Bug 25240

Summary: Update request: kernel-5.2.7-1.mga7
Product: Mageia Reporter: Thomas Backlund <tmb>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: brtians1, jim, sysadmin-bugs, tarazed25
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK, MGA7-32-OK
Source RPM: kernel CVE:
Status comment:
Bug Depends on: 25202    
Bug Blocks:    

Description Thomas Backlund 2019-08-08 11:31:54 CEST 
- update to kernel 5.2 branch
- security fixes, including: CVE-2019-1125 "SWAPGS" Spectre Vulnerability
- bugfixes

SRPMS:
kernel-5.2.7-1.mga7.src.rpm
kernel-userspace-headers-5.2.7-1.mga7.src.rpm

kmod-virtualbox-6.0.10-3.mga7.src.rpm

kmod-xtables-addons-3.3-57.mga7.src.rpm
xtables-addons-3.3-2.mga7.src.rpm



i586:
bpftool-5.2.7-1.mga7.i586.rpm
cpupower-5.2.7-1.mga7.i586.rpm
cpupower-devel-5.2.7-1.mga7.i586.rpm
kernel-desktop-5.2.7-1.mga7-1-1.mga7.i586.rpm
kernel-desktop586-5.2.7-1.mga7-1-1.mga7.i586.rpm
kernel-desktop586-devel-5.2.7-1.mga7-1-1.mga7.i586.rpm
kernel-desktop586-devel-latest-5.2.7-1.mga7.i586.rpm
kernel-desktop586-latest-5.2.7-1.mga7.i586.rpm
kernel-desktop-devel-5.2.7-1.mga7-1-1.mga7.i586.rpm
kernel-desktop-devel-latest-5.2.7-1.mga7.i586.rpm
kernel-desktop-latest-5.2.7-1.mga7.i586.rpm
kernel-doc-5.2.7-1.mga7.noarch.rpm
kernel-server-5.2.7-1.mga7-1-1.mga7.i586.rpm
kernel-server-devel-5.2.7-1.mga7-1-1.mga7.i586.rpm
kernel-server-devel-latest-5.2.7-1.mga7.i586.rpm
kernel-server-latest-5.2.7-1.mga7.i586.rpm
kernel-source-5.2.7-1.mga7-1-1.mga7.noarch.rpm
kernel-source-latest-5.2.7-1.mga7.noarch.rpm
kernel-userspace-headers-5.2.7-1.mga7.i586.rpm
libbpf0-5.2.7-1.mga7.i586.rpm
libbpf-devel-5.2.7-1.mga7.i586.rpm
perf-5.2.7-1.mga7.i586.rpm

virtualbox-kernel-5.2.7-desktop-1.mga7-6.0.10-3.mga7.i586.rpm
virtualbox-kernel-5.2.7-desktop586-1.mga7-6.0.10-3.mga7.i586.rpm
virtualbox-kernel-5.2.7-server-1.mga7-6.0.10-3.mga7.i586.rpm
virtualbox-kernel-desktop586-latest-6.0.10-3.mga7.i586.rpm
virtualbox-kernel-desktop-latest-6.0.10-3.mga7.i586.rpm
virtualbox-kernel-server-latest-6.0.10-3.mga7.i586.rpm

dkms-xtables-addons-3.3-2.mga7.i586.rpm
iptaccount-3.3-2.mga7.i586.rpm
libaccount0-3.3-2.mga7.i586.rpm
libaccount-devel-3.3-2.mga7.i586.rpm
xtables-addons-3.3-2.mga7.i586.rpm
xtables-addons-kernel-5.2.7-desktop-1.mga7-3.3-57.mga7.i586.rpm
xtables-addons-kernel-5.2.7-desktop586-1.mga7-3.3-57.mga7.i586.rpm
xtables-addons-kernel-5.2.7-server-1.mga7-3.3-57.mga7.i586.rpm
xtables-addons-kernel-desktop586-latest-3.3-57.mga7.i586.rpm
xtables-addons-kernel-desktop-latest-3.3-57.mga7.i586.rpm
xtables-addons-kernel-server-latest-3.3-57.mga7.i586.rpm
xtables-geoip-3.3-2.mga7.noarch.rpm



x86_64:
bpftool-5.2.7-1.mga7.x86_64.rpm
cpupower-5.2.7-1.mga7.x86_64.rpm
cpupower-devel-5.2.7-1.mga7.x86_64.rpm
kernel-desktop-5.2.7-1.mga7-1-1.mga7.x86_64.rpm
kernel-desktop-devel-5.2.7-1.mga7-1-1.mga7.x86_64.rpm
kernel-desktop-devel-latest-5.2.7-1.mga7.x86_64.rpm
kernel-desktop-latest-5.2.7-1.mga7.x86_64.rpm
kernel-doc-5.2.7-1.mga7.noarch.rpm
kernel-server-5.2.7-1.mga7-1-1.mga7.x86_64.rpm
kernel-server-devel-5.2.7-1.mga7-1-1.mga7.x86_64.rpm
kernel-server-devel-latest-5.2.7-1.mga7.x86_64.rpm
kernel-server-latest-5.2.7-1.mga7.x86_64.rpm
kernel-source-5.2.7-1.mga7-1-1.mga7.noarch.rpm
kernel-source-latest-5.2.7-1.mga7.noarch.rpm
kernel-userspace-headers-5.2.7-1.mga7.x86_64.rpm
lib64bpf0-5.2.7-1.mga7.x86_64.rpm
lib64bpf-devel-5.2.7-1.mga7.x86_64.rpm
perf-5.2.7-1.mga7.x86_64.rpm

virtualbox-kernel-5.2.7-desktop-1.mga7-6.0.10-3.mga7.x86_64.rpm
virtualbox-kernel-5.2.7-server-1.mga7-6.0.10-3.mga7.x86_64.rpm
virtualbox-kernel-desktop-latest-6.0.10-3.mga7.x86_64.rpm
virtualbox-kernel-server-latest-6.0.10-3.mga7.x86_64.rpm

dkms-xtables-addons-3.3-2.mga7.x86_64.rpm
iptaccount-3.3-2.mga7.x86_64.rpm
lib64account0-3.3-2.mga7.x86_64.rpm
lib64account-devel-3.3-2.mga7.x86_64.rpm
xtables-addons-3.3-2.mga7.x86_64.rpm
xtables-addons-kernel-5.2.7-desktop-1.mga7-3.3-57.mga7.x86_64.rpm
xtables-addons-kernel-5.2.7-server-1.mga7-3.3-57.mga7.x86_64.rpm
xtables-addons-kernel-desktop-latest-3.3-57.mga7.x86_64.rpm
xtables-addons-kernel-server-latest-3.3-57.mga7.x86_64.rpm
xtables-geoip-3.3-2.mga7.noarch.rpm
Comment 1 Thomas Backlund 2019-08-08 11:40:22 CEST 
Note that this one is also already in Cauldron since ~1 day, so it's already being tested
Comment 2 Thomas Backlund 2019-08-08 11:45:21 CEST 
Works here on x86_64 server, desktop and laptop without issues...
Comment 3 Brian Rockwell 2019-08-08 20:04:57 CEST 
AMD x3, Nvidia 730GT (Nvidia 390 driver) - phys hardware

- cpupower-5.2.7-1.mga7.x86_64
- kernel-desktop-5.2.7-1.mga7-1-1.mga7.x86_64
- kernel-desktop-devel-5.2.7-1.mga7-1-1.mga7.x86_64
- kernel-desktop-devel-latest-5.2.7-1.mga7.x86_64
- kernel-desktop-latest-5.2.7-1.mga7.x86_64


Rebooted - it failed to nouveau after attempting to build 390 driver

I installed nvidia390.390-129 driver and dkms for it.

Configured nvidia and rebooted - then it worked properly.

Does this depend on the nvidia390-390.129-1 modules?

CC: (none) => brtians1

Comment 4 Thomas Backlund 2019-08-08 20:13:34 CEST 
Ah, indeed I forgot to mention that we need to push nvidia390 before this goes out, sorry about that :/

Depends on: (none) => 25202

Comment 5 Len Lawrence 2019-08-08 20:23:10 CEST 
mga7, x86_64

Installed all the desktop packages plus kernel-firmware-nonfree.

Working fine here also on Intel Core i9-7900X type: MT MCP
NVIDIA GP102 [GeForce GTX 1080 Ti] - nvidia 430.40

CC: (none) => tarazed25

Comment 6 Len Lawrence 2019-08-09 00:19:49 CEST 
mga7, x86_64

Also running fine on an old Alienware X51 desktop machine.
Intel Core i7-2600 type: MT MCP
NVIDIA GF114 [GeForce GTX 555] - nvidia 390.129
Comment 7 James Kerr 2019-08-09 12:04:37 CEST 
on mga7-64  kernel-desktop  plasma

packages installed cleanly:
- cpupower-5.2.7-1.mga7.x86_64
- kernel-desktop-5.2.7-1.mga7-1-1.mga7.x86_64
- kernel-desktop-devel-5.2.7-1.mga7-1-1.mga7.x86_64
- kernel-desktop-devel-latest-5.2.7-1.mga7.x86_64
- kernel-desktop-latest-5.2.7-1.mga7.x86_64
- kernel-userspace-headers-5.2.7-1.mga7.x86_64
- virtualbox-kernel-5.2.7-desktop-1.mga7-6.0.10-3.mga7.x86_64
- virtualbox-kernel-desktop-latest-6.0.10-3.mga7.x86_64

system re-booted normally:

