Bug 22544

Summary: Update request: kernel-linus 4.14.18
Product: Mageia Reporter: Thomas Backlund <tmb>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: jim, sysadmin-bugs, tarazed25
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK, MGA6-32-OK
Source RPM: kernel-linus CVE:
Status comment:
Bug Depends on: 22525    
Bug Blocks:    

Description Thomas Backlund 2018-02-08 10:09:12 CET 
As core kernel now have catched up on Spectre/Meltdown mitigations (bug 22533), its time to update theese kernels too...

Advisory will follow...


SRPMS:
kernel-linus-4.14.18-1.mga6.src.rpm


i586:
kernel-linus-4.14.18-1.mga6-1-1.mga6.i586.rpm
kernel-linus-devel-4.14.18-1.mga6-1-1.mga6.i586.rpm
kernel-linus-devel-latest-4.14.18-1.mga6.i586.rpm
kernel-linus-doc-4.14.18-1.mga6.noarch.rpm
kernel-linus-latest-4.14.18-1.mga6.i586.rpm
kernel-linus-source-4.14.18-1.mga6-1-1.mga6.noarch.rpm
kernel-linus-source-latest-4.14.18-1.mga6.noarch.rpm


x86_64:
kernel-linus-4.14.18-1.mga6-1-1.mga6.x86_64.rpm
kernel-linus-devel-4.14.18-1.mga6-1-1.mga6.x86_64.rpm
kernel-linus-devel-latest-4.14.18-1.mga6.x86_64.rpm
kernel-linus-doc-4.14.18-1.mga6.noarch.rpm
kernel-linus-latest-4.14.18-1.mga6.x86_64.rpm
kernel-linus-source-4.14.18-1.mga6-1-1.mga6.noarch.rpm
kernel-linus-source-latest-4.14.18-1.mga6.noarch.rpm
Thomas Backlund 2018-02-08 10:09:22 CET

Depends on: (none) => 22525

Comment 1 Len Lawrence 2018-02-09 20:17:46 CET 
Started from 4.14.16-desktop-1.mga6 x86_64.
btrfs filesystem on /

Updated to kernel-linus.
Rebooted to Mate desktop.
System:    Host: vega Kernel: 4.14.18-1.mga6 x86_64
CPU:       Quad core Intel Core i7-4790K (-HT-MCP-) speed: 4400 MHz (max)
Machine:   Device: desktop Mobo: Gigabyte model: G1.Sniper Z97 v: x.x
Graphics:  Card-2: NVIDIA GK104 [GeForce GTX 770]
           GLX Version: 4.5.0 NVIDIA 384.111
RAM:       15.35 GB
Network:   Card-1: Qualcomm Atheros Killer E220x Gigabit Ethernet Controller
           driver: alx
           Card-2: Ralink RT3090 Wireless 802.11n 1T/1R PCIe driver: rt2800pci

Hardware stress tests, bluetooth sound, video, TV, networking, email all OK.

CC: (none) => tarazed25

Comment 2 Thomas Backlund 2018-02-11 17:45:31 CET 
Advisory, added to svn:


type: security
subject: Updated kernel-linus packages fix security vulnerabilities
CVE:
 - CVE-2017-5715
 - CVE-2017-5753
 - CVE-2017-15129
 - CVE-2017-17741
 - CVE-2017-1000410
src:
  6:
   core:
     - kernel-linus-4.14.18-1.mga6
description: |
  This kernel-linus update is based on the upstream 4.14.18 and and adds some
  support for mitigating  Spectre, variant 1 (CVE-2017-5753) and as it is
  built with the retpoline-aware gcc-5.5.0-1.mga6, it now provides full
  retpoline mitigation for Spectre, variant 2 (CVE-2017-5715).

  The BPF interpreter has been used as part of the spectre 2 attack
  CVE-2017-5715. To make attacker job harder introduce BPF_JIT_ALWAYS_ON
  config option that removes interpreter from the kernel in favor of JIT-only
  mode. This is now enabled by default in Mageia kernels.

  Other security fixes in this update:

  Linux kernel version 3.3-rc1 and later is affected by a vulnerability lies
  in the processing of incoming L2CAP commands - ConfigRequest, and
  ConfigResponse messages. This info leak is a result of uninitialized stack
  variables that may be returned to an attacker in their uninitialized state.
  By manipulating the code flows that precede the handling of these
  configuration messages, an attacker can also gain some control over which
  data will be held in the uninitialized stack variables. This can allow him
  to bypass KASLR, and stack canaries protection - as both pointers and stack
  canaries may be leaked in this manner (CVE-2017-1000410).

  A use-after-free vulnerability was found in network namespaces code
  affecting the Linux kernel before 4.14.11. The function get_net_ns_by_id()
  in net/core/net_namespace.c does not check for the net::count value after
  it has found a peer network in netns_ids idr, which could lead to double
  free and memory corruption. This vulnerability could allow an unprivileged
  local user to induce kernel memory corruption on the system, leading to a
  crash. Due to the nature of the flaw, privilege escalation cannot be fully
  ruled out, although it is thought to be unlikely (CVE-2017-15129).

  The KVM implementation in the Linux kernel through 4.14.7 allows attackers
  to obtain potentially sensitive information from kernel memory, aka a
  write_mmio stack-based out-of-bounds read, related to arch/x86/kvm/x86.c
  and include/trace/events/kvm.h (CVE-2017-17741).

  For other fixes in this update, read the referenced changelogs.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=22544
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.14
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.15
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.16
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.17
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.18

Keywords: (none) => advisory

Comment 3 Len Lawrence 2018-02-11 17:54:39 CET 
Installed linus desktop files.

Rebooted to Mate desktop, building nvidia and virtualbox kmods on the way.
System:    Host: difda Kernel: 4.14.18-1.mga6 x86_64
CPU:       Quad core Intel Core i7-4790 (-HT-MCP-) speed/max: 3861/4000 MHz
Machine:   Device: desktop Mobo: MSI model: Z97-G43 (MS-7816) v: 3.0
Graphics:  Card: NVIDIA GM204 [GeForce GTX 970]
           GLX Version: 4.5.0 NVIDIA 384.111
RAM:       31.37 GB
Network:   Card: Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller
           driver: r8169

Ran stress tests and glmark2.
Networking and NFS OK.  Resumed a session under virtualbox which started a 330 package update.  Sound and video running - vlc and a video with subtitles.
Installed task-printing and started cups server.  Added an HP wifi printer under HPLIP and printed a test-page.  All looking good so far.
Comment 4 James Kerr 2018-02-12 13:21:59 CET 
On mga6-64 plasma

packages installed cleanly:
- kernel-linus-4.14.18-1.mga6-1-1.mga6.x86_64
- kernel-linus-latest-4.14.18-1.mga6.x86_64

system re-booted normally
$ uname -r
4.14.18-1.mga6

Tested several commonly used applications
No regressions noted

OK for mga6-64 on this system:

Machine:   Device: desktop System: Hewlett-Packard product: CQ2925EA
           Mobo: PEGATRON model: 2AE2 v: 1.02 UEFI: AMI v: 8.08
CPU:       Dual core Intel Pentium G645T (-MCP-) cache: 3072 KB 
Graphics:  Card: Intel 2nd Generation Core Processor Family
           Display Server: Mageia X.org 119.5 drivers: v4l,intel

CC: (none) => jim

Comment 5 James Kerr 2018-02-13 15:14:12 CET 
on mga6-32 XFCE

packages installed cleanly:
- kernel-linus-4.14.18-1.mga6-1-1.mga6.i586
- kernel-linus-devel-4.14.18-1.mga6-1-1.mga6.i586
- kernel-linus-devel-latest-4.14.18-1.mga6.i586
- kernel-linus-latest-4.14.18-1.mga6.i586

system re-booted normally:
$ uname -r
4.14.18-1.mga6

# dkms status -m nvidia304
nvidia304, 304.137-2.mga6.nonfree, 4.14.18-tmb-desktop-1.mga6, i586: installed 
nvidia304, 304.137-2.mga6.nonfree, 4.14.18-server-1.mga6, i586: installed 
nvidia304, 304.137-2.mga6.nonfree, 4.14.18-1.mga6, i586: installed 

tested several commonly used applications

looks OK for mga6-32 on this system:

Machine:   Device: desktop Mobo: ECS model: GeForce7050M-M 
CPU:       Quad core AMD Phenom 9500 (-MCP-)
Graphics:  Card: NVIDIA C68 [GeForce 7050 PV / nForce 630a]
           Display Server: Mageia X.org 119.5 drivers: nvidia,v4l
Comment 6 Thomas Backlund 2018-02-15 21:58:47 CET 

Validating as its tested om both arches

Keywords: (none) => validated_update
Whiteboard: (none) => MGA6-64-OK, MGA6-32-OK
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2018-02-15 22:18:37 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0127.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED