux-lts-raring source package in Wily:
  Invalid

[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-08-12 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/trusty-security/linux-lts-wily

** Branch linked: lp:ubuntu/trusty-updates/linux-lts-wily

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1555338

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Released
Status in linux-armadaxp package in Ubuntu:
  Invalid
Status in linux-flo package in Ubuntu:
  New
Status in linux-goldfish package in Ubuntu:
  New
Status in linux-keystone package in Ubuntu:
  Invalid
Status in linux-lts-quantal package in Ubuntu:
  Invalid
Status in linux-lts-raring package in Ubuntu:
  Invalid
Status in linux-lts-saucy package in Ubuntu:
  Invalid
Status in linux-lts-trusty package in Ubuntu:
  Invalid
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux-lts-vivid package in Ubuntu:
  Invalid
Status in linux-lts-wily package in Ubuntu:
  Invalid
Status in linux-lts-xenial package in Ubuntu:
  Invalid
Status in linux-mako package in Ubuntu:
  New
Status in linux-manta package in Ubuntu:
  Invalid
Status in linux-raspi2 package in Ubuntu:
  Fix Released
Status in linux-snapdragon package in Ubuntu:
  Fix Released
Status in linux-ti-omap4 package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Released
Status in linux-armadaxp source package in Precise:
  Fix Released
Status in linux-flo source package in Precise:
  Invalid
Status in linux-goldfish source package in Precise:
  Invalid
Status in linux-keystone source package in Precise:
  Invalid
Status in linux-lts-quantal source package in Precise:
  Invalid
Status in linux-lts-raring source package in Precise:
  Invalid
Status in linux-lts-saucy source package in Precise:
  Invalid
Status in linux-lts-trusty source package in Precise:
  Fix Released
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux-lts-vivid source package in Precise:
  Invalid
Status in linux-lts-wily source package in Precise:
  Invalid
Status in linux-lts-xenial source package in Precise:
  Invalid
Status in linux-mako source package in Precise:
  Invalid
Status in linux-manta source package in Precise:
  Invalid
Status in linux-raspi2 source package in Precise:
  Invalid
Status in linux-snapdragon source package in Precise:
  Invalid
Status in linux-ti-omap4 source package in Precise:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux-armadaxp source package in Trusty:
  Invalid
Status in linux-flo source package in Trusty:
  Invalid
Status in linux-goldfish source package in Trusty:
  Invalid
Status in linux-keystone source package in Trusty:
  Fix Released
Status in linux-lts-quantal source package in Trusty:
  Invalid
Status in linux-lts-raring source package in Trusty:
  Invalid
Status in linux-lts-saucy source package in Trusty:
  Invalid
Status in linux-lts-trusty source package in Trusty:
  Invalid
Status in linux-lts-utopic source package in Trusty:
  Fix Released
Status in linux-lts-vivid source package in Trusty:
  Fix Released
Status in linux-lts-wily source package in Trusty:
  Fix Released
Status in linux-lts-xenial source package in Trusty:
  Fix Released
Status in linux-mako source package in Trusty:
  Invalid
Status in linux-manta source package in Trusty:
  Invalid
Status in linux-raspi2 source package in Trusty:
  Invalid
Status in linux-snapdragon source package in Trusty:
  Invalid
Status in linux-ti-omap4 source package in Trusty:
  Invalid
Status in linux source package in Vivid:
  Fix Released
Status in linux-armadaxp source package in Vivid:
  Invalid
Status in linux-flo source package in Vivid:
  New
Status in linux-goldfish source package in Vivid:
  New
Status in linux-keystone source package in Vivid:
  Invalid
Status in linux-lts-quantal source package in Vivid:
  New
Status in linux-lts-raring source package in Vivid:
  New
Status in linux-lts-saucy source package in Vivid:
  New
Status in linux-lts-trusty source package in Vivid:
  New
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux-lts-vivid source package in Vivid:
  New
Status in linux-lts-wily source package in Vivid:
  New
Status in linux-lts-xenial source package in Vivid:
  New
Status in linux-mako source package in Vivid:
  New
Status in linux-manta source package in Vivid:
  New
Status in linux-raspi2 source package in Vivid:
  New
Status in linux-snapdragon source package in Vivid:
  New
Status in linux-ti-omap4 source package in Vivid:
  Invalid
Status in linux source package in Wily:
  Fix Released
Status in linux-armadaxp source package in Wily:
  Invalid
Status in linux-flo source package in Wily:
  New
Status in linux-goldfish source package in Wily:
  New
Status in linux-keystone source package in Wily:
  Invalid
Status in linux-lts-quantal source package in Wily:
  Invalid
Status in linux-lts-raring source package in Wily:
  Invalid

[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-08-04 Thread Seth Forshee
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

** Tags removed: verification-needed-precise verification-needed-trusty 
verification-needed-vivid verification-needed-wily
** Tags added: verification-done-precise verification-done-trusty 
verification-done-vivid verification-done-wily


[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-07-28 Thread Seth Forshee
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-precise' to 'verification-done-precise'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-precise


[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-06-27 Thread Launchpad Bug Tracker
This bug was fixed in the package linux-raspi2 - 4.4.0-1016.22

---
linux-raspi2 (4.4.0-1016.22) xenial; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1595881

  * Rebase against Ubuntu-4.4.0-28.47

  [ Ubuntu: 4.4.0-28.47 ]

  * Release Tracking Bug
    - LP: #1595874
  * Linux netfilter local privilege escalation issues (LP: #1595350)
    - netfilter: x_tables: don't move to non-existent next rule
    - netfilter: x_tables: validate targets of jumps
    - netfilter: x_tables: add and use xt_check_entry_offsets
    - netfilter: x_tables: kill check_entry helper
    - netfilter: x_tables: assert minimum target size
    - netfilter: x_tables: add compat version of xt_check_entry_offsets
    - netfilter: x_tables: check standard target size too
    - netfilter: x_tables: check for bogus target offset
    - netfilter: x_tables: validate all offsets and sizes in a rule
    - netfilter: x_tables: don't reject valid target size on some architectures
    - netfilter: arp_tables: simplify translate_compat_table args
    - netfilter: ip_tables: simplify translate_compat_table args
    - netfilter: ip6_tables: simplify translate_compat_table args
    - netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
    - netfilter: x_tables: do compat validation via translate_table
    - netfilter: x_tables: introduce and use xt_copy_counters_from_user
  * Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338)
    - netfilter: x_tables: validate e->target_offset early
    - netfilter: x_tables: make sure e->next_offset covers remaining blob size
    - netfilter: x_tables: fix unconditional helper

linux-raspi2 (4.4.0-1015.19) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1594928

  [ Ubuntu: 4.4.0-27.46 ]

  * Support Edge Gateway's Bluetooth LED (LP: #1512999)
    - Revert "UBUNTU: SAUCE: Bluetooth: Support for LED on Marvell modules"

linux-raspi2 (4.4.0-1014.18) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1594478

  [ Ubuntu: 4.4.0-26.45 ]

  * linux: Implement secure boot state variables (LP: #1593075)
    - SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
  * failures building userspace packages that include ethtool.h (LP: #1592930)
    - ethtool.h: define INT_MAX for userland

linux-raspi2 (4.4.0-1013.17) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1591461

  [ Ubuntu: 4.4.0-25.44 ]

  * Xenial update to v4.4.13 stable release (LP: #1590455)
    - MIPS64: R6: R2 emulation bugfix
    - MIPS: math-emu: Fix jalr emulation when rd == $0
    - MIPS: MSA: Fix a link error on `_init_msa_upper' with older GCC
    - MIPS: Don't unwind to user mode with EVA
    - MIPS: Avoid using unwind_stack() with usermode
    - MIPS: Fix siginfo.h to use strict posix types
    - MIPS: Fix uapi include in exported asm/siginfo.h
    - MIPS: Fix watchpoint restoration
    - MIPS: Flush highmem pages in __flush_dcache_page
    - MIPS: Handle highmem pages in __update_cache
    - MIPS: Sync icache & dcache in set_pte_at
    - MIPS: ath79: make bootconsole wait for both THRE and TEMT
    - MIPS: Reserve nosave data for hibernation
    - MIPS: Loongson-3: Reserve 32MB for RS780E integrated GPU
    - MIPS: Use copy_s.fmt rather than copy_u.fmt
    - MIPS: Fix MSA ld_*/st_* asm macros to use PTR_ADDU
    - MIPS: Prevent "restoration" of MSA context in non-MSA kernels
    - MIPS: Disable preemption during prctl(PR_SET_FP_MODE, ...)
    - MIPS: ptrace: Fix FP context restoration FCSR regression
    - MIPS: ptrace: Prevent writes to read-only FCSR bits
    - MIPS: Fix sigreturn via VDSO on microMIPS kernel
    - MIPS: Build microMIPS VDSO for microMIPS kernels
    - MIPS: lib: Mark intrinsics notrace
    - MIPS: VDSO: Build with `-fno-strict-aliasing'
    - affs: fix remount failure when there are no options changed
    - ASoC: ak4642: Enable cache usage to fix crashes on resume
    - Input: uinput - handle compat ioctl for UI_SET_PHYS
    - ARM: mvebu: fix GPIO config on the Linksys boards
    - ARM: dts: at91: fix typo in sama5d2 PIN_PD24 description
    - ARM: dts: exynos: Add interrupt line to MAX8997 PMIC on exynos4210-trats
    - ARM: dts: imx35: restore existing used clock enumeration
    - ath9k: Add a module parameter to invert LED polarity.
    - ath9k: Fix LED polarity for some Mini PCI AR9220 MB92 cards.
    - ath10k: fix debugfs pktlog_filter write
    - ath10k: fix firmware assert in monitor mode
    - ath10k: fix rx_channel during hw reconfigure
    - ath10k: fix kernel panic, move arvifs list head init before htt init
    - ath5k: Change led pin configuration for compaq c700 laptop
    - hwrng: exynos - Fix unbalanced PM runtime put on timeout error path
    - rtlwifi: rtl8723be: Add antenna select module parameter
    - rtlwifi: btcoexist: Implement antenna selection
    - rtlwifi: Fix logic error in enter/exit power-save mode
    - rtlwifi: pci: use 

[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-06-27 Thread Launchpad Bug Tracker
This bug was fixed in the package linux-raspi2 - 4.4.0-1016.22

---
linux-raspi2 (4.4.0-1016.22) xenial; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1595881

  * Rebase against Ubuntu-4.4.0-28.47

  [ Ubuntu: 4.4.0-28.47 ]

  * Release Tracking Bug
    - LP: #1595874
  * Linux netfilter local privilege escalation issues (LP: #1595350)
    - netfilter: x_tables: don't move to non-existent next rule
    - netfilter: x_tables: validate targets of jumps
    - netfilter: x_tables: add and use xt_check_entry_offsets
    - netfilter: x_tables: kill check_entry helper
    - netfilter: x_tables: assert minimum target size
    - netfilter: x_tables: add compat version of xt_check_entry_offsets
    - netfilter: x_tables: check standard target size too
    - netfilter: x_tables: check for bogus target offset
    - netfilter: x_tables: validate all offsets and sizes in a rule
    - netfilter: x_tables: don't reject valid target size on some architectures
    - netfilter: arp_tables: simplify translate_compat_table args
    - netfilter: ip_tables: simplify translate_compat_table args
    - netfilter: ip6_tables: simplify translate_compat_table args
    - netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
    - netfilter: x_tables: do compat validation via translate_table
    - netfilter: x_tables: introduce and use xt_copy_counters_from_user
  * Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338)
    - netfilter: x_tables: validate e->target_offset early
    - netfilter: x_tables: make sure e->next_offset covers remaining blob size
    - netfilter: x_tables: fix unconditional helper

linux-raspi2 (4.4.0-1015.19) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1594928

  [ Ubuntu: 4.4.0-27.46 ]

  * Support Edge Gateway's Bluetooth LED (LP: #1512999)
    - Revert "UBUNTU: SAUCE: Bluetooth: Support for LED on Marvell modules"

linux-raspi2 (4.4.0-1014.18) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1594478

  [ Ubuntu: 4.4.0-26.45 ]

  * linux: Implement secure boot state variables (LP: #1593075)
    - SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
  * failures building userspace packages that include ethtool.h (LP: #1592930)
    - ethtool.h: define INT_MAX for userland

linux-raspi2 (4.4.0-1013.17) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1591461

  [ Ubuntu: 4.4.0-25.44 ]

  * Xenial update to v4.4.13 stable release (LP: #1590455)
    - MIPS64: R6: R2 emulation bugfix
    - MIPS: math-emu: Fix jalr emulation when rd == $0
    - MIPS: MSA: Fix a link error on `_init_msa_upper' with older GCC
    - MIPS: Don't unwind to user mode with EVA
    - MIPS: Avoid using unwind_stack() with usermode
    - MIPS: Fix siginfo.h to use strict posix types
    - MIPS: Fix uapi include in exported asm/siginfo.h
    - MIPS: Fix watchpoint restoration
    - MIPS: Flush highmem pages in __flush_dcache_page
    - MIPS: Handle highmem pages in __update_cache
    - MIPS: Sync icache & dcache in set_pte_at
    - MIPS: ath79: make bootconsole wait for both THRE and TEMT
    - MIPS: Reserve nosave data for hibernation
    - MIPS: Loongson-3: Reserve 32MB for RS780E integrated GPU
    - MIPS: Use copy_s.fmt rather than copy_u.fmt
    - MIPS: Fix MSA ld_*/st_* asm macros to use PTR_ADDU
    - MIPS: Prevent "restoration" of MSA context in non-MSA kernels
    - MIPS: Disable preemption during prctl(PR_SET_FP_MODE, ...)
    - MIPS: ptrace: Fix FP context restoration FCSR regression
    - MIPS: ptrace: Prevent writes to read-only FCSR bits
    - MIPS: Fix sigreturn via VDSO on microMIPS kernel
    - MIPS: Build microMIPS VDSO for microMIPS kernels
    - MIPS: lib: Mark intrinsics notrace
    - MIPS: VDSO: Build with `-fno-strict-aliasing'
    - affs: fix remount failure when there are no options changed
    - ASoC: ak4642: Enable cache usage to fix crashes on resume
    - Input: uinput - handle compat ioctl for UI_SET_PHYS
    - ARM: mvebu: fix GPIO config on the Linksys boards
    - ARM: dts: at91: fix typo in sama5d2 PIN_PD24 description
    - ARM: dts: exynos: Add interrupt line to MAX8997 PMIC on exynos4210-trats
    - ARM: dts: imx35: restore existing used clock enumeration
    - ath9k: Add a module parameter to invert LED polarity.
    - ath9k: Fix LED polarity for some Mini PCI AR9220 MB92 cards.
    - ath10k: fix debugfs pktlog_filter write
    - ath10k: fix firmware assert in monitor mode
    - ath10k: fix rx_channel during hw reconfigure
    - ath10k: fix kernel panic, move arvifs list head init before htt init
    - ath5k: Change led pin configuration for compaq c700 laptop
    - hwrng: exynos - Fix unbalanced PM runtime put on timeout error path
    - rtlwifi: rtl8723be: Add antenna select module parameter
    - rtlwifi: btcoexist: Implement antenna selection
    - rtlwifi: Fix logic error in enter/exit power-save mode
    - rtlwifi: pci: use

[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-06-27 Thread Launchpad Bug Tracker
This bug was fixed in the package linux-snapdragon - 4.4.0-1019.22

---
linux-snapdragon (4.4.0-1019.22) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1595882

  [ Ubuntu: 4.4.0-28.47 ]

  * Linux netfilter local privilege escalation issues (LP: #1595350)
    - netfilter: x_tables: don't move to non-existent next rule
    - netfilter: x_tables: validate targets of jumps
    - netfilter: x_tables: add and use xt_check_entry_offsets
    - netfilter: x_tables: kill check_entry helper
    - netfilter: x_tables: assert minimum target size
    - netfilter: x_tables: add compat version of xt_check_entry_offsets
    - netfilter: x_tables: check standard target size too
    - netfilter: x_tables: check for bogus target offset
    - netfilter: x_tables: validate all offsets and sizes in a rule
    - netfilter: x_tables: don't reject valid target size on some architectures
    - netfilter: arp_tables: simplify translate_compat_table args
    - netfilter: ip_tables: simplify translate_compat_table args
    - netfilter: ip6_tables: simplify translate_compat_table args
    - netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
    - netfilter: x_tables: do compat validation via translate_table
    - netfilter: x_tables: introduce and use xt_copy_counters_from_user
  * Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338)
    - netfilter: x_tables: validate e->target_offset early
    - netfilter: x_tables: make sure e->next_offset covers remaining blob size
    - netfilter: x_tables: fix unconditional helper

linux-snapdragon (4.4.0-1018.21) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1594929

  [ Ubuntu: 4.4.0-27.46 ]

  * Support Edge Gateway's Bluetooth LED (LP: #1512999)
    - Revert "UBUNTU: SAUCE: Bluetooth: Support for LED on Marvell modules"

linux-snapdragon (4.4.0-1017.20) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1594480

  [ Ubuntu: 4.4.0-26.45 ]

  * linux: Implement secure boot state variables (LP: #1593075)
    - SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
  * failures building userspace packages that include ethtool.h (LP: #1592930)
    - ethtool.h: define INT_MAX for userland

linux-snapdragon (4.4.0-1016.19) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1591462

  [ Ubuntu: 4.4.0-25.44 ]

  * Xenial update to v4.4.13 stable release (LP: #1590455)
    - MIPS64: R6: R2 emulation bugfix
    - MIPS: math-emu: Fix jalr emulation when rd == $0
    - MIPS: MSA: Fix a link error on `_init_msa_upper' with older GCC
    - MIPS: Don't unwind to user mode with EVA
    - MIPS: Avoid using unwind_stack() with usermode
    - MIPS: Fix siginfo.h to use strict posix types
    - MIPS: Fix uapi include in exported asm/siginfo.h
    - MIPS: Fix watchpoint restoration
    - MIPS: Flush highmem pages in __flush_dcache_page
    - MIPS: Handle highmem pages in __update_cache
    - MIPS: Sync icache & dcache in set_pte_at
    - MIPS: ath79: make bootconsole wait for both THRE and TEMT
    - MIPS: Reserve nosave data for hibernation
    - MIPS: Loongson-3: Reserve 32MB for RS780E integrated GPU
    - MIPS: Use copy_s.fmt rather than copy_u.fmt
    - MIPS: Fix MSA ld_*/st_* asm macros to use PTR_ADDU
    - MIPS: Prevent "restoration" of MSA context in non-MSA kernels
    - MIPS: Disable preemption during prctl(PR_SET_FP_MODE, ...)
    - MIPS: ptrace: Fix FP context restoration FCSR regression
    - MIPS: ptrace: Prevent writes to read-only FCSR bits
    - MIPS: Fix sigreturn via VDSO on microMIPS kernel
    - MIPS: Build microMIPS VDSO for microMIPS kernels
    - MIPS: lib: Mark intrinsics notrace
    - MIPS: VDSO: Build with `-fno-strict-aliasing'
    - affs: fix remount failure when there are no options changed
    - ASoC: ak4642: Enable cache usage to fix crashes on resume
    - Input: uinput - handle compat ioctl for UI_SET_PHYS
    - ARM: mvebu: fix GPIO config on the Linksys boards
    - ARM: dts: at91: fix typo in sama5d2 PIN_PD24 description
    - ARM: dts: exynos: Add interrupt line to MAX8997 PMIC on exynos4210-trats
    - ARM: dts: imx35: restore existing used clock enumeration
    - ath9k: Add a module parameter to invert LED polarity.
    - ath9k: Fix LED polarity for some Mini PCI AR9220 MB92 cards.
    - ath10k: fix debugfs pktlog_filter write
    - ath10k: fix firmware assert in monitor mode
    - ath10k: fix rx_channel during hw reconfigure
    - ath10k: fix kernel panic, move arvifs list head init before htt init
    - ath5k: Change led pin configuration for compaq c700 laptop
    - hwrng: exynos - Fix unbalanced PM runtime put on timeout error path
    - rtlwifi: rtl8723be: Add antenna select module parameter
    - rtlwifi: btcoexist: Implement antenna selection
    - rtlwifi: Fix logic error in enter/exit power-save mode
    - rtlwifi: pci: use dev_kfree_skb_irq instead of kfree_skb in
      rtl_pci_reset_trx_ring

[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-06-27 Thread Kamal Mostafa
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-xenial' to 'verification-done-xenial'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on
how to enable and use -proposed. Thank you!

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1555338

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Released
Status in linux-armadaxp package in Ubuntu:
  Invalid
Status in linux-flo package in Ubuntu:
  New
Status in linux-goldfish package in Ubuntu:
  New
Status in linux-keystone package in Ubuntu:
  Invalid
Status in linux-lts-quantal package in Ubuntu:
  Invalid
Status in linux-lts-raring package in Ubuntu:
  Invalid
Status in linux-lts-saucy package in Ubuntu:
  Invalid
Status in linux-lts-trusty package in Ubuntu:
  Invalid
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux-lts-vivid package in Ubuntu:
  Invalid
Status in linux-lts-wily package in Ubuntu:
  Invalid
Status in linux-lts-xenial package in Ubuntu:
  Invalid
Status in linux-mako package in Ubuntu:
  New
Status in linux-manta package in Ubuntu:
  Invalid
Status in linux-raspi2 package in Ubuntu:
  Invalid
Status in linux-snapdragon package in Ubuntu:
  Invalid
Status in linux-ti-omap4 package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Released
Status in linux-armadaxp source package in Precise:
  Fix Released
Status in linux-flo source package in Precise:
  Invalid
Status in linux-goldfish source package in Precise:
  Invalid
Status in linux-keystone source package in Precise:
  Invalid
Status in linux-lts-quantal source package in Precise:
  Invalid
Status in linux-lts-raring source package in Precise:
  Invalid
Status in linux-lts-saucy source package in Precise:
  Invalid
Status in linux-lts-trusty source package in Precise:
  Fix Released
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux-lts-vivid source package in Precise:
  Invalid
Status in linux-lts-wily source package in Precise:
  Invalid
Status in linux-lts-xenial source package in Precise:
  Invalid
Status in linux-mako source package in Precise:
  Invalid
Status in linux-manta source package in Precise:
  Invalid
Status in linux-raspi2 source package in Precise:
  Invalid
Status in linux-snapdragon source package in Precise:
  Invalid
Status in linux-ti-omap4 source package in Precise:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux-armadaxp source package in Trusty:
  Invalid
Status in linux-flo source package in Trusty:
  Invalid
Status in linux-goldfish source package in Trusty:
  Invalid
Status in linux-keystone source package in Trusty:
  Fix Released
Status in linux-lts-quantal source package in Trusty:
  Invalid
Status in linux-lts-raring source package in Trusty:
  Invalid
Status in linux-lts-saucy source package in Trusty:
  Invalid
Status in linux-lts-trusty source package in Trusty:
  Invalid
Status in linux-lts-utopic source package in Trusty:
  Fix Released
Status in linux-lts-vivid source package in Trusty:
  Fix Released
Status in linux-lts-wily source package in Trusty:
  Fix Released
Status in linux-lts-xenial source package in Trusty:
  Fix Released
Status in linux-mako source package in Trusty:
  Invalid
Status in linux-manta source package in Trusty:
  Invalid
Status in linux-raspi2 source package in Trusty:
  Invalid
Status in linux-snapdragon source package in Trusty:
  Invalid
Status in linux-ti-omap4 source package in Trusty:
  Invalid
Status in linux source package in Vivid:
  Fix Released
Status in linux-armadaxp source package in Vivid:
  Invalid
Status in linux-flo source package in Vivid:
  New
Status in linux-goldfish source package in Vivid:
  New
Status in linux-keystone source package in Vivid:
  Invalid
Status in linux-lts-quantal source package in Vivid:
  New
Status in linux-lts-raring source package in Vivid:
  New
Status in linux-lts-saucy source package in Vivid:
  New
Status in linux-lts-trusty source package in Vivid:
  New
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux-lts-vivid source package in Vivid:
  New
Status in linux-lts-wily source package in Vivid:
  New
Status in linux-lts-xenial source package in Vivid:
  New
Status in linux-mako source package in Vivid:
  New
Status in linux-manta source package in Vivid:
  New
Status in linux-raspi2 source package in Vivid:
  New
Status in linux-snapdragon source package in Vivid:
  New
Status in linux-ti-omap4 source package in Vivid:
  Invalid
Status in linux source package in 

[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-06-27 Thread Kamal Mostafa
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-vivid' to 'verification-done-vivid'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on
how to enable and use -proposed. Thank you!


** Tags added: verification-needed-wily

[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-06-27 Thread Kamal Mostafa
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-wily' to 'verification-done-wily'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on
how to enable and use -proposed. Thank you!


** Tags added: verification-needed-xenial


[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-06-27 Thread Kamal Mostafa
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-trusty' to 'verification-done-trusty'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on
how to enable and use -proposed. Thank you!


** Tags added: verification-needed-trusty

** Tags added: verification-needed-vivid


[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-05-05 Thread Steve Beattie
** Changed in: linux-snapdragon (Ubuntu Precise)
   Status: New => Invalid

** Changed in: linux-snapdragon (Ubuntu Precise)
   Importance: Undecided => High

** Changed in: linux-snapdragon (Ubuntu Wily)
   Status: New => Invalid

** Changed in: linux-snapdragon (Ubuntu Wily)
   Importance: Undecided => High

** Changed in: linux-snapdragon (Ubuntu Xenial)
   Status: New => Invalid

** Changed in: linux-snapdragon (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: linux-snapdragon (Ubuntu Yakkety)
   Status: New => Invalid

** Changed in: linux-snapdragon (Ubuntu Yakkety)
   Importance: Undecided => High

** Changed in: linux-snapdragon (Ubuntu Trusty)
   Status: New => Invalid

** Changed in: linux-snapdragon (Ubuntu Trusty)
   Importance: Undecided => High


[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-04-27 Thread Steve Beattie
** Also affects: linux (Ubuntu Yakkety)
   Importance: High
   Assignee: Tim Gardner (timg-tpi)
   Status: Fix Released

** Also affects: linux-ti-omap4 (Ubuntu Yakkety)
   Importance: High
   Status: Invalid

** Also affects: linux-armadaxp (Ubuntu Yakkety)
   Importance: High
   Status: Invalid

** Also affects: linux-lts-quantal (Ubuntu Yakkety)
   Importance: High
   Status: Invalid

** Also affects: linux-lts-raring (Ubuntu Yakkety)
   Importance: High
   Status: Invalid

** Also affects: linux-lts-saucy (Ubuntu Yakkety)
   Importance: High
   Status: Invalid

** Also affects: linux-mako (Ubuntu Yakkety)
   Importance: High
   Status: New

** Also affects: linux-manta (Ubuntu Yakkety)
   Importance: High
   Status: Invalid

** Also affects: linux-keystone (Ubuntu Yakkety)
   Importance: Undecided
   Status: Invalid

** Also affects: linux-goldfish (Ubuntu Yakkety)
   Importance: High
   Status: New

** Also affects: linux-flo (Ubuntu Yakkety)
   Importance: High
   Status: New

** Also affects: linux-lts-trusty (Ubuntu Yakkety)
   Importance: High
   Status: Invalid

** Also affects: linux-lts-utopic (Ubuntu Yakkety)
   Importance: High
   Status: Invalid

** Also affects: linux-lts-vivid (Ubuntu Yakkety)
   Importance: High
   Status: Invalid

** Also affects: linux-lts-wily (Ubuntu Yakkety)
   Importance: High
   Status: Invalid

** Also affects: linux-raspi2 (Ubuntu Yakkety)
   Importance: High
   Status: Invalid

** Also affects: linux-lts-xenial (Ubuntu Yakkety)
   Importance: High
   Status: Invalid


[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-04-19 Thread Steve Beattie
** Changed in: linux-raspi2 (Ubuntu Xenial)
   Status: New => Invalid


[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-04-19 Thread Steve Beattie
** Changed in: linux-manta (Ubuntu Xenial)
   Status: New => Invalid


[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-28 Thread Launchpad Bug Tracker
This bug was fixed in the package linux-lts-xenial - 4.4.0-14.30~14.04.2

---
linux-lts-xenial (4.4.0-14.30~14.04.2) trusty; urgency=low

  * Release Tracking Bug (LP: #1558247)

  * Current 4.4 kernel won't boot on powerpc (LP: #1557130)
- powerpc: Fix dedotify for binutils >= 2.26

  * ZFS: send fails to transmit some holes [corruption] (LP: #1557151)
- Illumos 6370 - ZFS send fails to transmit some holes

  * Request to cherry-pick uvcvideo patch for Xenial kernel support of RealSense
camera (LP: #1557138)
- UVC: Add support for ds4 depth camera

  * use after free of task_struct->numa_faults in task_numa_find_cpu (LP: #1527643)
- sched/numa: Fix use-after-free bug in the task_numa_compare

  * overlay fs regression: chmod fails with "Operation not permitted" on chowned files (LP: #1555997)
- ovl: copy new uid/gid into overlayfs runtime inode

  * Miscellaneous Ubuntu changes
- SAUCE: Dump stack when X.509 certificates cannot be loaded

 -- Brad Figg   Thu, 17 Mar 2016 09:18:22 -0700

** Changed in: linux-lts-xenial (Ubuntu Trusty)
   Status: Invalid => Fix Released

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Released
Status in linux-armadaxp package in Ubuntu:
  Invalid
Status in linux-flo package in Ubuntu:
  New
Status in linux-goldfish package in Ubuntu:
  New
Status in linux-keystone package in Ubuntu:
  Invalid
Status in linux-lts-quantal package in Ubuntu:
  Invalid
Status in linux-lts-raring package in Ubuntu:
  Invalid
Status in linux-lts-saucy package in Ubuntu:
  Invalid
Status in linux-lts-trusty package in Ubuntu:
  Invalid
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux-lts-vivid package in Ubuntu:
  Invalid
Status in linux-lts-wily package in Ubuntu:
  Invalid
Status in linux-lts-xenial package in Ubuntu:
  Invalid
Status in linux-mako package in Ubuntu:
  New
Status in linux-manta package in Ubuntu:
  New
Status in linux-raspi2 package in Ubuntu:
  New
Status in linux-ti-omap4 package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Released
Status in linux-armadaxp source package in Precise:
  Fix Released
Status in linux-flo source package in Precise:
  Invalid
Status in linux-goldfish source package in Precise:
  Invalid
Status in linux-keystone source package in Precise:
  Invalid
Status in linux-lts-quantal source package in Precise:
  Invalid
Status in linux-lts-raring source package in Precise:
  Invalid
Status in linux-lts-saucy source package in Precise:
  Invalid
Status in linux-lts-trusty source package in Precise:
  Fix Released
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux-lts-vivid source package in Precise:
  Invalid
Status in linux-lts-wily source package in Precise:
  Invalid
Status in linux-lts-xenial source package in Precise:
  Invalid
Status in linux-mako source package in Precise:
  Invalid
Status in linux-manta source package in Precise:
  Invalid
Status in linux-raspi2 source package in Precise:
  Invalid
Status in linux-ti-omap4 source package in Precise:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux-armadaxp source package in Trusty:
  Invalid
Status in linux-flo source package in Trusty:
  Invalid
Status in linux-goldfish source package in Trusty:
  Invalid
Status in linux-keystone source package in Trusty:
  Fix Released
Status in linux-lts-quantal source package in Trusty:
  Invalid
Status in linux-lts-raring source package in Trusty:
  Invalid
Status in linux-lts-saucy source package in Trusty:
  Invalid
Status in linux-lts-trusty source package in Trusty:
  Invalid
Status in linux-lts-utopic source package in Trusty:
  Fix Released
Status in linux-lts-vivid source package in Trusty:
  Fix Released
Status in linux-lts-wily source package in Trusty:
  Fix Released
Status in linux-lts-xenial source package in Trusty:
  Fix Released
Status in linux-mako source package in Trusty:
  Invalid
Status in linux-manta source package in Trusty:
  Invalid
Status in linux-raspi2 source package in Trusty:
  Invalid
Status in linux-ti-omap4 source package in Trusty:
  Invalid
Status in linux source package in Vivid:
  Fix Released
Status in linux-armadaxp source package in Vivid:
  Invalid
Status in linux-flo source package in Vivid:
  New
Status in linux-goldfish source package in Vivid:
  New
Status in linux-keystone source package in Vivid:
  Invalid
Status in linux-lts-quantal source package in Vivid:
  New
Status in linux-lts-raring source package in Vivid:
  New
Status in linux-lts-saucy source package in Vivid:
  New
Status in linux-lts-trusty source package in Vivid:
  New
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in 

[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-18 Thread Steve Beattie
** Changed in: linux-raspi2 (Ubuntu Wily)
   Status: New => Fix Released

** Changed in: linux-lts-xenial (Ubuntu Trusty)
   Status: Fix Released => New

** Changed in: linux-lts-xenial (Ubuntu Trusty)
   Status: New => Invalid

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Released
Status in linux-armadaxp package in Ubuntu:
  Invalid
Status in linux-flo package in Ubuntu:
  New
Status in linux-goldfish package in Ubuntu:
  New
Status in linux-keystone package in Ubuntu:
  Invalid
Status in linux-lts-quantal package in Ubuntu:
  Invalid
Status in linux-lts-raring package in Ubuntu:
  Invalid
Status in linux-lts-saucy package in Ubuntu:
  Invalid
Status in linux-lts-trusty package in Ubuntu:
  Invalid
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux-lts-vivid package in Ubuntu:
  Invalid
Status in linux-lts-wily package in Ubuntu:
  Invalid
Status in linux-lts-xenial package in Ubuntu:
  Invalid
Status in linux-mako package in Ubuntu:
  New
Status in linux-manta package in Ubuntu:
  New
Status in linux-raspi2 package in Ubuntu:
  New
Status in linux-ti-omap4 package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Released
Status in linux-armadaxp source package in Precise:
  Fix Released
Status in linux-flo source package in Precise:
  Invalid
Status in linux-goldfish source package in Precise:
  Invalid
Status in linux-keystone source package in Precise:
  Invalid
Status in linux-lts-quantal source package in Precise:
  Invalid
Status in linux-lts-raring source package in Precise:
  Invalid
Status in linux-lts-saucy source package in Precise:
  Invalid
Status in linux-lts-trusty source package in Precise:
  Fix Released
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux-lts-vivid source package in Precise:
  Invalid
Status in linux-lts-wily source package in Precise:
  Invalid
Status in linux-lts-xenial source package in Precise:
  Invalid
Status in linux-mako source package in Precise:
  Invalid
Status in linux-manta source package in Precise:
  Invalid
Status in linux-raspi2 source package in Precise:
  Invalid
Status in linux-ti-omap4 source package in Precise:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux-armadaxp source package in Trusty:
  Invalid
Status in linux-flo source package in Trusty:
  Invalid
Status in linux-goldfish source package in Trusty:
  Invalid
Status in linux-keystone source package in Trusty:
  Fix Released
Status in linux-lts-quantal source package in Trusty:
  Invalid
Status in linux-lts-raring source package in Trusty:
  Invalid
Status in linux-lts-saucy source package in Trusty:
  Invalid
Status in linux-lts-trusty source package in Trusty:
  Invalid
Status in linux-lts-utopic source package in Trusty:
  Fix Released
Status in linux-lts-vivid source package in Trusty:
  Fix Released
Status in linux-lts-wily source package in Trusty:
  Fix Released
Status in linux-lts-xenial source package in Trusty:
  Invalid
Status in linux-mako source package in Trusty:
  Invalid
Status in linux-manta source package in Trusty:
  Invalid
Status in linux-raspi2 source package in Trusty:
  Invalid
Status in linux-ti-omap4 source package in Trusty:
  Invalid
Status in linux source package in Vivid:
  Fix Released
Status in linux-armadaxp source package in Vivid:
  Invalid
Status in linux-flo source package in Vivid:
  New
Status in linux-goldfish source package in Vivid:
  New
Status in linux-keystone source package in Vivid:
  Invalid
Status in linux-lts-quantal source package in Vivid:
  New
Status in linux-lts-raring source package in Vivid:
  New
Status in linux-lts-saucy source package in Vivid:
  New
Status in linux-lts-trusty source package in Vivid:
  New
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux-lts-vivid source package in Vivid:
  New
Status in linux-lts-wily source package in Vivid:
  New
Status in linux-lts-xenial source package in Vivid:
  New
Status in linux-mako source package in Vivid:
  New
Status in linux-manta source package in Vivid:
  New
Status in linux-raspi2 source package in Vivid:
  New
Status in linux-ti-omap4 source package in Vivid:
  Invalid
Status in linux source package in Wily:
  Fix Released
Status in linux-armadaxp source package in Wily:
  Invalid
Status in linux-flo source package in Wily:
  New
Status in linux-goldfish source package in Wily:
  New
Status in linux-keystone source package in Wily:
  Invalid
Status in linux-lts-quantal source package in Wily:
  Invalid
Status in linux-lts-raring source package in Wily:
  Invalid
Status in linux-lts-saucy source package in Wily:
  Invalid
Status in linux-lts-trusty source package in Wily:
  Invalid
Status in 

[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-15 Thread Launchpad Bug Tracker
This bug was fixed in the package linux-lts-xenial - 4.4.0-13.29~14.04.1

---
linux-lts-xenial (4.4.0-13.29~14.04.1) trusty; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
- LP: #1556247

  * s390/mm: four page table levels vs. fork (LP: #1556141)
- s390/mm: four page table levels vs. fork

  * [Hyper-V] network performance patches for Xenial 16.04 (LP: #1556037)
- hv_netvsc: use skb_get_hash() instead of a homegrown implementation
- hv_netvsc: cleanup netdev feature flags for netvsc

  * fails to boot on megaraid (LP: #1552903)
- SAUCE: (noup) megaraid_sas: Don't issue kill adapter for MFI controllers in case of PD list DCMD failure

  * ALSA: hda - add codec support for Kabylake display audio codec (LP: #1556002)
- ALSA: hda - add codec support for Kabylake display audio codec

  * Backport upstream bugfixes to ubuntu-16.04 (LP: #1555765)
- cpufreq: powernv: Free 'chips' on module exit
- cpufreq: powernv: Hot-plug safe the kworker thread
- cpufreq: powernv: Remove cpu_to_chip_id() from hot-path
- cpufreq: powernv/tracing: Add powernv_throttle tracepoint
- cpufreq: powernv: Replace pr_info with trace print for throttle event
- SAUCE: (noup) cpufreq: powernv: Fix bugs in powernv_cpufreq_{init/exit}

  * Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338)
- SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving userspace

  * integer overflow in xt_alloc_table_info (LP: #1555353)
- SAUCE: (noup) netfilter: x_tables: check for size overflow

  * linux: auto-generate the reconstruct information from the git tag (LP: #143)
- [Packaging] reconstruct -- automatically reconstruct against base tag
- [Config] reconstruct -- update to autoreconstruct output
- [Packaging] reconstruct -- update when inserting final changes

  * Xenial update to v4.4.5 stable release (LP: #1555640)
- use ->d_seq to get coherency between ->d_inode and ->d_flags
- drivers: sh: Restore legacy clock domain on SuperH platforms
- Btrfs: fix deadlock running delayed iputs at transaction commit time
- btrfs: Fix no_space in write and rm loop
- btrfs: async-thread: Fix a use-after-free error for trace
- block: Initialize max_dev_sectors to 0
- PCI: keystone: Fix MSI code that retrieves struct pcie_port pointer
- parisc: Fix ptrace syscall number and return value modification
- mips/kvm: fix ioctl error handling
- kvm: x86: Update tsc multiplier on change.
- fbcon: set a default value to blink interval
- cifs: fix out-of-bounds access in lease parsing
- CIFS: Fix SMB2+ interim response processing for read requests
- Fix cifs_uniqueid_to_ino_t() function for s390x
- vfio: fix ioctl error handling
- KVM: x86: fix root cause for missed hardware breakpoints
- arm/arm64: KVM: Fix ioctl error handling
- iommu/amd: Apply workaround for ATS write permission check
- iommu/amd: Fix boot warning when device 00:00.0 is not iommu covered
- iommu/vt-d: Use BUS_NOTIFY_REMOVED_DEVICE in hotplug path
- target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors
- drm/ast: Fix incorrect register check for DRAM width
- drm/radeon/pm: update current crtc info after setting the powerstate
- drm/amdgpu/pm: update current crtc info after setting the powerstate
- drm/amdgpu: apply gfx_v8 fixes to gfx_v7 as well
- drm/amdgpu/gfx8: specify which engine to wait before vm flush
- drm/amdgpu: return from atombios_dp_get_dpcd only when error
- libata: fix HDIO_GET_32BIT ioctl
- libata: Align ata_device's id on a cacheline
- block: bio: introduce helpers to get the 1st and last bvec
- writeback: flush inode cgroup wb switches instead of pinning super_block
- Adding Intel Lewisburg device IDs for SATA
- arm64: vmemmap: use virtual projection of linear region
- PM / sleep / x86: Fix crash on graph trace through x86 suspend
- ata: ahci: don't mark HotPlugCapable Ports as external/removable
- tracing: Do not have 'comm' filter override event 'comm' field
- pata-rb532-cf: get rid of the irq_to_gpio() call
- Btrfs: fix loading of orphan roots leading to BUG_ON
- Revert "jffs2: Fix lock acquisition order bug in jffs2_write_begin"
- jffs2: Fix page lock / f->sem deadlock
- Fix directory hardlinks from deleted directories
- dmaengine: pxa_dma: fix cyclic transfers
- adv7604: fix tx 5v detect regression
- ALSA: usb-audio: Add a quirk for Plantronics DA45
- ALSA: ctl: Fix ioctls for X32 ABI
- ALSA: hda - Fix mic issues on Acer Aspire E1-472
- ALSA: rawmidi: Fix ioctls X32 ABI
- ALSA: timer: Fix ioctls for X32 ABI
- ALSA: pcm: Fix ioctls for X32 ABI
- ALSA: seq: oss: Don't drain at closing a client
- ALSA: hdspm: Fix wrong boolean ctl value accesses
- ALSA: hdsp: Fix wrong boolean ctl value accesses
- ALSA: hdspm: Fix zero-division
- ALSA: 

[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-15 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.4.0-13.29

---
linux (4.4.0-13.29) xenial; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
- LP: #1556247

  * s390/mm: four page table levels vs. fork (LP: #1556141)
- s390/mm: four page table levels vs. fork

  * [Hyper-V] network performance patches for Xenial 16.04 (LP: #1556037)
- hv_netvsc: use skb_get_hash() instead of a homegrown implementation
- hv_netvsc: cleanup netdev feature flags for netvsc

  * fails to boot on megaraid (LP: #1552903)
- SAUCE: (noup) megaraid_sas: Don't issue kill adapter for MFI controllers in case of PD list DCMD failure

  * ALSA: hda - add codec support for Kabylake display audio codec (LP: #1556002)
- ALSA: hda - add codec support for Kabylake display audio codec

  * Backport upstream bugfixes to ubuntu-16.04 (LP: #1555765)
- cpufreq: powernv: Free 'chips' on module exit
- cpufreq: powernv: Hot-plug safe the kworker thread
- cpufreq: powernv: Remove cpu_to_chip_id() from hot-path
- cpufreq: powernv/tracing: Add powernv_throttle tracepoint
- cpufreq: powernv: Replace pr_info with trace print for throttle event
- SAUCE: (noup) cpufreq: powernv: Fix bugs in powernv_cpufreq_{init/exit}

  * Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338)
- SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving userspace

  * integer overflow in xt_alloc_table_info (LP: #1555353)
- SAUCE: (noup) netfilter: x_tables: check for size overflow

  * linux: auto-generate the reconstruct information from the git tag (LP: #143)
- [Packaging] reconstruct -- automatically reconstruct against base tag
- [Config] reconstruct -- update to autoreconstruct output
- [Packaging] reconstruct -- update when inserting final changes

  * Xenial update to v4.4.5 stable release (LP: #1555640)
- use ->d_seq to get coherency between ->d_inode and ->d_flags
- drivers: sh: Restore legacy clock domain on SuperH platforms
- Btrfs: fix deadlock running delayed iputs at transaction commit time
- btrfs: Fix no_space in write and rm loop
- btrfs: async-thread: Fix a use-after-free error for trace
- block: Initialize max_dev_sectors to 0
- PCI: keystone: Fix MSI code that retrieves struct pcie_port pointer
- parisc: Fix ptrace syscall number and return value modification
- mips/kvm: fix ioctl error handling
- kvm: x86: Update tsc multiplier on change.
- fbcon: set a default value to blink interval
- cifs: fix out-of-bounds access in lease parsing
- CIFS: Fix SMB2+ interim response processing for read requests
- Fix cifs_uniqueid_to_ino_t() function for s390x
- vfio: fix ioctl error handling
- KVM: x86: fix root cause for missed hardware breakpoints
- arm/arm64: KVM: Fix ioctl error handling
- iommu/amd: Apply workaround for ATS write permission check
- iommu/amd: Fix boot warning when device 00:00.0 is not iommu covered
- iommu/vt-d: Use BUS_NOTIFY_REMOVED_DEVICE in hotplug path
- target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors
- drm/ast: Fix incorrect register check for DRAM width
- drm/radeon/pm: update current crtc info after setting the powerstate
- drm/amdgpu/pm: update current crtc info after setting the powerstate
- drm/amdgpu: apply gfx_v8 fixes to gfx_v7 as well
- drm/amdgpu/gfx8: specify which engine to wait before vm flush
- drm/amdgpu: return from atombios_dp_get_dpcd only when error
- libata: fix HDIO_GET_32BIT ioctl
- libata: Align ata_device's id on a cacheline
- block: bio: introduce helpers to get the 1st and last bvec
- writeback: flush inode cgroup wb switches instead of pinning super_block
- Adding Intel Lewisburg device IDs for SATA
- arm64: vmemmap: use virtual projection of linear region
- PM / sleep / x86: Fix crash on graph trace through x86 suspend
- ata: ahci: don't mark HotPlugCapable Ports as external/removable
- tracing: Do not have 'comm' filter override event 'comm' field
- pata-rb532-cf: get rid of the irq_to_gpio() call
- Btrfs: fix loading of orphan roots leading to BUG_ON
- Revert "jffs2: Fix lock acquisition order bug in jffs2_write_begin"
- jffs2: Fix page lock / f->sem deadlock
- Fix directory hardlinks from deleted directories
- dmaengine: pxa_dma: fix cyclic transfers
- adv7604: fix tx 5v detect regression
- ALSA: usb-audio: Add a quirk for Plantronics DA45
- ALSA: ctl: Fix ioctls for X32 ABI
- ALSA: hda - Fix mic issues on Acer Aspire E1-472
- ALSA: rawmidi: Fix ioctls X32 ABI
- ALSA: timer: Fix ioctls for X32 ABI
- ALSA: pcm: Fix ioctls for X32 ABI
- ALSA: seq: oss: Don't drain at closing a client
- ALSA: hdspm: Fix wrong boolean ctl value accesses
- ALSA: hdsp: Fix wrong boolean ctl value accesses
- ALSA: hdspm: Fix zero-division
- ALSA: timer: Fix broken compat timer user status 

[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-15 Thread Launchpad Bug Tracker
This bug was fixed in the package linux-keystone - 3.13.0-53.78

---
linux-keystone (3.13.0-53.78) trusty; urgency=low

  [ Ike Panhc ]

  * Release Tracking Bug
- LP: #1555956
  * Rebase to Ubuntu-3.13.0-83.127

  [ Ubuntu: 3.13.0-83.127 ]

  * Release Tracking Bug
- LP: #1555839
  * SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving userspace
- LP: #1555338

 -- Ike Panhc   Sat, 12 Mar 2016 10:03:08 +0800

** Changed in: linux-keystone (Ubuntu Trusty)
   Status: Fix Committed => Fix Released

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Committed
Status in linux-armadaxp package in Ubuntu:
  Invalid
Status in linux-flo package in Ubuntu:
  New
Status in linux-goldfish package in Ubuntu:
  New
Status in linux-keystone package in Ubuntu:
  Invalid
Status in linux-lts-quantal package in Ubuntu:
  Invalid
Status in linux-lts-raring package in Ubuntu:
  Invalid
Status in linux-lts-saucy package in Ubuntu:
  Invalid
Status in linux-lts-trusty package in Ubuntu:
  Invalid
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux-lts-vivid package in Ubuntu:
  Invalid
Status in linux-lts-wily package in Ubuntu:
  Invalid
Status in linux-lts-xenial package in Ubuntu:
  Invalid
Status in linux-mako package in Ubuntu:
  New
Status in linux-manta package in Ubuntu:
  New
Status in linux-raspi2 package in Ubuntu:
  New
Status in linux-ti-omap4 package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Released
Status in linux-armadaxp source package in Precise:
  Fix Released
Status in linux-flo source package in Precise:
  Invalid
Status in linux-goldfish source package in Precise:
  Invalid
Status in linux-keystone source package in Precise:
  Invalid
Status in linux-lts-quantal source package in Precise:
  Invalid
Status in linux-lts-raring source package in Precise:
  Invalid
Status in linux-lts-saucy source package in Precise:
  Invalid
Status in linux-lts-trusty source package in Precise:
  Fix Released
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux-lts-vivid source package in Precise:
  Invalid
Status in linux-lts-wily source package in Precise:
  Invalid
Status in linux-lts-xenial source package in Precise:
  Invalid
Status in linux-mako source package in Precise:
  Invalid
Status in linux-manta source package in Precise:
  Invalid
Status in linux-raspi2 source package in Precise:
  Invalid
Status in linux-ti-omap4 source package in Precise:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux-armadaxp source package in Trusty:
  Invalid
Status in linux-flo source package in Trusty:
  Invalid
Status in linux-goldfish source package in Trusty:
  Invalid
Status in linux-keystone source package in Trusty:
  Fix Released
Status in linux-lts-quantal source package in Trusty:
  Invalid
Status in linux-lts-raring source package in Trusty:
  Invalid
Status in linux-lts-saucy source package in Trusty:
  Invalid
Status in linux-lts-trusty source package in Trusty:
  Invalid
Status in linux-lts-utopic source package in Trusty:
  Fix Released
Status in linux-lts-vivid source package in Trusty:
  Fix Released
Status in linux-lts-wily source package in Trusty:
  Fix Released
Status in linux-lts-xenial source package in Trusty:
  New
Status in linux-mako source package in Trusty:
  Invalid
Status in linux-manta source package in Trusty:
  Invalid
Status in linux-raspi2 source package in Trusty:
  Invalid
Status in linux-ti-omap4 source package in Trusty:
  Invalid
Status in linux source package in Vivid:
  Fix Released
Status in linux-armadaxp source package in Vivid:
  Invalid
Status in linux-flo source package in Vivid:
  New
Status in linux-goldfish source package in Vivid:
  New
Status in linux-keystone source package in Vivid:
  Invalid
Status in linux-lts-quantal source package in Vivid:
  New
Status in linux-lts-raring source package in Vivid:
  New
Status in linux-lts-saucy source package in Vivid:
  New
Status in linux-lts-trusty source package in Vivid:
  New
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux-lts-vivid source package in Vivid:
  New
Status in linux-lts-wily source package in Vivid:
  New
Status in linux-lts-xenial source package in Vivid:
  New
Status in linux-mako source package in Vivid:
  New
Status in linux-manta source package in Vivid:
  New
Status in linux-raspi2 source package in Vivid:
  New
Status in linux-ti-omap4 source package in Vivid:
  Invalid
Status in linux source package in Wily:
  Fix Released
Status in linux-armadaxp source package in Wily:
  Invalid
Status in linux-flo source package in Wily:
  New
Status in linux-goldfish source package in Wily:
  New

[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-15 Thread Launchpad Bug Tracker
This bug was fixed in the package linux-armadaxp - 3.2.0-1664.88

---
linux-armadaxp (3.2.0-1664.88) precise; urgency=low

  [ Ike Panhc ]

  * Release Tracking Bug
- LP: #1555919
  * Rebase to Ubuntu-3.2.0-101.141

  [ Ubuntu: 3.2.0-101.141 ]

  * Release Tracking Bug
- LP: #1555809
  * SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving userspace
- LP: #1555338

 -- Ike Panhc   Sat, 12 Mar 2016 10:40:37 +0800

** Changed in: linux-armadaxp (Ubuntu Precise)
   Status: Fix Committed => Fix Released

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Committed
Status in linux-armadaxp package in Ubuntu:
  Invalid
Status in linux-flo package in Ubuntu:
  New
Status in linux-goldfish package in Ubuntu:
  New
Status in linux-keystone package in Ubuntu:
  Invalid
Status in linux-lts-quantal package in Ubuntu:
  Invalid
Status in linux-lts-raring package in Ubuntu:
  Invalid
Status in linux-lts-saucy package in Ubuntu:
  Invalid
Status in linux-lts-trusty package in Ubuntu:
  Invalid
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux-lts-vivid package in Ubuntu:
  Invalid
Status in linux-lts-wily package in Ubuntu:
  Invalid
Status in linux-lts-xenial package in Ubuntu:
  Invalid
Status in linux-mako package in Ubuntu:
  New
Status in linux-manta package in Ubuntu:
  New
Status in linux-raspi2 package in Ubuntu:
  New
Status in linux-ti-omap4 package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Released
Status in linux-armadaxp source package in Precise:
  Fix Released
Status in linux-flo source package in Precise:
  Invalid
Status in linux-goldfish source package in Precise:
  Invalid
Status in linux-keystone source package in Precise:
  Invalid
Status in linux-lts-quantal source package in Precise:
  Invalid
Status in linux-lts-raring source package in Precise:
  Invalid
Status in linux-lts-saucy source package in Precise:
  Invalid
Status in linux-lts-trusty source package in Precise:
  Fix Released
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux-lts-vivid source package in Precise:
  Invalid
Status in linux-lts-wily source package in Precise:
  Invalid
Status in linux-lts-xenial source package in Precise:
  Invalid
Status in linux-mako source package in Precise:
  Invalid
Status in linux-manta source package in Precise:
  Invalid
Status in linux-raspi2 source package in Precise:
  Invalid
Status in linux-ti-omap4 source package in Precise:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux-armadaxp source package in Trusty:
  Invalid
Status in linux-flo source package in Trusty:
  Invalid
Status in linux-goldfish source package in Trusty:
  Invalid
Status in linux-keystone source package in Trusty:
  Fix Committed
Status in linux-lts-quantal source package in Trusty:
  Invalid
Status in linux-lts-raring source package in Trusty:
  Invalid
Status in linux-lts-saucy source package in Trusty:
  Invalid
Status in linux-lts-trusty source package in Trusty:
  Invalid
Status in linux-lts-utopic source package in Trusty:
  Fix Released
Status in linux-lts-vivid source package in Trusty:
  Fix Released
Status in linux-lts-wily source package in Trusty:
  Fix Released
Status in linux-lts-xenial source package in Trusty:
  New
Status in linux-mako source package in Trusty:
  Invalid
Status in linux-manta source package in Trusty:
  Invalid
Status in linux-raspi2 source package in Trusty:
  Invalid
Status in linux-ti-omap4 source package in Trusty:
  Invalid
Status in linux source package in Vivid:
  Fix Released
Status in linux-armadaxp source package in Vivid:
  Invalid
Status in linux-flo source package in Vivid:
  New
Status in linux-goldfish source package in Vivid:
  New
Status in linux-keystone source package in Vivid:
  Invalid
Status in linux-lts-quantal source package in Vivid:
  New
Status in linux-lts-raring source package in Vivid:
  New
Status in linux-lts-saucy source package in Vivid:
  New
Status in linux-lts-trusty source package in Vivid:
  New
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux-lts-vivid source package in Vivid:
  New
Status in linux-lts-wily source package in Vivid:
  New
Status in linux-lts-xenial source package in Vivid:
  New
Status in linux-mako source package in Vivid:
  New
Status in linux-manta source package in Vivid:
  New
Status in linux-raspi2 source package in Vivid:
  New
Status in linux-ti-omap4 source package in Vivid:
  Invalid
Status in linux source package in Wily:
  Fix Released
Status in linux-armadaxp source package in Wily:
  Invalid
Status in linux-flo source package in Wily:
  New
Status in linux-goldfish source package in Wily:
  

[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-14 Thread Steve Beattie
** Changed in: linux-lts-trusty (Ubuntu Precise)
   Status: New => Fix Released

** Changed in: linux-lts-trusty (Ubuntu Precise)
   Importance: Undecided => High

** Changed in: linux-lts-trusty (Ubuntu Wily)
   Status: New => Invalid

** Changed in: linux-lts-trusty (Ubuntu Wily)
   Importance: Undecided => High

** Changed in: linux-lts-trusty (Ubuntu Xenial)
   Status: New => Invalid

** Changed in: linux-lts-trusty (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: linux-lts-trusty (Ubuntu Trusty)
   Status: New => Invalid

** Changed in: linux-lts-trusty (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: linux-lts-wily (Ubuntu Precise)
   Status: New => Invalid

** Changed in: linux-lts-wily (Ubuntu Precise)
   Importance: Undecided => High

** Changed in: linux-lts-wily (Ubuntu Wily)
   Status: New => Invalid

** Changed in: linux-lts-wily (Ubuntu Wily)
   Importance: Undecided => High

** Changed in: linux-lts-wily (Ubuntu Xenial)
   Status: New => Invalid

** Changed in: linux-lts-wily (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: linux-lts-wily (Ubuntu Trusty)
   Status: New => Fix Released

** Changed in: linux-lts-wily (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: linux-lts-quantal (Ubuntu Precise)
   Status: New => Invalid

** Changed in: linux-lts-quantal (Ubuntu Precise)
   Importance: Undecided => High

** Changed in: linux-lts-quantal (Ubuntu Wily)
   Status: New => Invalid

** Changed in: linux-lts-quantal (Ubuntu Wily)
   Importance: Undecided => High

** Changed in: linux-lts-quantal (Ubuntu Xenial)
   Status: New => Invalid

** Changed in: linux-lts-quantal (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: linux-lts-quantal (Ubuntu Trusty)
   Status: New => Invalid

** Changed in: linux-lts-quantal (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: linux (Ubuntu Precise)
   Importance: Critical => High

** Changed in: linux (Ubuntu Wily)
   Importance: Critical => High

** Changed in: linux (Ubuntu Trusty)
   Importance: Critical => High

** Changed in: linux-ti-omap4 (Ubuntu Precise)
   Status: New => Fix Released

** Changed in: linux-ti-omap4 (Ubuntu Precise)
   Importance: Undecided => High

** Changed in: linux-ti-omap4 (Ubuntu Wily)
   Status: New => Invalid

** Changed in: linux-ti-omap4 (Ubuntu Wily)
   Importance: Undecided => High

** Changed in: linux-ti-omap4 (Ubuntu Xenial)
   Status: New => Invalid

** Changed in: linux-ti-omap4 (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: linux-ti-omap4 (Ubuntu Trusty)
   Status: New => Invalid

** Changed in: linux-ti-omap4 (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: linux-lts-raring (Ubuntu Precise)
   Status: New => Invalid

** Changed in: linux-lts-raring (Ubuntu Precise)
   Importance: Undecided => High

** Changed in: linux-lts-raring (Ubuntu Wily)
   Status: New => Invalid

** Changed in: linux-lts-raring (Ubuntu Wily)
   Importance: Undecided => High

** Changed in: linux-lts-raring (Ubuntu Xenial)
   Status: New => Invalid

** Changed in: linux-lts-raring (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: linux-lts-raring (Ubuntu Trusty)
   Status: New => Invalid

** Changed in: linux-lts-raring (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: linux-armadaxp (Ubuntu Precise)
   Importance: Critical => High

** Changed in: linux-armadaxp (Ubuntu Wily)
   Importance: Undecided => High

** Changed in: linux-armadaxp (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: linux-armadaxp (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: linux-lts-xenial (Ubuntu Precise)
   Status: New => Invalid

** Changed in: linux-lts-xenial (Ubuntu Precise)
   Importance: Undecided => High

** Changed in: linux-lts-xenial (Ubuntu Wily)
   Status: New => Invalid

** Changed in: linux-lts-xenial (Ubuntu Wily)
   Importance: Undecided => High

** Changed in: linux-lts-xenial (Ubuntu Xenial)
   Status: New => Invalid

** Changed in: linux-lts-xenial (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: linux-lts-xenial (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: linux-lts-saucy (Ubuntu Precise)
   Status: New => Invalid

** Changed in: linux-lts-saucy (Ubuntu Precise)
   Importance: Undecided => High

** Changed in: linux-lts-saucy (Ubuntu Wily)
   Status: New => Invalid

** Changed in: linux-lts-saucy (Ubuntu Wily)
   Importance: Undecided => High

** Changed in: linux-lts-saucy (Ubuntu Xenial)
   Status: New => Invalid

** Changed in: linux-lts-saucy (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: linux-lts-saucy (Ubuntu Trusty)
   Status: New => Invalid

** Changed in: linux-lts-saucy (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: linux-manta (Ubuntu Precise)
   Status: New => Invalid

[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-14 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/trusty-security/linux-lts-vivid

** Branch linked: lp:ubuntu/trusty-updates/linux-lts-vivid

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1555338

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Committed
Status in linux-armadaxp package in Ubuntu:
  Invalid
Status in linux-keystone package in Ubuntu:
  Invalid
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Released
Status in linux-armadaxp source package in Precise:
  Fix Committed
Status in linux-keystone source package in Precise:
  Invalid
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux source package in Trusty:
  Fix Released
Status in linux-armadaxp source package in Trusty:
  Invalid
Status in linux-keystone source package in Trusty:
  Fix Committed
Status in linux-lts-utopic source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Released
Status in linux-armadaxp source package in Vivid:
  Invalid
Status in linux-keystone source package in Vivid:
  Invalid
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux source package in Wily:
  Fix Released
Status in linux-armadaxp source package in Wily:
  Invalid
Status in linux-keystone source package in Wily:
  Invalid
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux source package in Xenial:
  Fix Committed
Status in linux-armadaxp source package in Xenial:
  Invalid
Status in linux-keystone source package in Xenial:
  Invalid
Status in linux-lts-utopic source package in Xenial:
  Invalid

Bug description:
  [Impact]
  [From https://code.google.com/p/google-security-research/issues/detail?id=758]

  A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE
  ioctl in the netfilter code for iptables support. This ioctl can be
  triggered by an unprivileged user on PF_INET sockets when unprivileged
  user namespaces are available (CONFIG_USER_NS=y). Android does not
  enable this option, but desktop/server distributions and Chrome OS
  will commonly enable this to allow for containers support or
  sandboxing.

  In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
  is possible for a user-supplied ipt_entry structure to have a large
  next_offset field. This field is not bounds checked prior to writing a
  counter value at the supplied offset:

  newpos = pos + e->next_offset;
  ...
  e = (struct ipt_entry *) (entry0 + newpos);
  e->counters.pcnt = pos;

  This means that an out of bounds 32-bit write can occur in a 64kb
  range from the allocated heap entry, with a controlled offset and a
  partially controlled write value ("pos") or zero. The attached proof-
  of-concept (netfilter_setsockopt_v3.c) triggers the corruption
  multiple times to set adjacent heap structures to zero.

  This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It
  appears that a similar codepath is accessible via
  arp_tables.c/ARPT_SO_SET_REPLACE as well.

  [Fix]
  http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150

  [Test Case]
  Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758
  gcc net*v3.c -o v3
  ./v3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
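
Added example, not part of the bug report and not the kernel patch linked under [Fix]: a user-space C model of the missing next_offset bounds check described above, which validates every entry before any traversal uses its offsets. struct demo_entry, validate_blob and the two-entry sample blob are constructed for illustration; the real structure is struct ipt_entry.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for struct ipt_entry: only the fields the report
 * names, with next_offset kept 16 bits wide (hence the 64kb reach). */
struct demo_entry {
    uint16_t target_offset;
    uint16_t next_offset;   /* user supplied: distance to the next entry */
    uint32_t comefrom;
    uint64_t pcnt;          /* stands in for counters.pcnt */
};

/* The arithmetic from the report with no validation: returns the offset
 * the traversal would treat as the next entry. Nothing is written here. */
size_t unchecked_newpos(const unsigned char *entry0, size_t pos)
{
    struct demo_entry e;
    memcpy(&e, entry0 + pos, sizeof(e));
    return pos + e.next_offset;
}

/* Reject the blob unless every entry lies fully inside [0, size).
 * Returns 0 when all offsets are in bounds, -1 otherwise. */
int validate_blob(const unsigned char *entry0, size_t size)
{
    size_t pos = 0;

    while (pos < size) {
        struct demo_entry e;

        if (size - pos < sizeof(e))
            return -1;                      /* header itself must fit */
        memcpy(&e, entry0 + pos, sizeof(e));
        if (e.next_offset < sizeof(e))
            return -1;                      /* zero or overlapping step */
        if (e.next_offset > size - pos)
            return -1;                      /* next entry past the end */
        if (e.next_offset % _Alignof(struct demo_entry))
            return -1;                      /* misaligned next entry */
        if (e.target_offset < sizeof(e) || e.target_offset > e.next_offset)
            return -1;                      /* target outside this entry */
        pos += e.next_offset;
    }
    return 0;
}

enum { STEP = sizeof(struct demo_entry) + 8 };  /* header + 8 payload bytes */
static unsigned char sample[2 * STEP];

/* Constructed input: two entries; the second one's next_offset is the
 * attacker-influenced value under test. */
static size_t build_sample(uint16_t second_next)
{
    struct demo_entry e = { .target_offset = sizeof(struct demo_entry),
                            .next_offset = STEP };

    memset(sample, 0, sizeof(sample));
    memcpy(sample, &e, sizeof(e));
    e.next_offset = second_next;
    memcpy(sample + STEP, &e, sizeof(e));
    return sizeof(sample);
}

/* Verdict of the validator for a given second-entry next_offset. */
int sample_verdict(uint16_t second_next)
{
    size_t size = build_sample(second_next);
    return validate_blob(sample, size);
}

/* Where the unchecked arithmetic would land for the same input. */
size_t sample_newpos(uint16_t second_next)
{
    build_sample(second_next);
    return unchecked_newpos(sample, STEP);
}

int main(void)
{
    const uint16_t tests[] = { STEP, 0, 16, 32, 0xFFF0 };

    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++)
        printf("next_offset=%5u  blob=%zu bytes  unchecked newpos=%zu  verdict=%d\n",
               (unsigned)tests[i], sizeof(sample),
               sample_newpos(tests[i]), sample_verdict(tests[i]));
    return 0;
}
```

Only the well-formed value passes; a next_offset that is too small, leaves a partial trailing entry, or points past the end of the blob is rejected before any counter write could use it.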


[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-14 Thread Launchpad Bug Tracker
This bug was fixed in the package linux-lts-utopic -
3.16.0-67.87~14.04.1

---
linux-lts-utopic (3.16.0-67.87~14.04.1) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1555847

  [ Florian Westphal ]

  * SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving
    userspace
    - LP: #1555338

linux-lts-utopic (3.16.0-66.86~14.04.1) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
- LP: #1555277

  [ Upstream Kernel Changes ]

  * Revert "drm/radeon: call hpd_irq_event on resume"
- LP: #1554608

linux-lts-utopic (3.16.0-65.85~14.04.1) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
- LP: #1552352

  [ Upstream Kernel Changes ]

  * Revert "firmware: dmi_scan: Fix UUID endianness for SMBIOS >= 2.6"
- LP: #1551419

linux-lts-utopic (3.16.0-64.84~14.04.1) trusty; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
- LP: #1550605

  [ Kamal Mostafa ]

  * Merged back 3.16.0-63.83~14.04.1

linux-lts-utopic (3.16.0-63.83~14.04.1) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
- LP: #1548934

  [ Dan Streetman ]

  * SAUCE: nbd: ratelimit error msgs after socket close
- LP: #1505564

  [ Upstream Kernel Changes ]

  * Revert "workqueue: make sure delayed work run in local cpu"
- LP: #1546320
  * drm/nouveau/nv46: Change mc subdev oclass from nv44 to nv4c
- LP: #1543126
  * veth: don’t modify ip_summed; doing so treats packets with bad
checksums as good.
- LP: #1543126
  * sctp: sctp should release assoc when sctp_make_abort_user return NULL
in sctp_close
- LP: #1543126
  * connector: bump skb->users before callback invocation
- LP: #1543126
  * unix: properly account for FDs passed over unix sockets
- LP: #1543126
  * bridge: Only call /sbin/bridge-stp for the initial network namespace
- LP: #1543126
  * vxlan: fix test which detect duplicate vxlan iface
- LP: #1543126
  * net: sctp: prevent writes to cookie_hmac_alg from accessing invalid
memory
- LP: #1543126
  * tcp_yeah: don't set ssthresh below 2
- LP: #1543126
  * bonding: Prevent IPv6 link local address on enslaved devices
- LP: #1543126
  * phonet: properly unshare skbs in phonet_rcv()
- LP: #1543126
  * net: bpf: reject invalid shifts
- LP: #1543126
  * ipv6: update skb->csum when CE mark is propagated
- LP: #1543126
  * team: Replace rcu_read_lock with a mutex in team_vlan_rx_kill_vid
- LP: #1543126
  * xen-netback: respect user provided max_queues
- LP: #1543126
  * xen-netfront: respect user provided max_queues
- LP: #1543126
  * xen-netfront: print correct number of queues
- LP: #1543126
  * xen-netfront: update num_queues to real created
- LP: #1543126
  * sctp: Prevent soft lockup when sctp_accept() is called during a timeout
event
- LP: #1543126
  * sctp: convert sack_needed and sack_generation to bits
- LP: #1543126
  * sctp: start t5 timer only when peer rwnd is 0 and local state is
SHUTDOWN_PENDING
- LP: #1543126
  * nfs: Fix unused variable error
- LP: #1543126
  * [media] gspca: ov534/topro: prevent a division by 0
- LP: #1543126
  * [media] media: dvb-core: Don't force CAN_INVERSION_AUTO in oneshot mode
- LP: #1543126
  * tools lib traceevent: Fix output of %llu for 64 bit values read on 32
bit machines
- LP: #1543126
  * KVM: x86: expose MSR_TSC_AUX to userspace
- LP: #1543126
  * KVM: x86: correctly print #AC in traces
- LP: #1543126
  * drm/radeon: call hpd_irq_event on resume
- LP: #1543126
  * xhci: refuse loading if nousb is used
- LP: #1543126
  * arm64: Clear out any singlestep state on a ptrace detach operation
- LP: #1543126
  * time: Avoid signed overflow in timekeeping_get_ns()
- LP: #1543126
  * Bluetooth: Add support of Toshiba Broadcom based devices
- LP: #1522949, #1543126
  * rtlwifi: fix memory leak for USB device
- LP: #1543126
  * wlcore/wl12xx: spi: fix oops on firmware load
- LP: #1543126
  * EDAC: Fix the leak of mci->bus->name when bus_register fails
- LP: #1543126
  * EDAC, mc_sysfs: Fix freeing bus' name
- LP: #1543126
  * EDAC: Robustify workqueues destruction
- LP: #1543126
  * arm64: mm: ensure that the zero page is visible to the page table
walker
- LP: #1543126
  * powerpc: Make value-returning atomics fully ordered
- LP: #1543126
  * powerpc: Make {cmp}xchg* and their atomic_ versions fully ordered
- LP: #1543126
  * dm space map metadata: remove unused variable in brb_pop()
- LP: #1543126
  * dm thin: fix race condition when destroying thin pool workqueue
- LP: #1543126
  * futex: Drop refcount if requeue_pi() acquired the rtmutex
- LP: #1543126
  * arm64: mdscr_el1: avoid exposing DCC to userspace
- LP: #1543126
  * arm64: kernel: enforce pmuserenr_el0 initialization and restore
- LP: #1543126
  * drm/radeon: clean up fujitsu quirks
- LP: #1543126
  * mmc: sdio: Fix 

[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-14 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 3.13.0-83.127

---
linux (3.13.0-83.127) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1555839

  [ Florian Westphal ]

  * SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving
    userspace
    - LP: #1555338

linux (3.13.0-82.126) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
- LP: #1554732

  [ Upstream Kernel Changes ]

  * Revert "drm/radeon: call hpd_irq_event on resume"
- LP: #1554608
  * net: generic dev_disable_lro() stacked device handling
- LP: #1547680

linux (3.13.0-81.125) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
- LP: #1552316

  [ Upstream Kernel Changes ]

  * Revert "firmware: dmi_scan: Fix UUID endianness for SMBIOS >= 2.6"
- LP: #1551419
  * bcache: Fix a lockdep splat in an error path
- LP: #1551327

linux (3.13.0-80.124) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
- LP: #1548519

  [ Andy Whitcroft ]

  * [Debian] hv: hv_set_ifconfig -- convert to python3
- LP: #1506521
  * [Debian] hv: hv_set_ifconfig -- switch to approved indentation
- LP: #1540586
  * [Debian] hv: hv_set_ifconfig -- fix numerous parameter handling issues
- LP: #1540586

  [ Dan Streetman ]

  * SAUCE: nbd: ratelimit error msgs after socket close
- LP: #1505564

  [ Upstream Kernel Changes ]

  * Revert "workqueue: make sure delayed work run in local cpu"
- LP: #1546320
  * [media] gspca: ov534/topro: prevent a division by 0
- LP: #1542497
  * [media] media: dvb-core: Don't force CAN_INVERSION_AUTO in oneshot mode
- LP: #1542497
  * tools lib traceevent: Fix output of %llu for 64 bit values read on 32
bit machines
- LP: #1542497
  * KVM: x86: correctly print #AC in traces
- LP: #1542497
  * drm/radeon: call hpd_irq_event on resume
- LP: #1542497
  * xhci: refuse loading if nousb is used
- LP: #1542497
  * arm64: Clear out any singlestep state on a ptrace detach operation
- LP: #1542497
  * time: Avoid signed overflow in timekeeping_get_ns()
- LP: #1542497
  * rtlwifi: fix memory leak for USB device
- LP: #1542497
  * wlcore/wl12xx: spi: fix oops on firmware load
- LP: #1542497
  * EDAC, mc_sysfs: Fix freeing bus' name
- LP: #1542497
  * EDAC: Don't try to cancel workqueue when it's never setup
- LP: #1542497
  * EDAC: Robustify workqueues destruction
- LP: #1542497
  * powerpc: Make value-returning atomics fully ordered
- LP: #1542497
  * powerpc: Make {cmp}xchg* and their atomic_ versions fully ordered
- LP: #1542497
  * dm space map metadata: remove unused variable in brb_pop()
- LP: #1542497
  * dm thin: fix race condition when destroying thin pool workqueue
- LP: #1542497
  * futex: Drop refcount if requeue_pi() acquired the rtmutex
- LP: #1542497
  * drm/radeon: clean up fujitsu quirks
- LP: #1542497
  * mmc: sdio: Fix invalid vdd in voltage switch power cycle
- LP: #1542497
  * mmc: sdhci: Fix sdhci_runtime_pm_bus_on/off()
- LP: #1542497
  * udf: limit the maximum number of indirect extents in a row
- LP: #1542497
  * nfs: Fix race in __update_open_stateid()
- LP: #1542497
  * USB: cp210x: add ID for ELV Marble Sound Board 1
- LP: #1542497
  * NFSv4: Don't perform cached access checks before we've OPENed the file
- LP: #1542497
  * NFS: Fix attribute cache revalidation
- LP: #1542497
  * posix-clock: Fix return code on the poll method's error path
- LP: #1542497
  * rtlwifi: rtl8192de: Fix incorrect module parameter descriptions
- LP: #1542497
  * rtlwifi: rtl8192se: Fix module parameter initialization
- LP: #1542497
  * rtlwifi: rtl8192ce: Fix handling of module parameters
- LP: #1542497
  * rtlwifi: rtl8192cu: Add missing parameter setup
- LP: #1542497
  * bcache: fix a livelock when we cause a huge number of cache misses
- LP: #1542497
  * bcache: Add a cond_resched() call to gc
- LP: #1542497
  * bcache: clear BCACHE_DEV_UNLINK_DONE flag when attaching a backing
device
- LP: #1542497
  * bcache: fix a leak in bch_cached_dev_run()
- LP: #1542497
  * bcache: unregister reboot notifier if bcache fails to unregister device
- LP: #1542497
  * bcache: add mutex lock for bch_is_open
- LP: #1542497
  * bcache: allows use of register in udev to avoid "device_busy" error.
- LP: #1542497
  * bcache: Change refill_dirty() to always scan entire disk if necessary
- LP: #1542497
  * wlcore/wl12xx: spi: fix NULL pointer dereference (Oops)
- LP: #1542497
  * Input: i8042 - add Fujitsu Lifebook U745 to the nomux list
- LP: #1542497
  * libxfs: pack the agfl header structure so XFS_AGFL_SIZE is correct
- LP: #1542497
  * x86/xen: don't reset vcpu_info on a cancelled suspend
- LP: #1542497
  * udf: Prevent buffer overrun with multi-byte characters
- LP: #1542497
  * udf: Check output buffer length when converting name to CS0
- LP: #1542497
 

[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-14 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 3.19.0-56.62

---
linux (3.19.0-56.62) vivid; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1555832

  [ Florian Westphal ]

  * SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving
    userspace
    - LP: #1555338

linux (3.19.0-55.61) vivid; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
- LP: #1554708

  [ Upstream Kernel Changes ]

  * Revert "drm/radeon: call hpd_irq_event on resume"
- LP: #1554608

linux (3.19.0-54.60) vivid; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
- LP: #1552337

  [ Upstream Kernel Changes ]

  * Revert "firmware: dmi_scan: Fix UUID endianness for SMBIOS >= 2.6"
- LP: #1551419

linux (3.19.0-53.59) vivid; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
- LP: #1550576

  [ Kamal Mostafa ]

  * Merged back 3.19.0-52.58

linux (3.19.0-52.58) vivid; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
- LP: #1548548

  [ Dan Streetman ]

  * SAUCE: nbd: ratelimit error msgs after socket close
- LP: #1505564

  [ Upstream Kernel Changes ]

  * Revert "ACPI / LPSS: allow to use specific PM domain during ->probe()"
- LP: #1542457
  * Revert "workqueue: make sure delayed work run in local cpu"
- LP: #1546320
  * net: ipmr: fix static mfc/dev leaks on table destruction
- LP: #1542457
  * drm/nouveau/nv46: Change mc subdev oclass from nv44 to nv4c
- LP: #1542457
  * ovl: allow zero size xattr
- LP: #1542457
  * ovl: use a minimal buffer in ovl_copy_xattr
- LP: #1542457
  * [media] vb2: fix a regression in poll() behavior for output,streams
- LP: #1542457
  * [media] gspca: ov534/topro: prevent a division by 0
- LP: #1542457
  * [media] media: dvb-core: Don't force CAN_INVERSION_AUTO in oneshot mode
- LP: #1542457
  * tools lib traceevent: Fix output of %llu for 64 bit values read on 32
bit machines
- LP: #1542457
  * KVM: x86: expose MSR_TSC_AUX to userspace
- LP: #1542457
  * KVM: x86: correctly print #AC in traces
- LP: #1542457
  * drm/radeon: call hpd_irq_event on resume
- LP: #1542457
  * xhci: refuse loading if nousb is used
- LP: #1542457
  * arm64: Clear out any singlestep state on a ptrace detach operation
- LP: #1542457
  * time: Avoid signed overflow in timekeeping_get_ns()
- LP: #1542457
  * ovl: root: copy attr
- LP: #1542457
  * Bluetooth: Add support of Toshiba Broadcom based devices
- LP: #1522949, #1542457
  * rtlwifi: fix memory leak for USB device
- LP: #1542457
  * wlcore/wl12xx: spi: fix oops on firmware load
- LP: #1542457
  * ovl: check dentry positiveness in ovl_cleanup_whiteouts()
- LP: #1542457
  * EDAC, mc_sysfs: Fix freeing bus' name
- LP: #1542457
  * EDAC: Robustify workqueues destruction
- LP: #1542457
  * arm64: mm: ensure that the zero page is visible to the page table
walker
- LP: #1542457
  * powerpc: Make value-returning atomics fully ordered
- LP: #1542457
  * powerpc: Make {cmp}xchg* and their atomic_ versions fully ordered
- LP: #1542457
  * dm space map metadata: remove unused variable in brb_pop()
- LP: #1542457
  * dm thin: fix race condition when destroying thin pool workqueue
- LP: #1542457
  * futex: Drop refcount if requeue_pi() acquired the rtmutex
- LP: #1542457
  * arm64: mdscr_el1: avoid exposing DCC to userspace
- LP: #1542457
  * arm64: kernel: enforce pmuserenr_el0 initialization and restore
- LP: #1542457
  * drm/radeon: Fix off-by-one errors in radeon_vm_bo_set_addr
- LP: #1542457
  * drm/radeon: clean up fujitsu quirks
- LP: #1542457
  * mmc: sdio: Fix invalid vdd in voltage switch power cycle
- LP: #1542457
  * mmc: sdhci: Fix DMA descriptor with zero data length
- LP: #1542457
  * mmc: sdhci: Fix sdhci_runtime_pm_bus_on/off()
- LP: #1542457
  * udf: limit the maximum number of indirect extents in a row
- LP: #1542457
  * [media] rc: sunxi-cir: Initialize the spinlock properly
- LP: #1542457
  * nfs: Fix race in __update_open_stateid()
- LP: #1542457
  * USB: cp210x: add ID for ELV Marble Sound Board 1
- LP: #1542457
  * NFSv4: Don't perform cached access checks before we've OPENed the file
- LP: #1542457
  * NFS: Ensure we revalidate attributes before using execute_ok()
- LP: #1542457
  * Thermal: initialize thermal zone device correctly
- LP: #1542457
  * Thermal: handle thermal zone device properly during system sleep
- LP: #1542457
  * Thermal: do thermal zone update after a cooling device registered
- LP: #1542457
  * posix-clock: Fix return code on the poll method's error path
- LP: #1542457
  * rtlwifi: rtl8723be: Fix module parameter initialization
- LP: #1542457
  * rtlwifi: rtl8723ae: Fix initialization of module parameters
- LP: #1542457
  * rtlwifi: rtl8821ae: Fix errors in parameter initialization
- LP: #1542457
  * rtlwifi: rtl8188ee: Fix module parameter initialization

[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-14 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 3.2.0-101.141

---
linux (3.2.0-101.141) precise; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1555809

  [ Florian Westphal ]

  * SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving
    userspace
    - LP: #1555338

linux (3.2.0-100.140) precise; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
- LP: #1548504

  [ Upstream Kernel Changes ]

  * veth: don’t modify ip_summed; doing so treats packets with bad
checksums as good.
- LP: #1547207
  * ALSA: usb-audio: avoid freeing umidi object twice
- LP: #1546177
- CVE-2016-2384

 -- Brad Figg   Thu, 10 Mar 2016 13:05:32 -0800

** Changed in: linux (Ubuntu Precise)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1555338

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Committed
Status in linux-armadaxp package in Ubuntu:
  Invalid
Status in linux-keystone package in Ubuntu:
  Invalid
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Released
Status in linux-armadaxp source package in Precise:
  Fix Committed
Status in linux-keystone source package in Precise:
  Invalid
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux source package in Trusty:
  Fix Committed
Status in linux-armadaxp source package in Trusty:
  Invalid
Status in linux-keystone source package in Trusty:
  Fix Committed
Status in linux-lts-utopic source package in Trusty:
  Fix Committed
Status in linux source package in Vivid:
  Fix Committed
Status in linux-armadaxp source package in Vivid:
  Invalid
Status in linux-keystone source package in Vivid:
  Invalid
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux source package in Wily:
  Fix Released
Status in linux-armadaxp source package in Wily:
  Invalid
Status in linux-keystone source package in Wily:
  Invalid
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux source package in Xenial:
  Fix Committed
Status in linux-armadaxp source package in Xenial:
  Invalid
Status in linux-keystone source package in Xenial:
  Invalid
Status in linux-lts-utopic source package in Xenial:
  Invalid



[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-14 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.2.0-34.39

---
linux (4.2.0-34.39) wily; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1555821

  [ Florian Westphal ]

  * SAUCE: [nf] netfilter: x_tables: check for size overflow
    - LP: #1555353
  * SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving
    userspace
    - LP: #1555338

linux (4.2.0-33.38) wily; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
- LP: #1554649

  [ Upstream Kernel Changes ]

  * Revert "drm/radeon: call hpd_irq_event on resume"
- LP: #1554608
  * cxl: Fix PSL timebase synchronization detection
- LP: #1532914

linux (4.2.0-32.37) wily; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
- LP: #1550045

  [ Kamal Mostafa ]

  * Merged back Ubuntu-4.2.0-31.36

linux (4.2.0-31.36) wily; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
- LP: #1548579

  [ Andy Whitcroft ]

  * [Debian] hv: hv_set_ifconfig -- convert to python3
- LP: #1506521
  * [Debian] hv: hv_set_ifconfig -- switch to approved indentation
- LP: #1540586
  * [Debian] hv: hv_set_ifconfig -- fix numerous parameter handling issues
- LP: #1540586

  [ Carol L Soto ]

  * SAUCE: IB/IPoIB: Do not set skb truesize since using one linearskb
- LP: #1541326

  [ Dan Streetman ]

  * SAUCE: nbd: ratelimit error msgs after socket close
- LP: #1505564

  [ Tim Gardner ]

  * Revert "SAUCE: (noup) cxlflash: Fix to avoid virtual LUN failover
failure"
- LP: #1541635
  * Revert "SAUCE: (noup) cxlflash: Fix to escalate LINK_RESET also on port
1"
- LP: #1541635
  * [Config] ARMV8_DEPRECATED=y
- LP: #1545542

  [ Upstream Kernel Changes ]

  * x86/xen/p2m: hint at the last populated P2M entry
- LP: #1542941
  * mm: add dma_pool_zalloc() call to DMA API
- LP: #1543737
  * sctp: Prevent soft lockup when sctp_accept() is called during a timeout
event
- LP: #1543737
  * xen-netback: respect user provided max_queues
- LP: #1543737
  * xen-netfront: respect user provided max_queues
- LP: #1543737
  * xen-netfront: update num_queues to real created
- LP: #1543737
  * iio: adis_buffer: Fix out-of-bounds memory access
- LP: #1543737
  * KVM: PPC: Fix emulation of H_SET_DABR/X on POWER8
- LP: #1543737
  * KVM: PPC: Fix ONE_REG AltiVec support
- LP: #1543737
  * x86/irq: Call chip->irq_set_affinity in proper context
- LP: #1543737
  * drm/amdgpu: fix tonga smu resume
- LP: #1543737
  * perf kvm record/report: 'unprocessable sample' error while
recording/reporting guest data
- LP: #1543737
  * hrtimer: Handle remaining time proper for TIME_LOW_RES
- LP: #1543737
  * timerfd: Handle relative timers with CONFIG_TIME_LOW_RES proper
- LP: #1543737
  * posix-timers: Handle relative timers with CONFIG_TIME_LOW_RES proper
- LP: #1543737
  * itimers: Handle relative timers with CONFIG_TIME_LOW_RES proper
- LP: #1543737
  * drm/amdgpu: Use drm_calloc_large for VM page_tables array
- LP: #1543737
  * drm/amdgpu: fix amdgpu_bo_pin_restricted VRAM placing v2
- LP: #1543737
  * drm/radeon: properly byte swap vce firmware setup
- LP: #1543737
  * ACPI: Revert "ACPI / video: Add Dell Inspiron 5737 to the blacklist"
- LP: #1543737
  * ACPI / PCI / hotplug: unlock in error path in acpiphp_enable_slot()
- LP: #1543737
  * hwmon: (dell-smm) Blacklist Dell Studio XPS 8000
- LP: #1543737
  * usb: cdc-acm: handle unlinked urb in acm read callback
- LP: #1543737
  * usb: cdc-acm: send zero packet for intel 7260 modem
- LP: #1543737
  * cdc-acm:exclude Samsung phone 04e8:685d
- LP: #1543737
  * usb: hub: do not clear BOS field during reset device
- LP: #1543737
  * USB: cp210x: add ID for IAI USB to RS485 adaptor
- LP: #1543737
  * USB: visor: fix null-deref at probe
- LP: #1543737
  * USB: serial: visor: fix crash on detecting device without write_urbs
- LP: #1543737
  * USB: serial: option: Adding support for Telit LE922
- LP: #1543737
  * ALSA: seq: Fix incorrect sanity check at snd_seq_oss_synth_cleanup()
- LP: #1543737
  * ALSA: seq: Degrade the error message for too many opens
- LP: #1543737
  * USB: serial: ftdi_sio: add support for Yaesu SCU-18 cable
- LP: #1543737
  * arm64: kernel: fix architected PMU registers unconditional access
- LP: #1543737
  * USB: option: fix Cinterion AHxx enumeration
- LP: #1543737
  * ALSA: compress: Disable GET_CODEC_CAPS ioctl for some architectures
- LP: #1543737
  * ALSA: usb-audio: Fix TEAC UD-501/UD-503/NT-503 usb delay
- LP: #1543737
  * virtio_pci: fix use after free on release
- LP: #1543737
  * ALSA: bebob: Use a signed return type for get_formation_index
- LP: #1543737
  * arm64: errata: Add -mpc-relative-literal-loads to build flags
- LP: #1533009, #1543737
  * arm64: mm: avoid calling apply_to_page_range on empty range
- LP: #1543737
  * x86/mm: Fix types used in pgprot 

[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-14 Thread Steve Beattie
This has been assigned CVE-2016-3134
( http://www.openwall.com/lists/oss-security/2016/03/14/1 ).

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3134

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1555338

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Committed
Status in linux-armadaxp package in Ubuntu:
  Invalid
Status in linux-keystone package in Ubuntu:
  Invalid
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Committed
Status in linux-armadaxp source package in Precise:
  Fix Committed
Status in linux-keystone source package in Precise:
  Invalid
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux source package in Trusty:
  Fix Committed
Status in linux-armadaxp source package in Trusty:
  Invalid
Status in linux-keystone source package in Trusty:
  Fix Committed
Status in linux-lts-utopic source package in Trusty:
  Fix Committed
Status in linux source package in Vivid:
  Fix Committed
Status in linux-armadaxp source package in Vivid:
  Invalid
Status in linux-keystone source package in Vivid:
  Invalid
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux source package in Wily:
  Fix Committed
Status in linux-armadaxp source package in Wily:
  Invalid
Status in linux-keystone source package in Wily:
  Invalid
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux source package in Xenial:
  Fix Committed
Status in linux-armadaxp source package in Xenial:
  Invalid
Status in linux-keystone source package in Xenial:
  Invalid
Status in linux-lts-utopic source package in Xenial:
  Invalid

Bug description:
  [Impact]
  [From https://code.google.com/p/google-security-research/issues/detail?id=758]

  A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE
  ioctl in the netfilter code for iptables support. This ioctl can be
  triggered by an unprivileged user on PF_INET sockets when unprivileged
  user namespaces are available (CONFIG_USER_NS=y). Android does not
  enable this option, but desktop/server distributions and Chrome OS
  will commonly enable this to allow for containers support or
  sandboxing.

  In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
  is possible for a user-supplied ipt_entry structure to have a large
  next_offset field. This field is not bounds checked prior to writing a
  counter value at the supplied offset:

  newpos = pos + e->next_offset;
  ...
  e = (struct ipt_entry *) (entry0 + newpos);
  e->counters.pcnt = pos;

  This means that an out of bounds 32-bit write can occur in a 64kb
  range from the allocated heap entry, with a controlled offset and a
  partially controlled write value ("pos") or zero. The attached proof-
  of-concept (netfilter_setsockopt_v3.c) triggers the corruption
  multiple times to set adjacent heap structures to zero.

  This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It
  appears that a similar codepath is accessible via
  arp_tables.c/ARPT_SO_SET_REPLACE as well.

  [Fix]
  http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150

  [Test Case]
  Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758
  gcc net*v3.c -o v3
  ./v3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
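
An added example, not part of the original report and not the kernel fix: a userspace C model of the bounds check that the bug description says is missing before the counter write. `struct model_entry` is a simplified stand-in for `struct ipt_entry` (assumed layout), all function names are hypothetical, and the sample blobs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for struct ipt_entry (assumption: not the kernel layout). */
struct model_entry {
    uint16_t target_offset; /* kept only to mirror the shape of the real header */
    uint16_t next_offset;   /* user-supplied distance to the next entry */
    uint32_t pad;
    uint64_t pcnt;          /* counter field the walk overwrites with "pos" */
};

/* Build a constructed blob of n back-to-back entries carrying the given next_offset values. */
size_t build_blob(unsigned char *buf, size_t cap, const uint16_t *next, size_t n)
{
    size_t pos = 0;
    memset(buf, 0, cap);
    for (size_t i = 0; i < n && cap - pos >= sizeof(struct model_entry); i++) {
        struct model_entry e = {0};
        e.target_offset = sizeof(e);
        e.next_offset = next[i];
        memcpy(buf + pos, &e, sizeof(e));
        pos += sizeof(e);
    }
    return pos;
}

/* Offset at which the unchecked walk would write for the entry at pos.
 * Only computed here, never dereferenced. */
size_t unchecked_write_offset(const unsigned char *blob, size_t pos)
{
    struct model_entry e;
    memcpy(&e, blob + pos, sizeof(e));
    return pos + e.next_offset + offsetof(struct model_entry, pcnt);
}

/* Validate every entry before any walk writes through next_offset.
 * Returns 0 if the blob is well-formed, -1 otherwise. */
int validate_entries(const unsigned char *blob, size_t size)
{
    size_t pos = 0;
    if (size < sizeof(struct model_entry))
        return -1;
    while (pos < size) {
        struct model_entry e;
        if (size - pos < sizeof(e))
            return -1;                      /* truncated header */
        memcpy(&e, blob + pos, sizeof(e));
        if (e.next_offset < sizeof(e))
            return -1;                      /* zero or tiny: walk would not advance */
        if (e.next_offset % sizeof(uint64_t) != 0)
            return -1;                      /* next entry would be misaligned */
        if (e.next_offset > size - pos)
            return -1;                      /* next entry starts beyond the blob */
        pos += e.next_offset;
    }
    return 0;
}

/* Read back the counter of the entry at pos. */
uint64_t read_pcnt(const unsigned char *blob, size_t pos)
{
    uint64_t v;
    memcpy(&v, blob + pos + offsetof(struct model_entry, pcnt), sizeof(v));
    return v;
}

/* Checked walk: store in each following entry the position it was reached from.
 * Returns the number of entries marked, or -1 if validation rejects the blob. */
int mark_chain_checked(unsigned char *blob, size_t size)
{
    size_t pos = 0;
    int marked = 0;
    if (validate_entries(blob, size) != 0)
        return -1;
    for (;;) {
        struct model_entry e;
        uint64_t back = pos;
        size_t newpos;
        memcpy(&e, blob + pos, sizeof(e));
        newpos = pos + e.next_offset;
        if (newpos >= size)
            break;                          /* last entry reached */
        memcpy(blob + newpos + offsetof(struct model_entry, pcnt), &back, sizeof(back));
        pos = newpos;
        marked++;
    }
    return marked;
}

int main(void)
{
    unsigned char good[48], bad[48];
    const uint16_t good_next[] = {16, 16, 16};
    const uint16_t bad_next[]  = {16, 0xFFF0, 16};   /* second entry points far past the blob */

    build_blob(good, sizeof(good), good_next, 3);
    build_blob(bad, sizeof(bad), bad_next, 3);

    printf("good: marked=%d\n", mark_chain_checked(good, sizeof(good)));
    printf("bad:  marked=%d, unchecked write would land at offset %zu of %zu\n",
           mark_chain_checked(bad, sizeof(bad)),
           unchecked_write_offset(bad, 16), sizeof(bad));
    return 0;
}
```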


[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-13 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/trusty-proposed/linux-lts-xenial

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1555338

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Committed
Status in linux-armadaxp package in Ubuntu:
  Invalid
Status in linux-keystone package in Ubuntu:
  Invalid
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Committed
Status in linux-armadaxp source package in Precise:
  Fix Committed
Status in linux-keystone source package in Precise:
  Invalid
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux source package in Trusty:
  Fix Committed
Status in linux-armadaxp source package in Trusty:
  Invalid
Status in linux-keystone source package in Trusty:
  Fix Committed
Status in linux-lts-utopic source package in Trusty:
  Fix Committed
Status in linux source package in Vivid:
  Fix Committed
Status in linux-armadaxp source package in Vivid:
  Invalid
Status in linux-keystone source package in Vivid:
  Invalid
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux source package in Wily:
  Fix Committed
Status in linux-armadaxp source package in Wily:
  Invalid
Status in linux-keystone source package in Wily:
  Invalid
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux source package in Xenial:
  Fix Committed
Status in linux-armadaxp source package in Xenial:
  Invalid
Status in linux-keystone source package in Xenial:
  Invalid
Status in linux-lts-utopic source package in Xenial:
  Invalid



[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-12 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/trusty-proposed/linux-lts-wily

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1555338

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Committed
Status in linux-armadaxp package in Ubuntu:
  Invalid
Status in linux-keystone package in Ubuntu:
  Invalid
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Committed
Status in linux-armadaxp source package in Precise:
  Fix Committed
Status in linux-keystone source package in Precise:
  Invalid
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux source package in Trusty:
  Fix Committed
Status in linux-armadaxp source package in Trusty:
  Invalid
Status in linux-keystone source package in Trusty:
  Fix Committed
Status in linux-lts-utopic source package in Trusty:
  Fix Committed
Status in linux source package in Vivid:
  Fix Committed
Status in linux-armadaxp source package in Vivid:
  Invalid
Status in linux-keystone source package in Vivid:
  Invalid
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux source package in Wily:
  Fix Committed
Status in linux-armadaxp source package in Wily:
  Invalid
Status in linux-keystone source package in Wily:
  Invalid
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux source package in Xenial:
  Fix Committed
Status in linux-armadaxp source package in Xenial:
  Invalid
Status in linux-keystone source package in Xenial:
  Invalid
Status in linux-lts-utopic source package in Xenial:
  Invalid



[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-12 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/trusty-proposed/linux-lts-vivid

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1555338

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Committed
Status in linux-armadaxp package in Ubuntu:
  Invalid
Status in linux-keystone package in Ubuntu:
  Invalid
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Committed
Status in linux-armadaxp source package in Precise:
  Fix Committed
Status in linux-keystone source package in Precise:
  Invalid
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux source package in Trusty:
  Fix Committed
Status in linux-armadaxp source package in Trusty:
  Invalid
Status in linux-keystone source package in Trusty:
  Fix Committed
Status in linux-lts-utopic source package in Trusty:
  Fix Committed
Status in linux source package in Vivid:
  Fix Committed
Status in linux-armadaxp source package in Vivid:
  Invalid
Status in linux-keystone source package in Vivid:
  Invalid
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux source package in Wily:
  Fix Committed
Status in linux-armadaxp source package in Wily:
  Invalid
Status in linux-keystone source package in Wily:
  Invalid
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux source package in Xenial:
  Fix Committed
Status in linux-armadaxp source package in Xenial:
  Invalid
Status in linux-keystone source package in Xenial:
  Invalid
Status in linux-lts-utopic source package in Xenial:
  Invalid



[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-12 Thread Andy Whitcroft
** Also affects: linux-keystone (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux-armadaxp (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: linux-keystone (Ubuntu Xenial)
   Status: New => Invalid

** Changed in: linux-keystone (Ubuntu Precise)
   Status: New => Invalid

** Changed in: linux-keystone (Ubuntu Wily)
   Status: New => Invalid

** Changed in: linux-armadaxp (Ubuntu Vivid)
   Status: New => Invalid

** Changed in: linux-armadaxp (Ubuntu Trusty)
   Status: New => Invalid

** Changed in: linux-keystone (Ubuntu Vivid)
   Status: New => Invalid

** Changed in: linux-armadaxp (Ubuntu)
   Status: New => Invalid

** Changed in: linux-armadaxp (Ubuntu Wily)
   Status: New => Invalid

** Changed in: linux-keystone (Ubuntu Trusty)
   Status: New => Fix Committed

** Changed in: linux-armadaxp (Ubuntu Precise)
   Status: New => Fix Committed

** Changed in: linux-keystone (Ubuntu Trusty)
   Importance: Undecided => Critical

** Changed in: linux-armadaxp (Ubuntu Precise)
   Importance: Undecided => Critical

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-lts-utopic in Ubuntu.
https://bugs.launchpad.net/bugs/1555338

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Committed
Status in linux-armadaxp package in Ubuntu:
  Invalid
Status in linux-keystone package in Ubuntu:
  Invalid
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Committed
Status in linux-armadaxp source package in Precise:
  Fix Committed
Status in linux-keystone source package in Precise:
  Invalid
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux source package in Trusty:
  Fix Committed
Status in linux-armadaxp source package in Trusty:
  Invalid
Status in linux-keystone source package in Trusty:
  Fix Committed
Status in linux-lts-utopic source package in Trusty:
  Fix Committed
Status in linux source package in Vivid:
  Fix Committed
Status in linux-armadaxp source package in Vivid:
  Invalid
Status in linux-keystone source package in Vivid:
  Invalid
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux source package in Wily:
  Fix Committed
Status in linux-armadaxp source package in Wily:
  Invalid
Status in linux-keystone source package in Wily:
  Invalid
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux source package in Xenial:
  Fix Committed
Status in linux-armadaxp source package in Xenial:
  Invalid
Status in linux-keystone source package in Xenial:
  Invalid
Status in linux-lts-utopic source package in Xenial:
  Invalid



[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-11 Thread Andy Whitcroft
** Changed in: linux-lts-utopic (Ubuntu Trusty)
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-lts-utopic in Ubuntu.
https://bugs.launchpad.net/bugs/1555338

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Committed
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Committed
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux source package in Trusty:
  Fix Committed
Status in linux-lts-utopic source package in Trusty:
  Fix Committed
Status in linux source package in Vivid:
  Fix Committed
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux source package in Wily:
  Fix Committed
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux source package in Xenial:
  Fix Committed
Status in linux-lts-utopic source package in Xenial:
  Invalid



[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-10 Thread Andy Whitcroft
** Changed in: linux-lts-utopic (Ubuntu Trusty)
   Importance: Undecided => Critical

** Changed in: linux (Ubuntu Wily)
   Importance: Undecided => Critical

** Changed in: linux (Ubuntu Vivid)
   Importance: Undecided => Critical

** Changed in: linux (Ubuntu Trusty)
   Importance: Undecided => Critical

** Changed in: linux (Ubuntu Precise)
   Importance: Undecided => Critical

** Changed in: linux (Ubuntu Precise)
 Assignee: (unassigned) => Chris J Arges (arges)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-lts-utopic in Ubuntu.
https://bugs.launchpad.net/bugs/1555338

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Committed
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Committed
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux source package in Trusty:
  Fix Committed
Status in linux-lts-utopic source package in Trusty:
  In Progress
Status in linux source package in Vivid:
  Fix Committed
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux source package in Wily:
  Fix Committed
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux source package in Xenial:
  Fix Committed
Status in linux-lts-utopic source package in Xenial:
  Invalid



[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-10 Thread Steve Beattie
** Tags added: kernel-cve-skip-description

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-lts-utopic in Ubuntu.
https://bugs.launchpad.net/bugs/1555338

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Committed
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Committed
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux source package in Trusty:
  Fix Committed
Status in linux-lts-utopic source package in Trusty:
  In Progress
Status in linux source package in Vivid:
  Fix Committed
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux source package in Wily:
  Fix Committed
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux source package in Xenial:
  Fix Committed
Status in linux-lts-utopic source package in Xenial:
  Invalid



[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-10 Thread Brad Figg
** Changed in: linux (Ubuntu Vivid)
   Status: In Progress => Fix Committed

** Changed in: linux (Ubuntu Trusty)
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-lts-utopic in Ubuntu.
https://bugs.launchpad.net/bugs/1555338

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Committed
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Committed
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux source package in Trusty:
  Fix Committed
Status in linux-lts-utopic source package in Trusty:
  In Progress
Status in linux source package in Vivid:
  Fix Committed
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux source package in Wily:
  Fix Committed
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux source package in Xenial:
  Fix Committed
Status in linux-lts-utopic source package in Xenial:
  Invalid



[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-10 Thread Brad Figg
** Changed in: linux (Ubuntu Wily)
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-lts-utopic in Ubuntu.
https://bugs.launchpad.net/bugs/1555338

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Committed
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Committed
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux source package in Trusty:
  In Progress
Status in linux-lts-utopic source package in Trusty:
  In Progress
Status in linux source package in Vivid:
  In Progress
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux source package in Wily:
  Fix Committed
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux source package in Xenial:
  Fix Committed
Status in linux-lts-utopic source package in Xenial:
  Invalid

Bug description:
  [Impact]
  [From https://code.google.com/p/google-security-research/issues/detail?id=758]

  A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE
  ioctl in the netfilter code for iptables support. This ioctl can be
  triggered by an unprivileged user on PF_INET sockets when unprivileged
  user namespaces are available (CONFIG_USER_NS=y). Android does not
  enable this option, but desktop/server distributions and Chrome OS
  will commonly enable this to allow for containers support or
  sandboxing.

  In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
  is possible for a user-supplied ipt_entry structure to have a large
  next_offset field. This field is not bounds checked prior to writing a
  counter value at the supplied offset:

  newpos = pos + e->next_offset;
  ...
  e = (struct ipt_entry *) (entry0 + newpos);
  e->counters.pcnt = pos;

  This means that an out of bounds 32-bit write can occur in a 64kb
  range from the allocated heap entry, with a controlled offset and a
  partially controlled write value ("pos") or zero. The attached proof-
  of-concept (netfilter_setsockopt_v3.c) triggers the corruption
  multiple times to set adjacent heap structures to zero.

  This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It
  appears that a similar codepath is accessible via
  arp_tables.c/ARPT_SO_SET_REPLACE as well.

  [Fix]
  http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150

  [Test Case]
  Download v3 testcase from
  https://code.google.com/p/google-security-research/issues/detail?id=758
  gcc net*v3.c -o v3
  ./v3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
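
The missing bounds check described in the bug report above, as an added user-space sketch (not the kernel's code and not the linked netfilter patch). `struct model_entry`, `walk_checked` and the other names are hypothetical simplifications of `struct ipt_entry` and the `mark_source_chains` walk; the sample blob is constructed, and a guard region behind it confirms that nothing outside the blob is written.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for struct ipt_entry (NOT the kernel layout): only
 * the two fields the report discusses. */
struct model_entry {
    uint16_t next_offset; /* user-supplied distance to the next entry */
    uint16_t pad;
    uint32_t pcnt;        /* stands in for counters.pcnt (back pointer) */
};

#define ENTRY_SIZE sizeof(struct model_entry)
#define BLOB_SIZE  (3 * sizeof(struct model_entry))
#define GUARD_SIZE 64

/* Offset the unchecked pattern "entry0 + pos + e->next_offset" would write
 * to. The value is computed only, never dereferenced. */
size_t unchecked_write_pos(const unsigned char *entry0, size_t pos)
{
    struct model_entry e;
    memcpy(&e, entry0 + pos, ENTRY_SIZE);
    return pos + e.next_offset + offsetof(struct model_entry, pcnt);
}

/* 1 if a whole entry starting at pos fits inside a blob of `size` bytes. */
static int entry_fits(size_t size, size_t pos)
{
    return pos <= size && size - pos >= ENTRY_SIZE;
}

/* Walk the entry chain, storing the previous position in the next entry's
 * pcnt, but validate every offset before the write.
 * Returns the number of entries walked, or -1 if an offset is rejected. */
int walk_checked(unsigned char *entry0, size_t size)
{
    size_t pos = 0;
    int count = 0;

    if (!entry_fits(size, 0))
        return -1;
    for (;;) {
        struct model_entry e;
        size_t newpos;
        uint32_t back;

        memcpy(&e, entry0 + pos, ENTRY_SIZE);
        count++;
        if (e.next_offset < ENTRY_SIZE)   /* must step over this entry */
            return -1;
        if (e.next_offset > size - pos)   /* must not leave the blob */
            return -1;
        newpos = pos + e.next_offset;
        if (newpos == size)               /* clean end of table */
            return count;
        if (!entry_fits(size, newpos))    /* next entry would straddle the end */
            return -1;
        back = (uint32_t)pos;             /* in-bounds back-pointer write */
        memcpy(entry0 + newpos + offsetof(struct model_entry, pcnt),
               &back, sizeof back);
        pos = newpos;
    }
}

/* Constructed sample: three entries; the middle one carries second_next. */
static void fill_sample(unsigned char *blob, uint16_t second_next)
{
    struct model_entry e[3] = {
        { (uint16_t)ENTRY_SIZE, 0, 0 },
        { second_next, 0, 0 },
        { (uint16_t)ENTRY_SIZE, 0, 0 },
    };
    memcpy(blob, e, sizeof e);
}

/* Walk result for the sample, or -2 if any guard byte behind it changed. */
int run_sample(uint16_t second_next)
{
    unsigned char buf[BLOB_SIZE + GUARD_SIZE];
    size_t i;
    int rc;

    memset(buf, 0xAA, sizeof buf);
    fill_sample(buf, second_next);
    rc = walk_checked(buf, BLOB_SIZE);
    for (i = BLOB_SIZE; i < sizeof buf; i++)
        if (buf[i] != 0xAA)
            return -2;
    return rc;
}

/* Where the unchecked pattern would write for the sample's middle entry. */
size_t sample_unchecked_pos(uint16_t second_next)
{
    unsigned char buf[BLOB_SIZE];
    fill_sample(buf, second_next);
    return unchecked_write_pos(buf, ENTRY_SIZE);
}

int main(void)
{
    printf("well-formed table: %d entries\n", run_sample((uint16_t)ENTRY_SIZE));
    printf("next_offset=0xffff: rc=%d, unchecked write at byte %zu of %zu\n",
           run_sample(0xFFFF), sample_unchecked_pos(0xFFFF), (size_t)BLOB_SIZE);
    return 0;
}
```
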


[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-10 Thread Brad Figg
** Changed in: linux (Ubuntu Precise)
   Status: New => Fix Committed

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Committed
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Committed
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux source package in Trusty:
  In Progress
Status in linux-lts-utopic source package in Trusty:
  In Progress
Status in linux source package in Vivid:
  In Progress
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux source package in Wily:
  In Progress
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux source package in Xenial:
  Fix Committed
Status in linux-lts-utopic source package in Xenial:
  Invalid



[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-10 Thread Chris J Arges
** Changed in: linux (Ubuntu Trusty)
   Status: New => In Progress

** Changed in: linux (Ubuntu Trusty)
 Assignee: (unassigned) => Chris J Arges (arges)

** Changed in: linux (Ubuntu Vivid)
   Status: New => In Progress

** Changed in: linux-lts-utopic (Ubuntu Trusty)
   Status: New => In Progress

** Changed in: linux-lts-utopic (Ubuntu Trusty)
 Assignee: (unassigned) => Chris J Arges (arges)

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Committed
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  New
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux source package in Trusty:
  In Progress
Status in linux-lts-utopic source package in Trusty:
  In Progress
Status in linux source package in Vivid:
  In Progress
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux source package in Wily:
  In Progress
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux source package in Xenial:
  Fix Committed
Status in linux-lts-utopic source package in Xenial:
  Invalid



[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-10 Thread Tim Gardner
v2 of the patch
http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Committed
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  New
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux source package in Trusty:
  New
Status in linux-lts-utopic source package in Trusty:
  New
Status in linux source package in Vivid:
  New
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux source package in Wily:
  In Progress
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux source package in Xenial:
  Fix Committed
Status in linux-lts-utopic source package in Xenial:
  Invalid



[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-10 Thread Chris J Arges
** Changed in: linux (Ubuntu Vivid)
   Status: In Progress => New

** Changed in: linux-lts-utopic (Ubuntu Trusty)
   Status: In Progress => New

** Changed in: linux-lts-utopic (Ubuntu Trusty)
 Assignee: Chris J Arges (arges) => (unassigned)

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Committed
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  New
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux source package in Trusty:
  New
Status in linux-lts-utopic source package in Trusty:
  New
Status in linux source package in Vivid:
  New
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux source package in Wily:
  In Progress
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux source package in Xenial:
  Fix Committed
Status in linux-lts-utopic source package in Xenial:
  Invalid



[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-10 Thread Chris J Arges
** Changed in: linux (Ubuntu Vivid)
   Status: New => In Progress

** Changed in: linux (Ubuntu Vivid)
 Assignee: (unassigned) => Chris J Arges (arges)

** Changed in: linux-lts-utopic (Ubuntu Trusty)
   Status: New => In Progress

** Changed in: linux-lts-utopic (Ubuntu Trusty)
 Assignee: (unassigned) => Chris J Arges (arges)

** Description changed:

- [From https://code.google.com/p/google-security-
- research/issues/detail?id=758 ]
+ [Impact]
+ [From https://code.google.com/p/google-security-research/issues/detail?id=758 
]
  
  A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl
  in the netfilter code for iptables support. This ioctl is can be
  triggered by an unprivileged user on PF_INET sockets when unprivileged
  user namespaces are available (CONFIG_USER_NS=y). Android does not
  enable this option, but desktop/server distributions and Chrome OS will
  commonly enable this to allow for containers support or sandboxing.
  
  In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
  is possible for a user-supplied ipt_entry structure to have a large
  next_offset field. This field is not bounds checked prior to writing a
  counter value at the supplied offset:
  
  newpos = pos + e->next_offset;
  ...
  e = (struct ipt_entry *) (entry0 + newpos);
  e->counters.pcnt = pos;
  
  This means that an out of bounds 32-bit write can occur in a 64kb range
  from the allocated heap entry, with a controlled offset and a partially
  controlled write value ("pos") or zero. The attached proof-of-concept
  (netfilter_setsockopt_v3.c) triggers the corruption multiple times to
  set adjacent heap structures to zero.
  
  This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It
  appears that a similar codepath is accessible via
  arp_tables.c/ARPT_SO_SET_REPLACE as well.
+ 
+ [Fix]
+ http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150
+ 
+ [Test Case]
+ Download v3 testcase from 
https://code.google.com/p/google-security-research/issues/detail?id=758
+ gcc net*v3.c -o v3
+ ./v3

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Committed
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  New
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux source package in Trusty:
  New
Status in linux-lts-utopic source package in Trusty:
  In Progress
Status in linux source package in Vivid:
  In Progress
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux source package in Wily:
  In Progress
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux source package in Xenial:
  Fix Committed
Status in linux-lts-utopic source package in Xenial:
  Invalid


[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-10 Thread Chris J Arges
** Changed in: linux (Ubuntu Wily)
   Status: New => In Progress

** Changed in: linux (Ubuntu Wily)
 Assignee: (unassigned) => Chris J Arges (arges)

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Committed
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  New
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux source package in Trusty:
  New
Status in linux-lts-utopic source package in Trusty:
  New
Status in linux source package in Vivid:
  New
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux source package in Wily:
  In Progress
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux source package in Xenial:
  Fix Committed
Status in linux-lts-utopic source package in Xenial:
  Invalid



[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-10 Thread Tim Gardner
** Changed in: linux (Ubuntu Xenial)
   Status: In Progress => Fix Committed

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Committed
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  New
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux source package in Trusty:
  New
Status in linux-lts-utopic source package in Trusty:
  New
Status in linux source package in Vivid:
  New
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux source package in Wily:
  New
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux source package in Xenial:
  Fix Committed
Status in linux-lts-utopic source package in Xenial:
  Invalid



[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-10 Thread Chris J Arges
** Changed in: linux-lts-utopic (Ubuntu Xenial)
   Status: New => Invalid

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  In Progress
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  New
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux source package in Trusty:
  New
Status in linux-lts-utopic source package in Trusty:
  New
Status in linux source package in Vivid:
  New
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux source package in Wily:
  New
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux source package in Xenial:
  In Progress
Status in linux-lts-utopic source package in Xenial:
  Invalid



[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-10 Thread Chris J Arges
** Also affects: linux (Ubuntu Wily)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Vivid)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: linux-lts-utopic (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: linux-lts-utopic (Ubuntu Precise)
   Status: New => Invalid

** Changed in: linux-lts-utopic (Ubuntu Vivid)
   Status: New => Invalid

** Changed in: linux-lts-utopic (Ubuntu Wily)
   Status: New => Invalid

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  In Progress
Status in linux-lts-utopic package in Ubuntu:
  New
Status in linux source package in Precise:
  New
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux source package in Trusty:
  New
Status in linux-lts-utopic source package in Trusty:
  New
Status in linux source package in Vivid:
  New
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux source package in Wily:
  New
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux source package in Xenial:
  In Progress
Status in linux-lts-utopic source package in Xenial:
  New

Bug description:
  [From https://code.google.com/p/google-security-
  research/issues/detail?id=758 ]

  A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE
  ioctl in the netfilter code for iptables support. This ioctl is can be
  triggered by an unprivileged user on PF_INET sockets when unprivileged
  user namespaces are available (CONFIG_USER_NS=y). Android does not
  enable this option, but desktop/server distributions and Chrome OS
  will commonly enable this to allow for containers support or
  sandboxing.

  In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
  is possible for a user-supplied ipt_entry structure to have a large
  next_offset field. This field is not bounds checked prior to writing a
  counter value at the supplied offset:

  newpos = pos + e->next_offset;
  ...
  e = (struct ipt_entry *) (entry0 + newpos);
  e->counters.pcnt = pos;

  This means that an out of bounds 32-bit write can occur in a 64kb
  range from the allocated heap entry, with a controlled offset and a
  partially controlled write value ("pos") or zero. The attached proof-
  of-concept (netfilter_setsockopt_v3.c) triggers the corruption
  multiple times to set adjacent heap structures to zero.

  This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It
  appears that a similar codepath is accessible via
  arp_tables.c/ARPT_SO_SET_REPLACE as well.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions



[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-10 Thread Tim Gardner
** Also affects: linux (Ubuntu Xenial)
   Importance: High
   Status: Confirmed

** Changed in: linux (Ubuntu Xenial)
   Status: Confirmed => In Progress

** Changed in: linux (Ubuntu Xenial)
 Assignee: (unassigned) => Tim Gardner (timg-tpi)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1555338

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Xenial:
  In Progress

Bug description:
  [From https://code.google.com/p/google-security-research/issues/detail?id=758 ]

  A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE
  ioctl in the netfilter code for iptables support. This ioctl can be
  triggered by an unprivileged user on PF_INET sockets when unprivileged
  user namespaces are available (CONFIG_USER_NS=y). Android does not
  enable this option, but desktop/server distributions and Chrome OS
  will commonly enable this to allow for containers support or
  sandboxing.

  In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
  is possible for a user-supplied ipt_entry structure to have a large
  next_offset field. This field is not bounds checked prior to writing a
  counter value at the supplied offset:

  newpos = pos + e->next_offset;
  ...
  e = (struct ipt_entry *) (entry0 + newpos);
  e->counters.pcnt = pos;

  This means that an out of bounds 32-bit write can occur in a 64kb
  range from the allocated heap entry, with a controlled offset and a
  partially controlled write value ("pos") or zero. The attached proof-
  of-concept (netfilter_setsockopt_v3.c) triggers the corruption
  multiple times to set adjacent heap structures to zero.

  This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It
  appears that a similar codepath is accessible via
  arp_tables.c/ARPT_SO_SET_REPLACE as well.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions



[Kernel-packages] [Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

2016-03-09 Thread Steve Beattie
upstream proposed fix: http://marc.info/?l=netfilter-devel&m=145757134822741&w=2

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1555338

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Confirmed

Bug description:
  [From https://code.google.com/p/google-security-research/issues/detail?id=758 ]

  A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE
  ioctl in the netfilter code for iptables support. This ioctl can be
  triggered by an unprivileged user on PF_INET sockets when unprivileged
  user namespaces are available (CONFIG_USER_NS=y). Android does not
  enable this option, but desktop/server distributions and Chrome OS
  will commonly enable this to allow for containers support or
  sandboxing.

  In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
  is possible for a user-supplied ipt_entry structure to have a large
  next_offset field. This field is not bounds checked prior to writing a
  counter value at the supplied offset:

  newpos = pos + e->next_offset;
  ...
  e = (struct ipt_entry *) (entry0 + newpos);
  e->counters.pcnt = pos;

  This means that an out of bounds 32-bit write can occur in a 64kb
  range from the allocated heap entry, with a controlled offset and a
  partially controlled write value ("pos") or zero. The attached proof-
  of-concept (netfilter_setsockopt_v3.c) triggers the corruption
  multiple times to set adjacent heap structures to zero.

  This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It
  appears that a similar codepath is accessible via
  arp_tables.c/ARPT_SO_SET_REPLACE as well.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
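
The bounds check that the bug description says is missing before the counter write, as an added userspace sketch in C (not kernel code and not the upstream patch). struct entry_model, mark_next_checked, build_table and read_pcnt are hypothetical names, and the structure keeps only the fields the description names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-in for struct ipt_entry (assumption: only the fields
 * named in the bug description; the kernel structure has more). */
struct entry_model {
    uint16_t target_offset;
    uint16_t next_offset;   /* user-supplied distance to the next entry */
    uint64_t pcnt;          /* counter the chain walk overwrites */
};

/* Models the quoted step with the check added: follow next_offset from pos
 * and store pos in the next entry's pcnt only if that entry lies wholly
 * inside the size-byte table. Returns the new position, or -1 when there
 * is no in-bounds entry to mark. */
long mark_next_checked(unsigned char *entry0, size_t size, size_t pos)
{
    struct entry_model e;
    if (pos > size || size - pos < sizeof(e))
        return -1;                       /* current entry is not in the table */
    memcpy(&e, entry0 + pos, sizeof(e)); /* copy out: no unaligned access */
    if (e.next_offset < sizeof(e) || e.next_offset > size - pos)
        return -1;                       /* offset loops back or leaves the table */
    size_t newpos = pos + e.next_offset;
    if (size - newpos < sizeof(e))
        return -1;                       /* no room for a full entry at newpos */
    uint64_t v = pos;
    memcpy(entry0 + newpos + offsetof(struct entry_model, pcnt), &v, sizeof(v));
    return (long)newpos;
}

/* Constructed sample input: n back-to-back entries; entry number `bad`
 * (if < n) gets next_offset = bad_off instead of the entry size. */
void build_table(unsigned char *buf, size_t n, size_t bad, uint16_t bad_off)
{
    for (size_t i = 0; i < n; i++) {
        struct entry_model e = {0};
        e.target_offset = (uint16_t)sizeof(e);
        e.next_offset = (i == bad) ? bad_off : (uint16_t)sizeof(e);
        memcpy(buf + i * sizeof(e), &e, sizeof(e));
    }
}

/* Reads back the pcnt field of the entry at pos (caller ensures bounds). */
uint64_t read_pcnt(const unsigned char *entry0, size_t pos)
{
    uint64_t v;
    memcpy(&v, entry0 + pos + offsetof(struct entry_model, pcnt), sizeof(v));
    return v;
}
```

The `-1` for the last entry reflects that its next_offset points at the end of the table, where there is no entry to mark.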