$ uname -r
5.2.7-desktop-1.mga7

# dkms status
virtualbox, 6.0.10-1.mga7, 5.2.7-desktop-1.mga7, x86_64: installed-binary from 5.2.7-desktop-1.mga7

vbox and clients launched normally

no regressions observed

looks OK for mga7-64 on this system:

Mobo: Dell model: 09WH54 v: UEFI [Legacy]: Dell v: 2.13.1 
CPU: Intel Core i7-6700
Graphics: Intel HD Graphics 530 (Skylake GT2)

also updated to kernel-desktop586-5.2.7-1 in a mga7 32 bit vbox VM - 
no regressions observed

CC: (none) => jim

Comment 8 Thomas Backlund 2019-08-10 15:25:35 CEST 
Advisory, added to svn:

type: security
subject: Updated kernel packages fix security vulnerabilities
CVE:
 - CVE-2019-1125
 - CVE-2019-10207
src:
  7:
   core:
     - kernel-5.2.7-1.mga7
     - kernel-userspace-headers-5.2.7-1.mga7
     - kmod-virtualbox-6.0.10-3.mga7
     - kmod-xtables-addons-3.3-57.mga7
     - xtables-addons-3.3-2.mga7
     - ldetect-lst-0.6.3-1.mga7
description: |
  This kernel update provides an update to the kernel 5.2 series, currently
  based on 5.2.7 adding support for newer hardware and other new features.
  It also fixes atleast the following security issues:

  A Spectre SWAPGS gadget was found in the Linux kernel's implementation of
  system interrupts. An attacker with local access could use this information
  to reveal private data through a Spectre like side channel (CVE-2019-1125).

  A flaw was found in the Linux kernel’s Bluetooth implementation of UART.
  An attacker with local access and write permissions to the Bluetooth
  hardware could use this flaw to issue a specially crafted ioctl function
  call and cause the system to crash (CVE-2019-10207).

  It also fixes an issue with newer Intel Wireless cards having firmware
  crashes with newer iwlwifi firmwares (mga#25143)

  For other uptstream features, changes and fixes in this update, see the
  referenced changelogs.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=25240
 - https://bugs.mageia.org/show_bug.cgi?id=25143
 - https://kernelnewbies.org/Linux_5.2
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-5.2.1
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-5.2.2
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-5.2.3
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-5.2.4
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-5.2.5
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-5.2.6
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-5.2.7

Keywords: (none) => advisory

Comment 9 Brian Rockwell 2019-08-10 20:13:43 CEST 
PHys Hardware 

AMD A6-APU  --> R4 (Laptop)

Installed the desktop kernel, it working as designed.

$ uname -a
Linux localhost.localdomain 5.2.7-desktop-1.mga7 #1 SMP Wed Aug 7 10:32:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Comment 10 Len Lawrence 2019-08-11 21:42:48 CEST 
x86_64

Quad Core: Intel Core i7-4790 type: MT MCP
NVIDIA GM204 [GeForce GTX 970] driver: nvidia v: 430.40

Installed or updated everything except the server packages.
nvidia and virtualbox modules rebuilt at the same time.

Had a look at the iptaccount modifications for shorewall but could not figure out what to use for eth1.  eth0 is fairly obvious but the name of the internet facing adapter on the router is not.

Rebooted smoothly to Mate desktop where everything is running fine.
# dkms status
virtualbox, 6.0.10-1.mga7, 5.2.7-desktop-1.mga7, x86_64: installed 
virtualbox, 6.0.10-1.mga7, 5.1.20-desktop-2.mga7, x86_64: installed 
nvidia-current, 430.40-1.mga7.nonfree, 5.2.7-desktop-1.mga7, x86_64: installed 
nvidia-current, 430.40-1.mga7.nonfree, 5.1.20-desktop-2.mga7, x86_64: installed 
xtables-addons, 3.3-2.mga7, 5.1.20-desktop-2.mga7, x86_64: installed 
xtables-addons, 3.3-2.mga7, 5.2.7-desktop-1.mga7, x86_64: installed-binary from 5.2.7-desktop-1.mga7
virtualbox, 6.0.10-1.mga7, 5.2.7-desktop-1.mga7, x86_64: installed-binary from 5.2.7-desktop-1.mga7
......
Thomas Backlund 2019-08-12 22:20:35 CEST

Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK, MGA7-32-OK
CC: (none) => sysadmin-bugs

Comment 11 Mageia Robot 2019-08-12 23:09:38 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0220.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED