Bug 10654

Summary: Update request: kernel-rt-3.4.52-0.rt67.2.mga2
Product: Mageia Reporter: Thomas Backlund <tmb>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, philippedidier, sysadmin-bugs
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA2-64-OK MGA2-32-OK
Source RPM: kernel-rt-3.4.52-0.rt67.2.mga2 CVE:
Status comment:

Description Thomas Backlund 2013-06-29 16:11:16 CEST 
Advisory:
The pciback_enable_msi function in the PCI backend driver 
(drivers/xen/pciback/conf_space_capability_msi.c) in Xen for the Linux
kernel 2.6.18 and 3.8 allows guest OS users with PCI device access to
cause a denial of service via a large number of kernel log messages.
(CVE-2013-0231 / XSA-43)

Heap-based buffer overflow in the iscsi_add_notunderstood_response function
in drivers/target/iscsi/iscsi_target_parameters.c in the iSCSI target
subsystem in the Linux kernel through 3.9.4 allows remote attackers to
cause a denial of service (memory corruption and OOPS) or possibly execute
arbitrary code via a long key that is not properly handled during
construction of an error-response packet.
A reproduction case requires patching open-iscsi to send overly large
keys. Performing discovery in a loop will Oops the remote server.
(CVE-2013-2850)

Format string vulnerability in the b43_request_firmware function in
drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in
the Linux kernel through 3.9.4 allows local users to gain privileges by
leveraging root access and including format string specifiers in an
fwpostfix modprobe parameter, leading to improper construction of an
error message. (CVE-2013-2852)

Other fixes:
Fix up alx AR8161 breakage (mga #10079)

For other -stable fixes, read the referenced changelogs

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2850
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2852
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.46
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.47
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.48
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.49
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.50
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.51


SRPM:
kernel-rt-3.4.51-0.rt62.1.mga2.src.rpm

i586:
kernel-rt-3.4.51-0.rt62.1.mga2-1-1.mga2.i586.rpm
kernel-rt-devel-3.4.51-0.rt62.1.mga2-1-1.mga2.i586.rpm
kernel-rt-devel-latest-3.4.51-0.rt62.1.mga2.i586.rpm
kernel-rt-doc-3.4.51-0.rt62.1.mga2.noarch.rpm
kernel-rt-latest-3.4.51-0.rt62.1.mga2.i586.rpm
kernel-rt-source-3.4.51-0.rt62.1.mga2-1-1.mga2.noarch.rpm
kernel-rt-source-latest-3.4.51-0.rt62.1.mga2.noarch.rpm

x86_64:
kernel-rt-3.4.51-0.rt62.1.mga2-1-1.mga2.x86_64.rpm
kernel-rt-devel-3.4.51-0.rt62.1.mga2-1-1.mga2.x86_64.rpm
kernel-rt-devel-latest-3.4.51-0.rt62.1.mga2.x86_64.rpm
kernel-rt-doc-3.4.51-0.rt62.1.mga2.noarch.rpm
kernel-rt-latest-3.4.51-0.rt62.1.mga2.x86_64.rpm
kernel-rt-source-3.4.51-0.rt62.1.mga2-1-1.mga2.noarch.rpm
kernel-rt-source-latest-3.4.51-0.rt62.1.mga2.noarch.rpm


Reproducible: 

Steps to Reproduce:
Comment 1 Thomas Backlund 2013-07-02 09:25:37 CEST 
Taking it back as there is a few more security fixes landing

Assignee: qa-bugs => tmb

Comment 2 Thomas Backlund 2013-07-04 20:41:28 CEST 
New advisory:

This kernel-rt update provides the upstream 3.4.52 kernel and fixes
the follwing security issues:

The pciback_enable_msi function in the PCI backend driver 
(drivers/xen/pciback/conf_space_capability_msi.c) in Xen for the Linux
kernel 2.6.18 and 3.8 allows guest OS users with PCI device access to
cause a denial of service via a large number of kernel log messages.
(CVE-2013-0231 / XSA-43)

ipv6: ip6_sk_dst_check() must not assume ipv6 dst
It's possible to use AF_INET6 sockets and to connect to an IPv4
destination. After this, socket dst cache is a pointer to a rtable,
not rt6_info. This bug can be exploited by local non-root users
to trigger various corruptions/crashes (CVE-2013-2232)

af_key: fix info leaks in notify messages
key_notify_sa_flush() and key_notify_policy_flush() miss to
initialize the sadb_msg_reserved member of the broadcasted message
and thereby leak 2 bytes of heap memory to listeners (CVE-2013-2234)

af_key: initialize satype in key_notify_policy_flush()
key_notify_policy_flush() miss to nitialize the sadb_msg_satype member
of the broadcasted message and thereby leak heap memory to listeners
(CVE-2013-2237)

Heap-based buffer overflow in the iscsi_add_notunderstood_response function
in drivers/target/iscsi/iscsi_target_parameters.c in the iSCSI target
subsystem in the Linux kernel through 3.9.4 allows remote attackers to
cause a denial of service (memory corruption and OOPS) or possibly execute
arbitrary code via a long key that is not properly handled during
construction of an error-response packet.
A reproduction case requires patching open-iscsi to send overly large
keys. Performing discovery in a loop will Oops the remote server.
(CVE-2013-2850)

Format string vulnerability in the b43_request_firmware function in
drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in
the Linux kernel through 3.9.4 allows local users to gain privileges by
leveraging root access and including format string specifiers in an
fwpostfix modprobe parameter, leading to improper construction of an
error message. (CVE-2013-2852)

Other fixes:
Fix up alx AR8161 breakage (mga #10079)
The -rt patch has been updated to -rt65

For other -stable fixes, read the referenced changelogs

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2232
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2234
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2850
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2852
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.46
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.47
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.48
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.49
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.50
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.51
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.52

Assignee: tmb => qa-bugs
Summary: Update request: kernel-rt-3.4.51-0.rt62.1.mga2 => Update request: kernel-rt-3.4.52-0.rt65.1.mga2
Source RPM: kernel-rt-3.4.51-0.rt62.1.mga2 => kernel-rt-3.4.52-0.rt65.1.mga2

Comment 3 Thomas Backlund 2013-07-04 20:44:06 CEST 
SRPM:
kernel-rt-3.4.52-0.rt65.1.mga2.src.rpm

i586:
kernel-rt-3.4.52-0.rt65.1.mga2-1-1.mga2.i586.rpm
kernel-rt-devel-3.4.52-0.rt65.1.mga2-1-1.mga2.i586.rpm
kernel-rt-devel-latest-3.4.52-0.rt65.1.mga2.i586.rpm
kernel-rt-doc-3.4.52-0.rt65.1.mga2.noarch.rpm
kernel-rt-latest-3.4.52-0.rt65.1.mga2.i586.rpm
kernel-rt-source-3.4.52-0.rt65.1.mga2-1-1.mga2.noarch.rpm
kernel-rt-source-latest-3.4.52-0.rt65.1.mga2.noarch.rpm

x86_64:
kernel-rt-3.4.52-0.rt65.1.mga2-1-1.mga2.x86_64.rpm
kernel-rt-devel-3.4.52-0.rt65.1.mga2-1-1.mga2.x86_64.rpm
kernel-rt-devel-latest-3.4.52-0.rt65.1.mga2.x86_64.rpm
kernel-rt-doc-3.4.52-0.rt65.1.mga2.noarch.rpm
kernel-rt-latest-3.4.52-0.rt65.1.mga2.x86_64.rpm
kernel-rt-source-3.4.52-0.rt65.1.mga2-1-1.mga2.noarch.rpm
kernel-rt-source-latest-3.4.52-0.rt65.1.mga2.noarch.rpm
Comment 4 Philippe Didier 2013-07-06 01:00:28 CEST 
MGA2 32bits

kernel-rt-3.4.52-0.rt65.1.mga2-1-1.mga2.i586.rpm
kernel-rt-devel-3.4.52-0.rt65.1.mga2-1-1.mga2.i586.rpm

ASUS M2N SLI mainboard
Nvidia Geforce 210 graphic card
two internal SATA harddisks    (using sata_nv module)
one internal IDE harddisk      (using pata_amd module)
one external usb harddisk 
one external firewire harddisk
one internal IDE DVD writer    (using pata_amd module)
one internal IDE DVD reader    (using pata_amd module)

during installation dkms built the nvidia module


Boot begins well (same as  kernel-server-3.4.52-1.mga2-1-1.mga2.i586.rpm)

But it freezes half the way when starting X :
black screen
no possibility to use Alt+Ctl+Del 
need to Alt+sysRq+r
        Alt+sysRq+s
        Alt+sysRq+e
        Alt+sysRq+i
        Alt+sysRq+u
        Alt+sysRq+b

It's not a regression : same problem as previous kernel-rt : they can only work with nouveau ... not with the nvidia built module 
(need to modify xorg.conf to use the kernel-rt)

CC: (none) => philippedidier

Comment 5 Thomas Backlund 2013-07-12 17:53:09 CEST 
Additional fixes:
- fixes links in /boot
- updates to -rt67

SRPM:
kernel-rt-3.4.52-0.rt67.2.mga2.src.rpm

i586:
kernel-rt-3.4.52-0.rt67.2.mga2-1-1.mga2.i586.rpm
kernel-rt-devel-3.4.52-0.rt67.2.mga2-1-1.mga2.i586.rpm
kernel-rt-devel-latest-3.4.52-0.rt67.2.mga2.i586.rpm
kernel-rt-doc-3.4.52-0.rt67.2.mga2.noarch.rpm
kernel-rt-latest-3.4.52-0.rt67.2.mga2.i586.rpm
kernel-rt-source-3.4.52-0.rt67.2.mga2-1-1.mga2.noarch.rpm
kernel-rt-source-latest-3.4.52-0.rt67.2.mga2.noarch.rpm

x86_64:
kernel-rt-3.4.52-0.rt67.2.mga2-1-1.mga2.x86_64.rpm
kernel-rt-devel-3.4.52-0.rt67.2.mga2-1-1.mga2.x86_64.rpm
kernel-rt-devel-latest-3.4.52-0.rt67.2.mga2.x86_64.rpm
kernel-rt-doc-3.4.52-0.rt67.2.mga2.noarch.rpm
kernel-rt-latest-3.4.52-0.rt67.2.mga2.x86_64.rpm
kernel-rt-source-3.4.52-0.rt67.2.mga2-1-1.mga2.noarch.rpm
kernel-rt-source-latest-3.4.52-0.rt67.2.mga2.noarch.rpm
Thomas Backlund 2013-07-12 17:53:35 CEST

Summary: Update request: kernel-rt-3.4.52-0.rt65.1.mga2 => Update request: kernel-rt-3.4.52-0.rt67.2.mga2
Source RPM: kernel-rt-3.4.52-0.rt65.1.mga2 => kernel-rt-3.4.52-0.rt67.2.mga2

Comment 6 Dave Hodgins 2013-07-15 21:13:11 CEST 
Testing complete. Validating the update.

Could someone from the sysadmin team push 10654.adv

Keywords: (none) => validated_update
Whiteboard: (none) => MGA2-64-OK MGA2-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 7 Thomas Backlund 2013-07-16 09:38:51 CEST 
Update pushed:
http://advisories.mageia.org/MGASA-2013-0211.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED