Bug 19725

Summary: Update request: kernel-4.4.30-2.mga5
Product: Mageia Reporter: Thomas Backlund <tmb>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, jim, lewyssmith, sysadmin-bugs, wilcal.int
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5-64-OK MGA5-32-OK advisory
Source RPM: kernel CVE:
Status comment:

Description Thomas Backlund 2016-11-06 17:45:48 CET 
So a new kernel with more security fixes, and some regression fixes for amdgpu/radeon when using displayport (since our 4.4.22 release, https://bugs.mageia.org/show_bug.cgi?id=19707, fix confirmed)

Now theese are already in "rabbit build tree" so they will be on mga 5.1 isos unless there are some big breakage...


So give them a spin and lets flush'em out soon-ish...

Advisory to follow....


SRPMS:
kernel-4.4.30-2.mga5.src.rpm
kernel-userspace-headers-4.4.30-2.mga5.src.rpm
kmod-vboxadditions-5.1.2-10.mga5.src.rpm
kmod-virtualbox-5.1.2-10.mga5.src.rpm
kmod-xtables-addons-2.10-15.mga5.src.rpm


i586:
cpupower-4.4.30-2.mga5.i586.rpm
cpupower-devel-4.4.30-2.mga5.i586.rpm
kernel-desktop-4.4.30-2.mga5-1-1.mga5.i586.rpm
kernel-desktop586-4.4.30-2.mga5-1-1.mga5.i586.rpm
kernel-desktop586-devel-4.4.30-2.mga5-1-1.mga5.i586.rpm
kernel-desktop586-devel-latest-4.4.30-2.mga5.i586.rpm
kernel-desktop586-latest-4.4.30-2.mga5.i586.rpm
kernel-desktop-devel-4.4.30-2.mga5-1-1.mga5.i586.rpm
kernel-desktop-devel-latest-4.4.30-2.mga5.i586.rpm
kernel-desktop-latest-4.4.30-2.mga5.i586.rpm
kernel-doc-4.4.30-2.mga5.noarch.rpm
kernel-server-4.4.30-2.mga5-1-1.mga5.i586.rpm
kernel-server-devel-4.4.30-2.mga5-1-1.mga5.i586.rpm
kernel-server-devel-latest-4.4.30-2.mga5.i586.rpm
kernel-server-latest-4.4.30-2.mga5.i586.rpm
kernel-source-4.4.30-2.mga5-1-1.mga5.noarch.rpm
kernel-source-latest-4.4.30-2.mga5.noarch.rpm
kernel-userspace-headers-4.4.30-2.mga5.i586.rpm
perf-4.4.30-2.mga5.i586.rpm

vboxadditions-kernel-4.4.30-desktop-2.mga5-5.1.2-10.mga5.i586.rpm
vboxadditions-kernel-4.4.30-desktop586-2.mga5-5.1.2-10.mga5.i586.rpm
vboxadditions-kernel-4.4.30-server-2.mga5-5.1.2-10.mga5.i586.rpm
vboxadditions-kernel-desktop586-latest-5.1.2-10.mga5.i586.rpm
vboxadditions-kernel-desktop-latest-5.1.2-10.mga5.i586.rpm
vboxadditions-kernel-server-latest-5.1.2-10.mga5.i586.rpm

virtualbox-kernel-4.4.30-desktop-2.mga5-5.1.2-10.mga5.i586.rpm
virtualbox-kernel-4.4.30-desktop586-2.mga5-5.1.2-10.mga5.i586.rpm
virtualbox-kernel-4.4.30-server-2.mga5-5.1.2-10.mga5.i586.rpm
virtualbox-kernel-desktop586-latest-5.1.2-10.mga5.i586.rpm
virtualbox-kernel-desktop-latest-5.1.2-10.mga5.i586.rpm
virtualbox-kernel-server-latest-5.1.2-10.mga5.i586.rpm

xtables-addons-kernel-4.4.30-desktop-2.mga5-2.10-15.mga5.i586.rpm
xtables-addons-kernel-4.4.30-desktop586-2.mga5-2.10-15.mga5.i586.rpm
xtables-addons-kernel-4.4.30-server-2.mga5-2.10-15.mga5.i586.rpm
xtables-addons-kernel-desktop586-latest-2.10-15.mga5.i586.rpm
xtables-addons-kernel-desktop-latest-2.10-15.mga5.i586.rpm
xtables-addons-kernel-server-latest-2.10-15.mga5.i586.rpm



x86_64:
cpupower-4.4.30-2.mga5.x86_64.rpm
cpupower-devel-4.4.30-2.mga5.x86_64.rpm
kernel-desktop-4.4.30-2.mga5-1-1.mga5.x86_64.rpm
kernel-desktop-devel-4.4.30-2.mga5-1-1.mga5.x86_64.rpm
kernel-desktop-devel-latest-4.4.30-2.mga5.x86_64.rpm
kernel-desktop-latest-4.4.30-2.mga5.x86_64.rpm
kernel-doc-4.4.30-2.mga5.noarch.rpm
kernel-server-4.4.30-2.mga5-1-1.mga5.x86_64.rpm
kernel-server-devel-4.4.30-2.mga5-1-1.mga5.x86_64.rpm
kernel-server-devel-latest-4.4.30-2.mga5.x86_64.rpm
kernel-server-latest-4.4.30-2.mga5.x86_64.rpm
kernel-source-4.4.30-2.mga5-1-1.mga5.noarch.rpm
kernel-source-latest-4.4.30-2.mga5.noarch.rpm
kernel-userspace-headers-4.4.30-2.mga5.x86_64.rpm
perf-4.4.30-2.mga5.x86_64.rpm

vboxadditions-kernel-4.4.30-desktop-2.mga5-5.1.2-10.mga5.x86_64.rpm
vboxadditions-kernel-4.4.30-server-2.mga5-5.1.2-10.mga5.x86_64.rpm
vboxadditions-kernel-desktop-latest-5.1.2-10.mga5.x86_64.rpm
vboxadditions-kernel-server-latest-5.1.2-10.mga5.x86_64.rpm

virtualbox-kernel-4.4.30-desktop-2.mga5-5.1.2-10.mga5.x86_64.rpm
virtualbox-kernel-4.4.30-server-2.mga5-5.1.2-10.mga5.x86_64.rpm
virtualbox-kernel-desktop-latest-5.1.2-10.mga5.x86_64.rpm
virtualbox-kernel-server-latest-5.1.2-10.mga5.x86_64.rpm

xtables-addons-kernel-4.4.30-desktop-2.mga5-2.10-15.mga5.x86_64.rpm
xtables-addons-kernel-4.4.30-server-2.mga5-2.10-15.mga5.x86_64.rpm
xtables-addons-kernel-desktop-latest-2.10-15.mga5.x86_64.rpm
xtables-addons-kernel-server-latest-2.10-15.mga5.x86_64.rpm
Comment 1 Thomas Backlund 2016-11-06 21:00:28 CET 
Advisory:

This update is based on the upstream 4.4.30 kernel and fixes atleast theese
security issues:

The filesystem implementation in the Linux kernel through 4.8.2 preserves
the setgid bit during a setxattr call, which allows local users to gain
group privileges by leveraging the existence of a setgid program with
restrictions on execute permissions (CVE-2016-7097).

Stack-based buffer overflow in the brcmf_cfg80211_start_ap function in 
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux
kernel before 4.7.5 allows local users to cause a denial of service
(system crash) or possibly have unspecified other impact via a long SSID
Information Element in a command to a Netlink socket (CVE-2016-8658).

The IP stack in the Linux kernel before 4.6 allows remote attackers to
cause a denial of service (stack consumption and panic) or possibly have
unspecified other impact by triggering use of the GRO path for packets with
tunnel stacking, as demonstrated by interleaved IPv4 headers and GRE headers,
a related issue to CVE-2016-7039 (CVE-2016-8666).

The fix for CVE-2016-7039 added in MGASA-2016-0347 has been updated to the
final version merged upstream.

This update also resolves a regression where amdgpu and radeon users would
not get any display when using displayport (upstream regression introduced
in 4.4.21, mga#19707)

For other upstream fixes in this update, read the referenced changelogs.


References:
https://bugs.mageia.org/show_bug.cgi?id=19725
https://bugs.mageia.org/show_bug.cgi?id=19707
http://advisories.mageia.org/MGASA-2016-0347.html
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.27
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.28
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.29
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.30
Comment 2 Thomas Backlund 2016-11-06 21:34:04 CET 
x86_64 server kernel runs fine on 3 live servers here, and desktop kernel on a laptop.
Comment 3 William Kenney 2016-11-06 22:06:01 CET 
In VirtualBox, M5, KDE, 32-bit

boot with "nomodeset" kernel option

Package(s) under test:
kernel-desktop-latest vboxadditions-kernel-desktop-latest kernel-desktop-devel-latest

default install of kernel-desktop-latest

[root@localhost wilcal]# uname -a
Linux localhost.localdomain 4.4.26-desktop586-1.mga5 #1 SMP Thu Oct 20 09:31:15 UTC 2016 i686 i686 i686 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop-latest
Package kernel-desktop-latest-4.4.26-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi vboxadditions-kernel-desktop-latest
Package vboxadditions-kernel-desktop-latest-5.1.2-8.mga5.i586 is already installed
[root@localhost wilcal]# urpmi kernel-desktop-devel-latest
Package kernel-desktop-devel-latest-4.4.26-1.mga5.i586 is already installed

System boots to a working desktop. Common apps work. Screen dimensions are correct.

install kernel-desktop-latest from updates_testing

[root@localhost wilcal]# uname -a
Linux localhost.localdomain 4.4.26-desktop586-1.mga5 #1 SMP Thu Oct 20 09:31:15 UTC 2016 i686 i686 i686 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop-latest
Package kernel-desktop-latest-4.4.30-2.mga5.i586 is already installed
[root@localhost wilcal]# urpmi vboxadditions-kernel-desktop-latest
Package vboxadditions-kernel-desktop-latest-5.1.2-10.mga5.i586 is already installed
[root@localhost wilcal]# urpmi kernel-desktop-devel-latest
Package kernel-desktop-devel-latest-4.4.30-2.mga5.i586 is already installed

System boots to a working desktop. Common apps work. Screen dimensions are correct.

CC: (none) => wilcal.int

Comment 4 William Kenney 2016-11-06 22:06:30 CET 
In VirtualBox, M5, KDE, 64-bit

boot with "nomodeset" kernel option

Package(s) under test:
kernel-desktop-latest vboxadditions-kernel-desktop-latest kernel-desktop-devel-latest

default install of kernel-desktop-latest

[root@localhost wilcal]# uname -a
Linux localhost.localdomain 4.4.26-desktop-1.mga5 #1 SMP Thu Oct 20 09:30:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop-latest
Package kernel-desktop-latest-4.4.26-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi vboxadditions-kernel-desktop-latest
Package vboxadditions-kernel-desktop-latest-5.1.2-8.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi kernel-desktop-devel-latest
Package kernel-desktop-devel-latest-4.4.26-1.mga5.x86_64 is already installed

System boots to a working desktop. Common apps work. Screen dimensions are correct.

install kernel-desktop-latest from updates_testing

[root@localhost wilcal]# uname -a
Linux localhost.localdomain 4.4.30-desktop-2.mga5 #1 SMP Fri Nov 4 19:17:03 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop-latest
Package kernel-desktop-latest-4.4.30-2.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi vboxadditions-kernel-desktop-latest
Package vboxadditions-kernel-desktop-latest-5.1.2-10.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi kernel-desktop-devel-latest
Package kernel-desktop-devel-latest-4.4.30-2.mga5.x86_64 is already installed

System boots to a working desktop. Common apps work. Screen dimensions are correct.
Comment 5 Thomas Andrews 2016-11-07 00:42:39 CET 
On real hardware:

AMD Athlon X2 7750, nvidia graphics using 340 driver, 64-bit server kernel.
Intel i3, Intel graphics, Intel wifi, 64-bit desktop kernel.

Both systems already had VirtualBox 5.1.8 installed, so the kernel modules were build locally by dkms.

Both systems function normally. No regressions noted. Thunderbird, Firefox, VLC, VirtualBox all work. Mageia VirtualBox guests still need "nomodeset" option to boot.

CC: (none) => andrewsfarm

Comment 6 Thomas Andrews 2016-11-07 01:28:12 CET 
On real hardware:

Dell Dimension E310, P4 processor, Intel graphics, BCM4318 wifi, 32-bit desktop kernel.

System appears to function normally. Common apps work. No regressions noted.
Comment 7 William Kenney 2016-11-07 02:48:57 CET 
On real hardware, M5, KDE, 64-bit

initial install:
kernel-desktop-latest
virtualbox vboxadditions-kernel-desktop-latest dkms-virtualbox
virtualbox-guest-additions virtualbox-kernel-desktop-latest x11-driver-video-vboxvideo
kernel-desktop-devel-latest nvidia-current-kernel-desktop-latest

[root@localhost wilcal]# uname -a
Linux localhost 4.4.26-desktop-1.mga5 #1 SMP Thu Oct 20 09:30:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop-latest
Package kernel-desktop-latest-4.4.26-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-5.1.2-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi vboxadditions-kernel-desktop-latest
Package vboxadditions-kernel-desktop-latest-5.1.2-8.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi dkms-virtualbox
Package dkms-virtualbox-5.1.2-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi virtualbox-guest-additions
Package virtualbox-guest-additions-5.1.2-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox-kernel-desktop-latest
Package virtualbox-kernel-desktop-latest-5.1.2-8.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-driver-video-vboxvideo
Package x11-driver-video-vboxvideo-5.1.2-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi kernel-desktop-devel-latest
Package kernel-desktop-devel-latest-4.4.26-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi nvidia-current-kernel-desktop-latest
Package nvidia-current-kernel-desktop-latest-352.79-10.mga5.nonfree.x86_64 is already installed
[wilcal@localhost ~]$ lspci -k
01:00.0 VGA compatible controller: NVIDIA Corporation GF108 [GeForce GT 440] (rev a1)
        Subsystem: Gigabyte Technology Co., Ltd Device 3518
        Kernel driver in use: nvidia

M5 i586 Gnome Live-CD runs as a Vbox client.
Boots to a working desktop. Common apps work.
Screen sizes are correct.

install or check:
kernel-desktop-latest
virtualbox vboxadditions-kernel-desktop-latest dkms-virtualbox
virtualbox-guest-additions virtualbox-kernel-desktop-latest x11-driver-video-vboxvideo
kernel-desktop-devel-latest nvidia-current-kernel-desktop-latest
from updates_testing

[[root@localhost wilcal]# uname -a
Linux localhost 4.4.30-desktop-2.mga5 #1 SMP Fri Nov 4 19:17:03 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop-latest
Package kernel-desktop-latest-4.4.30-2.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox
Package virtualbox-5.1.2-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi vboxadditions-kernel-desktop-latest
Package vboxadditions-kernel-desktop-latest-5.1.2-10.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi dkms-virtualbox
Package dkms-virtualbox-5.1.2-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi virtualbox-guest-additions
Package virtualbox-guest-additions-5.1.2-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi virtualbox-kernel-desktop-latest
Package virtualbox-kernel-desktop-latest-5.1.2-10.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi x11-driver-video-vboxvideo
Package x11-driver-video-vboxvideo-5.1.2-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi kernel-desktop-devel-latest
Package kernel-desktop-devel-latest-4.4.30-2.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi nvidia-current-kernel-desktop-latest
Package nvidia-current-kernel-desktop-latest-352.79-10.mga5.nonfree.x86_64 is already installed
[wilcal@localhost ~]$ lspci -k
01:00.0 VGA compatible controller: NVIDIA Corporation GF108 [GeForce GT 440] (rev a1)
        Subsystem: Gigabyte Technology Co., Ltd Device 3518
        Kernel driver in use: nvidia

System boots to a working desktop. Common apps work.
Previously created M5 i586 Gnome Live-CD runs as a Vbox client.
M5 KDE x86_64 Live-DVD runs as a Vbox client.
M5 x86_64 KDE Live-DVD runs, installs and updates as a Vbox client.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)

looks good
Comment 8 James Kerr 2016-11-07 14:54:25 CET 
On mga5-32

Packages installed:

- cpupower-4.4.30-2.mga5.i586
- kernel-desktop-4.4.30-2.mga5-1-1.mga5.i586
- kernel-desktop-latest-4.4.30-2.mga5.i586

Packages installed cleanly
Re-booted to KDE desktop
No regressions noted

OK for mga5-32 on this system:

mobo: ECS model: GeForce7050M-M v: 1.0
CPU:  Quad core AMD Phenom 9500 (-MCP-)
Graphics:  Card: NVIDIA GF108 [GeForce GT 630]
           Display Server: X.Org 1.16.4 drivers: v4l,nouveau 
Boot: legacy BIOS
Disk: GPT partitions

CC: (none) => jim

Comment 9 James Kerr 2016-11-07 16:05:32 CET 
On mga5-64

Packages installed:

- cpupower-4.4.30-2.mga5.x86_64
- kernel-desktop-4.4.30-2.mga5-1-1.mga5.x86_64
- kernel-desktop-latest-4.4.30-2.mga5.x86_64

Packages installed cleanly
Re-booted to KDE desktop
No regressions noted

OK for mga5-64 on this system:

mobo: ECS model: GeForce7050M-M v: 1.0
CPU:  Quad core AMD Phenom 9500 (-MCP-)
Graphics:  Card: NVIDIA GF108 [GeForce GT 630]
           Display Server: X.Org 1.16.4 drivers: v4l,nouveau 
Boot: legacy BIOS
Disk: GPT partitions
Comment 10 James Kerr 2016-11-07 18:01:40 CET 
on mga5-64

Packages installed:

- cpupower-4.4.30-2.mga5.x86_64
- kernel-desktop-4.4.30-2.mga5-1-1.mga5.x86_64
- kernel-desktop-latest-4.4.30-2.mga5.x86_64
- kernel-userspace-headers-4.4.30-2.mga5.x86_64
- virtualbox-kernel-4.4.30-desktop-2.mga5-5.1.2-10.mga5.x86_64
- virtualbox-kernel-desktop-latest-5.1.2-10.mga5.x86_64

Packages installed cleanly
Re-booted to KDE desktop
Virtualbox launched and VM runs normally
No regressions noted

OK for mga5-64 on this system:

System: Hewlett-Packard product: CQ2925EA v: 1.00
Mobo: PEGATRON model: 2AE2 v: 1.02 
CPU:  Dual core Intel Pentium G645T (-MCP-) 
Graphics:  Card: Intel 2nd Generation Core Processor Family Integrated Graphics 
           Display Server: X.Org 1.16.4 drivers: v4l,intel 
Boot: EFI
Disk: GPT partitions
Comment 11 Lewis Smith 2016-11-09 21:17:14 CET 
Mageia 5 x64 real h/w with AMD/ATI/Radeon video

 cpupower-4.4.30-2.mga5
 kernel-desktop-4.4.30-2.mga5-1-1.mga5
 kernel-desktop-devel-4.4.30-2.mga5-1-1.mga5
 kernel-desktop-devel-latest-4.4.30-2.mga5
 kernel-desktop-latest-4.4.30-2.mga5
 kernel-userspace-headers-4.4.30-2.mga5

Have used this intermittently (because of needing to remember to select it specifically from the Grub2 'advanced' boot menu) without visible problems.
For me OK.

CC: (none) => lewyssmith

Comment 12 David Walser 2016-11-09 21:25:15 CET 
Running fine for me on an i586 Dell laptop and a couple different x86_64 workstations.  I think this can be validated.
Comment 13 Lewis Smith 2016-11-10 10:44:40 CET 
Thank you David for the 'OK'. OK'd both architectures, validated, advisory uploaded.

Re Advisory: I first commited this with just 'kernel' SRPM, but have added the others from Comment 0. Puzzled by the version differences (SRPM & derived packages) for the 3 'kmod' SRPMs.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA5-64-OK MGA5-32-OK advisory
CC: (none) => sysadmin-bugs

Comment 14 Mageia Robot 2016-11-10 15:08:06 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0372.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED