Bug 19577

Summary: kernel security vulnerabilities (CVE-2016-7039, CVE-2016-6828, CVE-2016-5195)
Product: Mageia Reporter: Zombie Ryushu <zombie_ryushu>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: High CC: andrewsfarm, davidwhodgins, sysadmin-bugs, tmb
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://www.linuxsecurity.com/content/view/168633/
Whiteboard: MGA5-64-OK MGA5-32-OK advisory
Source RPM: kernel CVE: CVE-2016-7039, CVE-2016-6828, CVE-2016-5195
Status comment:
Bug Depends on:    
Bug Blocks: 19213    

Description Zombie Ryushu 2016-10-13 12:04:55 CEST 
Ubuntu is reporting some new CVEs that seem to be in Kernel 4.4, Rosa 2014 may not be affected by these, but 2016 might

USN-3099-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.

Vladimír Beneá discovered an unbounded recursion in the VLAN and TEB
Generic Receive Offload (GRO) processing implementations in the Linux
kernel, A remote attacker could use this to cause a stack corruption,
leading to a denial of service (system crash). (CVE-2016-7039)

Marco Grassi discovered a use-after-free condition could occur in the TCP
retransmit queue handling code in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2016-6828)

Pengfei Wang discovered a race condition in the Adaptec AAC RAID controller
driver in the Linux kernel when handling ioctl()s. A local attacker could
use this to cause a denial of service (system crash). (CVE-2016-6480)
Zombie Ryushu 2016-10-13 12:05:22 CEST

CVE: (none) => CVE-2016-6480

Comment 1 Thomas Backlund 2016-10-13 12:15:26 CEST 
Dont push any kernel updates to mga5 testing until current 4.4.22-1 is validated and pushed

CC: (none) => tmb

Rémi Verschelde 2016-10-13 12:44:23 CEST

Assignee: bugsquad => kernel

Comment 2 Thomas Backlund 2016-10-19 23:10:40 CEST 
CVE-2016-6480 was fixed in 4.4.20 already.

fix for CVE-2016-6828 is in upstream 4.4.23

The critical fix is actually CVE-2016-7039 that is a remote DOS vuln,

I've updated to 4.4.25 and added patches for
- CVE-2016-7039
- a mm race fix
- a linker PIE fix


Assigning to QA now so they are aware it will land soon-ish.

I will add rpm lists as soon as they land on mirrors so you know what to test

Priority: Normal => High
CVE: CVE-2016-6480 => CVE-2016-7039, CVE-2016-6828
Assignee: kernel => qa-bugs
Summary: kernel security vulnerability (CVE-2016-6480) => kernel security vulnerabilities (CVE-2016-7039, CVE-2016-6828)
Severity: normal => major

Thomas Andrews 2016-10-20 15:19:14 CEST

CC: (none) => andrewsfarm

Comment 3 Thomas Backlund 2016-10-20 17:22:25 CEST 
Now I think there is another critical CVE in this update, but I dont have references on it yet, so for now:



Advisory:
This update is based on the upstream 4.4.26 kernel and fixes atleast theese
security issues:

Marco Grassi discovered a use-after-free condition could occur in the TCP
retransmit queue handling code in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2016-6828)

Vladimir Benei discovered an unbounded recursion in the VLAN and TEB
Generic Receive Offload (GRO) processing implementations in the Linux
kernel, A remote attacker could use this to cause a stack corruption,
leading to a denial of service (system crash). (CVE-2016-7039)

For other fixes in this update, see the referenced changelogs.

References:
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.23
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.24
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.25
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.26



SRPMS:
kernel-4.4.26-1.mga5.src.rpm
kernel-userspace-headers-4.4.26-1.mga5.src.rpm
kmod-vboxadditions-5.1.2-8.mga5.src.rpm
kmod-virtualbox-5.1.2-8.mga5.src.rpm
kmod-xtables-addons-2.10-14.mga5.src.rpm



i586:
cpupower-4.4.26-1.mga5.i586.rpm
cpupower-devel-4.4.26-1.mga5.i586.rpm
kernel-desktop-4.4.26-1.mga5-1-1.mga5.i586.rpm
kernel-desktop586-4.4.26-1.mga5-1-1.mga5.i586.rpm
kernel-desktop586-devel-4.4.26-1.mga5-1-1.mga5.i586.rpm
kernel-desktop586-devel-latest-4.4.26-1.mga5.i586.rpm
kernel-desktop586-latest-4.4.26-1.mga5.i586.rpm
kernel-desktop-devel-4.4.26-1.mga5-1-1.mga5.i586.rpm
kernel-desktop-devel-latest-4.4.26-1.mga5.i586.rpm
kernel-desktop-latest-4.4.26-1.mga5.i586.rpm
kernel-doc-4.4.26-1.mga5.noarch.rpm
kernel-server-4.4.26-1.mga5-1-1.mga5.i586.rpm
kernel-server-devel-4.4.26-1.mga5-1-1.mga5.i586.rpm
kernel-server-devel-latest-4.4.26-1.mga5.i586.rpm
kernel-server-latest-4.4.26-1.mga5.i586.rpm
kernel-source-4.4.26-1.mga5-1-1.mga5.noarch.rpm
kernel-source-latest-4.4.26-1.mga5.noarch.rpm
kernel-userspace-headers-4.4.26-1.mga5.i586.rpm
perf-4.4.26-1.mga5.i586.rpm

vboxadditions-kernel-4.4.26-desktop-1.mga5-5.1.2-8.mga5.i586.rpm
vboxadditions-kernel-4.4.26-desktop586-1.mga5-5.1.2-8.mga5.i586.rpm
vboxadditions-kernel-4.4.26-server-1.mga5-5.1.2-8.mga5.i586.rpm
vboxadditions-kernel-desktop586-latest-5.1.2-8.mga5.i586.rpm
vboxadditions-kernel-desktop-latest-5.1.2-8.mga5.i586.rpm
vboxadditions-kernel-server-latest-5.1.2-8.mga5.i586.rpm

virtualbox-kernel-4.4.26-desktop-1.mga5-5.1.2-8.mga5.i586.rpm
virtualbox-kernel-4.4.26-desktop586-1.mga5-5.1.2-8.mga5.i586.rpm
virtualbox-kernel-4.4.26-server-1.mga5-5.1.2-8.mga5.i586.rpm
virtualbox-kernel-desktop586-latest-5.1.2-8.mga5.i586.rpm
virtualbox-kernel-desktop-latest-5.1.2-8.mga5.i586.rpm
virtualbox-kernel-server-latest-5.1.2-8.mga5.i586.rpm

xtables-addons-kernel-4.4.26-desktop-1.mga5-2.10-14.mga5.i586.rpm
xtables-addons-kernel-4.4.26-desktop586-1.mga5-2.10-14.mga5.i586.rpm
xtables-addons-kernel-4.4.26-server-1.mga5-2.10-14.mga5.i586.rpm
xtables-addons-kernel-desktop586-latest-2.10-14.mga5.i586.rpm
xtables-addons-kernel-desktop-latest-2.10-14.mga5.i586.rpm
xtables-addons-kernel-server-latest-2.10-14.mga5.i586.rpm



x86_64:
cpupower-4.4.26-1.mga5.x86_64.rpm
cpupower-devel-4.4.26-1.mga5.x86_64.rpm
kernel-desktop-4.4.26-1.mga5-1-1.mga5.x86_64.rpm
kernel-desktop-devel-4.4.26-1.mga5-1-1.mga5.x86_64.rpm
kernel-desktop-devel-latest-4.4.26-1.mga5.x86_64.rpm
kernel-desktop-latest-4.4.26-1.mga5.x86_64.rpm
kernel-doc-4.4.26-1.mga5.noarch.rpm
kernel-server-4.4.26-1.mga5-1-1.mga5.x86_64.rpm
kernel-server-devel-4.4.26-1.mga5-1-1.mga5.x86_64.rpm
kernel-server-devel-latest-4.4.26-1.mga5.x86_64.rpm
kernel-server-latest-4.4.26-1.mga5.x86_64.rpm
kernel-source-4.4.26-1.mga5-1-1.mga5.noarch.rpm
kernel-source-latest-4.4.26-1.mga5.noarch.rpm
kernel-userspace-headers-4.4.26-1.mga5.x86_64.rpm
perf-4.4.26-1.mga5.x86_64.rpm

vboxadditions-kernel-4.4.26-desktop-1.mga5-5.1.2-8.mga5.x86_64.rpm
vboxadditions-kernel-4.4.26-server-1.mga5-5.1.2-8.mga5.x86_64.rpm
vboxadditions-kernel-desktop-latest-5.1.2-8.mga5.x86_64.rpm
vboxadditions-kernel-server-latest-5.1.2-8.mga5.x86_64.rpm

virtualbox-kernel-4.4.26-desktop-1.mga5-5.1.2-8.mga5.x86_64.rpm
virtualbox-kernel-4.4.26-server-1.mga5-5.1.2-8.mga5.x86_64.rpm
virtualbox-kernel-desktop-latest-5.1.2-8.mga5.x86_64.rpm
virtualbox-kernel-server-latest-5.1.2-8.mga5.x86_64.rpm

xtables-addons-kernel-4.4.26-desktop-1.mga5-2.10-14.mga5.x86_64.rpm
xtables-addons-kernel-4.4.26-server-1.mga5-2.10-14.mga5.x86_64.rpm
xtables-addons-kernel-desktop-latest-2.10-14.mga5.x86_64.rpm
xtables-addons-kernel-server-latest-2.10-14.mga5.x86_64.rpm

