Bug 1889

Summary: Security update request: kernel
Product: Mageia
Reporter: Thomas Backlund <tmb>
Component: Security
Assignee: Security team <security_officers>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: davidwhodgins, lists.jjorge, mageia, qa-bugs, stormi-mageia
Version: 1
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: kernel
CVE:
Status comment:

Description Thomas Backlund 2011-06-22 20:06:04 CEST
A 2.6.38.8-3.mga1 was just submitted to the BS, heading to updates_testing.

It fixes 4 CVEs, has some oops, crash and fs corruption fixes, and some other fixes backported from the upcoming 2.6.39.2-stable tree.

Full changelog:
- update to 2.6.38.8 (CVE-2011-1017)
  * drop merged patches
- inet_diag: fix inet_diag_bc_audit() (CVE-2011-2213)
- ksm: fix race between ksmd and exiting task (CVE-2011-2183)
- taskstats: don't allow duplicate entries in listener mode (CVE-2011-2484)
- ath9k: revert changes that crash the kernel (mga #144, regression since 2.6.35)
- ath9k: fix two more bugs in tx power
- ath9k: Reset chip on baseband hang
- ath9k: set 40 Mhz rate only if hw is configured in ht40
- block: export blk_{get,put}_queue()
- block: blkdev_get() should access ->bd_disk only after success
- drm/i915: Add a no lvds quirk for the Asus EeeBox PC EB1007
- drm/radeon/kms: viewport height has to be even
- drm/radeon/kms: fix for radeon on systems >4GB without hardware iommu
- fat: Fix corrupt inode flags when remove ATTR_SYS flag
- hwmon: coretemp: Relax target temperature range check
- intel-iommu: Flush unmaps at domain_exit
- intel-iommu: Only unlink device domains from iommu
- intel-iommu: Check for identity mapping candidate using system dma mask
- intel-iommu: Speed up processing of the identity_mapping function
- intel-iommu: Dont cache iova above 32bit
- intel-iommu: Use coherent DMA mask when requested
- intel-iommu: Remove Host Bridge devices from identity mapping
- intel-iommu: Add domain check in domain_remove_one_dev_info
- nl80211: fix check for valid SSID size in scan operations
- option: add Zoom 4597 modem USB IDs
- option: add Alcatel X200 to sendsetup blacklist
- option: add Prolink PH300 modem IDs
- option: Add blacklist for ZTE K3765-Z
- Revert "USB: option: add ID for ZTE MF 330" as it's a USB hub
- scsi:  Fix oops caused by queue refcounting failure
- TOMOYO: Fix oops in tomoyo_mount_acl()
- usb: core: Tolerate protocol stall during hub and port status read
- usb-storage: redo incorrect reads
- usbnet/cdc_ncm: add missing .reset_resume hook
- usb: cdc-acm: Adding second ACM channel support for Nokia E7 and C7
- usb: serial: add another 4N-GALAXY.DE PID to ftdi_sio driver
- video: Fix use-after-free by vga16fb on rmmod
- x86/amd-iommu: Fix 3 possible endless loops
- x86/amd-iommu: Use only per-device dma_ops
- x86/amd-iommu: Fix boot crash with hidden PCI devices
- xen: fix off by one errors in multicalls.c
Sander Lepik 2011-06-22 20:18:52 CEST

CC: (none) => sander.lepik
Assignee: bugsquad => qa-bugs

Nicolas Vigier 2011-06-22 23:52:41 CEST

CC: (none) => boklm
Summary: Security update request => Security update request: kernel

Comment 1 Dave Hodgins 2011-06-30 03:00:38 CEST
The only kernel packages in
http://mageia.webconquest.com/distrib/1/i586/media/core/updates_testing
are for kernel-linus from bug 1983

Any timeframe for arrival in updates testing?

CC: (none) => davidwhodgins

Comment 2 Thomas Backlund 2011-07-06 22:15:16 CEST
Apparently the BS killed off the builds both to Cauldron and updates_testing...

I am in the process of adding a few more fixes before submitting it again.

Comment 3 Thomas Backlund 2011-07-08 12:47:52 CEST
A 2.6.38.8-4.mga is now in the testing media.

In addition to the initial report, the following are now also fixed:
- fix non-expanding xen-pvops macros
- net/ipv4: Check for mistakenly passed in non-IPv4 address
- Bluetooth: Prevent buffer overflow in l2cap config request (CVE-2011-2497)
- Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace (CVE-2011-2492)
- proc: restrict access to /proc/PID/io (CVE-2011-2495)
- ext4: init timer earlier to avoid a kernel panic in __save_error_info (CVE-2011-2493)
- nl80211: fix overflow in ssid_len (CVE-2011-2517)


As for testing it:
- check it installs, boots and runs
- check that the different dkms* drivers build and work
- as for the CVE checks, I guess we need to check every POC on the oss-sec list.

I have pushed a 2.6.38.8-5.mga2 (which contains exactly the same fixes) to Cauldron to broaden the test base for our first security update of the core kernel
(I already pushed 2.6.38.8-4.mga2, but some packages got MIA due to a BS DNS bug).

And I will write a better advisory for this update in the next few days.

Status: NEW => ASSIGNED
CC: (none) => qa-bugs
Assignee: qa-bugs => security

Comment 4 José Jorge 2011-07-08 19:14:21 CEST
Tested on x86_64:
- dkms builds ok
- but wlan (dkms-broadcom-wl) was not running after that. Re-running draknet made the driver load...

CC: (none) => lists.jjorge

Comment 5 Samuel Verschelde 2011-07-08 21:12:12 CEST
tmb, would it be ok to push kernel-desktop-latest too to updates_testing, so that those who added the updates_testing media as update media would get the update as soon as it is available and report any obvious regression?

CC: (none) => stormi

Comment 6 Samuel Verschelde 2011-07-08 21:26:44 CEST
In Mageia 1 i586, only kernel-desktop-2.6.38.8 and kernel-doc-2.6.38.8 are present on the mirrors (checked on distrib-coffee). All the other packages are missing.

Comment 7 Thomas Backlund 2011-07-08 21:30:06 CEST
Yeah, I just noticed only x86_64 is fully uploaded on the primary mirror...

Comment 8 Thomas Backlund 2011-07-08 22:48:32 CEST
Ok, boklm fixed the upload of the missing rpms.

Comment 9 Dave Hodgins 2011-07-09 05:11:31 CEST
For the kernel source package I ran "make xconfig" in the source directory. It
failed with ...

make[1]: *** No rule to make target `scripts/kconfig/.tmp_qtcheck', needed by `scripts/kconfig/qconf.o'.  Stop.
make: *** [xconfig] Error 2

Using "make menuconfig" works, so I don't consider this a show stopper.

For kernel-doc, I just confirmed it installed and the files were present.

I've installed and tested all five of the i586 kernels on my i686 system.
For each kernel, I installed the kernel-?-latest and kernel-?-devel-latest
packages.  I've booted each kernel and can confirm dkms built the vboxhost
module, I was able to start kde, have sound, and access the internet.

I consider the i586 package testing completed.
The packages are:
kernel-doc
kernel-desktop-2.6.38.8-4.mga
kernel-source-2.6.38.8-4.mga
kernel-desktop-latest
kernel-desktop586-devel-latest
kernel-desktop-devel-latest
kernel-desktop-devel-2.6.38.8-4.mga
kernel-desktop586-latest
kernel-source-latest
kernel-netbook-2.6.38.8-4.mga
kernel-xen-pvops-2.6.38.8-4.mga
kernel-netbook-devel-2.6.38.8-4.mga
kernel-desktop586-2.6.38.8-4.mga
kernel-xen-pvops-latest
kernel-xen-pvops-devel-2.6.38.8-4.mga
kernel-netbook-devel-latest
kernel-netbook-latest
kernel-server-devel-2.6.38.8-4.mga
kernel-server-devel-latest
kernel-desktop586-devel-2.6.38.8-4.mga
kernel-server-2.6.38.8-4.mga
kernel-server-latest
kernel-xen-pvops-devel-latest
The srpm is:
kernel-2.6.38.8-4.mga1.src.rpm
Comment 10 Thomas Backlund 2011-07-13 22:06:59 CEST
Suggested advisory:
------
This updates the kernel to the latest stable upstream 2.6.38.8.

It also fixes the following CVEs:
- Heap-based buffer overflow in the ldm_frag_add function in 
  fs/partitions/ldm.c in the Linux kernel 2.6.37.2 and earlier 
  might allow local users to gain privileges or obtain sensitive 
  information via a crafted LDM partition table. (CVE-2011-1017)

- Andrea Righi reported a case where an exiting task can race against
  ksmd::scan_get_next_rmap_item (http://lkml.org/lkml/2011/6/1/742)
  easily triggering a NULL pointer dereference in ksmd. (CVE-2011-2183)

- A malicious user or buggy application can inject code and trigger
  an infinite loop in inet_diag_bc_audit(). (CVE-2011-2213)

- The add_del_listener function in kernel/taskstats.c in the Linux 
  kernel 2.6.39.1 and earlier does not prevent multiple registrations 
  of exit handlers, which allows local users to cause a denial of service 
  (memory and CPU consumption), and bypass the OOM Killer, via a crafted
  application. (CVE-2011-2484)

- Structures "l2cap_conninfo" and "rfcomm_conninfo" have one padding 
  byte each. This byte in "cinfo" is copied to userspace uninitialized. 
  (CVE-2011-2492)

- During ext4 mount, when we fail to open the journal inode or root inode,
  __save_error_info will call mod_timer. But actually s_err_report isn't
  initialized yet and the kernel oopses. The detailed information can
  be found at https://bugzilla.kernel.org/show_bug.cgi?id=32082.
  (CVE-2011-2493)

- /proc/PID/io may be used for gathering private information.  E.g. 
  for openssh and vsftpd daemons wchars/rchars may be used to learn 
  the precise password length. (CVE-2011-2495)

- A remote user can provide a small value for the command size field 
  in the command header of an l2cap configuration request, resulting
  in an integer underflow when subtracting the size of the configuration
  request header. This results in copying a very large amount of data 
  via memcpy() and destroying the kernel heap. (CVE-2011-2497)

- In both trigger_scan and sched_scan operations, we were checking the
  SSID length before assigning the value correctly. Since the memory
  was just kzalloc'ed, the check was always failing and SSIDs with over
  32 characters were allowed to go through. This causes a buffer
  overflow when copying the actual SSID to the proper place.
  (CVE-2011-2517)

- In tomoyo_mount_acl() since 2.6.36, kern_path() was called without
  checking dev_name != NULL. As a result, an unprivileged user can
  trigger oops by issuing mount(NULL, "/", "ext3", 0, NULL) request.
  (CVE-2011-2518)


Other fixes:
- ath9k: fixes a few ath9k bugs and an ath9k crash (mga #144)
- fat: Fix corrupt inode flags when remove ATTR_SYS flag
- scsi: Fix oops caused by queue refcounting failure
- amd-iommu fixes for endless loop and boot crash
- intel-iommu fixes and speedups
- a few i915 and radeon drm fixes
- net/ipv4: Check for mistakenly passed in non-IPv4 address
- option: add more hw ids
- usb: some additional hw support, some stability fixes
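Two of the advisory items above (CVE-2011-2497 and CVE-2011-2517) describe the same class of length-handling defect from a parser's point of view: a peer-supplied length is subtracted from before it is checked against the header size, and a bound is tested on a freshly zeroed destination field instead of on the incoming value. The C program below is an added illustration written for this page, not kernel code and not part of the Mageia update. It uses a hypothetical 4-byte "code / ident / len" header and constructed sample messages; the names parse_cmd, naive_body_len, ssid_accepted_wrong_order and ssid_accepted_right_order are this example's own. The underflowing arithmetic is shown as a computed value only; no copy is ever made with the bad length.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical wire format, loosely modelled on the "code / ident / len"
 * command header the advisory describes; not the kernel's own definition.
 * len is little-endian and counts the header itself plus the body. */
#define HDR_SIZE 4
#define MAX_BODY 32  /* fixed-size destination, as with the 32-byte SSID */

struct parsed_cmd {
    uint8_t code;
    uint8_t ident;
    size_t  body_len;
    uint8_t body[MAX_BODY];
};

/* The defect pattern: subtract the header size from a peer-supplied length
 * without first checking that the length covers the header. Unsigned
 * arithmetic wraps, so a declared length of 2 becomes a body length of
 * 65534, which a following memcpy() would use as its count. */
uint16_t naive_body_len(uint16_t declared_len) {
    return (uint16_t)(declared_len - HDR_SIZE);
}

/* Hardened parser: validates the declared length against the header size,
 * against what actually arrived, and against the destination buffer, all
 * before any copy. Returns 0 on success, a negative code on rejection. */
int parse_cmd(const uint8_t *buf, size_t buf_len, struct parsed_cmd *out) {
    if (buf_len < HDR_SIZE) return -1;                  /* truncated header */
    uint16_t declared = (uint16_t)(buf[2] | (buf[3] << 8));
    if (declared < HDR_SIZE) return -2;                 /* would underflow */
    if (declared > buf_len) return -3;                  /* claims more than arrived */
    size_t body_len = declared - HDR_SIZE;              /* now safe to subtract */
    if (body_len > MAX_BODY) return -4;                 /* bound the copy */
    out->code = buf[0];
    out->ident = buf[1];
    out->body_len = body_len;
    memcpy(out->body, buf + HDR_SIZE, body_len);
    return 0;
}

/* Second pattern (the nl80211 SSID check): the bound is tested on the
 * zero-initialised destination field instead of on the incoming value. */
struct scan_req {
    size_t  ssid_len;
    uint8_t ssid[MAX_BODY];
};

/* Wrong order: req was just zeroed (stand-in for kzalloc), so req->ssid_len
 * is 0 and the check can never fail; an oversize attribute is accepted.
 * Returns 1 if accepted. The copy that would overflow is deliberately left out. */
int ssid_accepted_wrong_order(size_t attr_len, struct scan_req *req) {
    memset(req, 0, sizeof *req);
    if (req->ssid_len > MAX_BODY) return 0;
    req->ssid_len = attr_len;
    return 1;
}

/* Right order: test the value that is about to be stored, then copy. */
int ssid_accepted_right_order(const uint8_t *attr, size_t attr_len, struct scan_req *req) {
    memset(req, 0, sizeof *req);
    if (attr_len > MAX_BODY) return 0;
    req->ssid_len = attr_len;
    memcpy(req->ssid, attr, attr_len);
    return 1;
}

/* Constructed sample messages (not captured traffic). */
const uint8_t SAMPLE_UNDERFLOW[] = {0x04, 0x01, 0x02, 0x00};            /* len=2 < header */
const uint8_t SAMPLE_SHORT[]     = {0x04, 0x01, 0x30, 0x00, 'a', 'b'};  /* len=48, only 6 bytes arrived */
const uint8_t SAMPLE_OK[]        = {0x04, 0x01, 0x09, 0x00, 'h', 'e', 'l', 'l', 'o'};
const uint8_t LONG_SSID[40]      = {0};                                 /* 40-byte attribute, over the 32 limit */
uint8_t SAMPLE_BIG[HDR_SIZE + MAX_BODY + 1];                             /* len=37, body 33 > MAX_BODY */
struct parsed_cmd scratch;
struct scan_req   scratch_req;

/* Fills SAMPLE_BIG with a self-consistent but oversized command and returns it. */
const uint8_t *make_big_sample(void) {
    memset(SAMPLE_BIG, 'x', sizeof SAMPLE_BIG);
    SAMPLE_BIG[0] = 0x04;
    SAMPLE_BIG[1] = 0x01;
    SAMPLE_BIG[2] = (uint8_t)(sizeof SAMPLE_BIG & 0xff);
    SAMPLE_BIG[3] = (uint8_t)(sizeof SAMPLE_BIG >> 8);
    return SAMPLE_BIG;
}

int main(void) {
    printf("naive body length for declared len 2: %u\n", naive_body_len(2));
    printf("underflow sample -> %d\n", parse_cmd(SAMPLE_UNDERFLOW, sizeof SAMPLE_UNDERFLOW, &scratch));
    printf("short sample     -> %d\n", parse_cmd(SAMPLE_SHORT, sizeof SAMPLE_SHORT, &scratch));
    printf("oversize sample  -> %d\n", parse_cmd(make_big_sample(), sizeof SAMPLE_BIG, &scratch));
    printf("good sample      -> %d (body_len %zu)\n",
           parse_cmd(SAMPLE_OK, sizeof SAMPLE_OK, &scratch), scratch.body_len);
    printf("40-byte SSID, wrong order: %d; right order: %d\n",
           ssid_accepted_wrong_order(40, &scratch_req),
           ssid_accepted_right_order(LONG_SSID, 40, &scratch_req));
    return 0;
}
```

The three rejections in parse_cmd are ordered so that each later check can rely on the earlier ones: the subtraction only happens after the declared length is known to cover the header, and the copy only after the body length is known to fit both the received buffer and the destination. That ordering, plus checking the incoming attribute length rather than the field it is about to be stored in, is the whole of what the two upstream fixes restore.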
Comment 11 Dave Hodgins 2011-07-14 03:54:56 CEST
Comment 2 indicates x86-64 tested ok.
Comment 9 shows i586 tested ok, and has the list of rpm/srpm packages.
Comment 10 has the proposed advisory.

Can someone from the sysadmin team push the kernel update
from Core Updates Testing to Core Updates please.
Comment 12 Nicolas Vigier 2011-07-14 11:44:12 CEST
pushed to updates.

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:04:21 CEST

CC: boklm => (none)