Severity: major => critical

Comment 4 Thomas Backlund 2016-10-20 17:25:29 CEST 
I have the x86_64 server kernels running on 2 live servers and the x86_64 desktop kernels on 2 live desktop systems
Comment 5 Thomas Backlund 2016-10-20 18:42:34 CEST 
And the "feeling" was right...

CVE-2016-5195 is out with a exploit in the wild,

so updated advisory:

This update is based on the upstream 4.4.26 kernel and fixes atleast theese
security issues:

A race condition was found in the way the Linux kernel's memory subsystem
handled the copy-on-write (COW) breakage of private read-only memory
mappings. An unprivileged local user could use this flaw to gain write
access to otherwise read-only memory mappings and thus increase their
privileges on the system. This could be abused by an attacker to modify
existing setuid files with instructions to elevate privileges. An exploit
using this technique has been found in the wild (CVE-2016-5195).

Marco Grassi discovered a use-after-free condition could occur in the TCP
retransmit queue handling code in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2016-6828)

Vladimr Bene¡ discovered an unbounded recursion in the VLAN and TEB
Generic Receive Offload (GRO) processing implementations in the Linux
kernel, A remote attacker could use this to cause a stack corruption,
leading to a denial of service (system crash). (CVE-2016-7039)

For other fixes in this update, see the referenced changelogs.

References:
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.23
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.24
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.25
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.26

CVE: CVE-2016-7039, CVE-2016-6828 => CVE-2016-7039, CVE-2016-6828, CVE-2016-5195
Summary: kernel security vulnerabilities (CVE-2016-7039, CVE-2016-6828) => kernel security vulnerabilities (CVE-2016-7039, CVE-2016-6828, CVE-2016-5195)

Thomas Backlund 2016-10-20 19:04:33 CEST

Blocks: (none) => 19213

Comment 6 Dave Hodgins 2016-10-20 19:54:25 CEST 
Running 4.4.26-desktop-1.mga5 ok here now on an x86_64 host, and i586 vb
guest. Will test i586 host shortly.

CC: (none) => davidwhodgins

Comment 7 Thomas Andrews 2016-10-20 20:46:22 CEST 
Running 4.4.26-desktop on an Intel x86_64 host, and on an x86_64 guest. All seems good.

Running 4.4.26-server on an AMD i586 host, and all seems well except that an old and troublesome i586 guest will not boot, showing the same symptoms seen in testing vbox 5.1.4 and 5.1.6. I'm beginning to think something is messed up with that guest. A separate i586 guest, set up to boot the Mageia 5 Classical iso, boots with no problem.
Comment 8 Martin Whitaker 2016-10-20 20:51:51 CEST 
Tested kernel-desktop on two x86_64 systems:

System 1:
Intel Core i5-3550
Radeon HD 7850 (using both ati and fglrx drivers)
Atheros AR8161 Gigabit Ethernet

System 2:
Intel Core i7-3630QM
Optimus graphics (only using the intel driver)
Intel Centrino Wireless-N 2230

Tested VirtualBox on first system with both 64-bit and 32-bit guests.

Tested cpupower and perf on second system.

No regressions seen.
Comment 9 Dave Hodgins 2016-10-20 20:56:46 CEST 
During install on an i585 host install (x86_64 system), I get the message

Creating: target|kernel|dracut args|basicmodules 
remove-boot-splash: Format of /boot/initrd-4.4.26-server-1.mga5.img not recognized
You should restart your computer for kernel-server-4.4.26-1.mga5

Same for the desktop kernel. I don't recall seeing such a message before, but
the kernels both work, including the display of the boot splash, so definitly
not holding the update for this.

If no objections raised during the qa meeting in a few minutes, I'll then
validate the update.
Dave Hodgins 2016-10-20 21:07:50 CEST

Keywords: (none) => validated_update
Whiteboard: (none) => MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 10 Thomas Backlund 2016-10-20 21:20:51 CEST 
advisory added

Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory

Comment 11 Mageia Robot 2016-10-20 21:31:54 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0347.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED