Bug 27597

Summary: microcode new security issues CVE-2020-869[4568]
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: fri, herman.viaene, nicolas.salguero, ouaurelien, sysadmin-bugs
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: microcode-0.2020616-1.mga7.nonfree.src.rpm
CVE:
Status comment:

Description David Walser 2020-11-11 17:57:22 CET
Red Hat has issued an advisory today (November 11):
https://access.redhat.com/errata/RHSA-2020:5085

The issues are fixed upstream in 20201027.

Mageia 7 is also affected.

We should make sure the fix in Bug 26995 is applied to Mageia 7 as well.

David Walser 2020-11-11 17:57:29 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Nicolas Salguero 2020-11-12 09:46:52 CET
Suggested advisory:
========================

The updated package fixes a packaging issue and security vulnerabilities:

Insufficient access control in the Linux kernel driver for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2020-8694)

Observable discrepancy in the RAPL interface for some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access. (CVE-2020-8695)

Improper removal of sensitive information before storage or transfer in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2020-8696)

Improper isolation of shared resources in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2020-8698)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8694
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8695
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8696
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8698
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00381.html
https://access.redhat.com/errata/RHSA-2020:5085
https://bugs.mageia.org/show_bug.cgi?id=26995
========================

Updated package in nonfree/updates_testing:
========================
microcode-0.20201110-1.mga7.nonfree

from SRPM:
microcode-0.20201110-1.mga7.nonfree.src.rpm

Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Summary: microcode new security issues CVE-2020-869[568] => microcode new security issues CVE-2020-869[4568]
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Source RPM: microcode-0.2020616-2.mga8.nonfree.src.rpm => microcode-0.2020616-1.mga7.nonfree.src.rpm

Nicolas Salguero 2020-11-12 09:47:10 CET

CC: (none) => nicolas.salguero

Comment 2 Morgan Leijström 2020-11-12 23:24:09 CET
No problem here after a couple of hours on my workstation, with BOINC exercising the CPU and GPU fully while I surf bugs, edit photos, etc...

That said, I do not know why the journal says microcode date = 2019-02-13
- I guess my CPU i7-3770 is old and there is no patch later than that for it?


nov 12 21:08:53 svarten.tribun kernel: microcode: microcode updated early to revision 0x21, date = 2019-02-13
nov 12 21:08:53 svarten.tribun kernel: SRBDS: Vulnerable: No microcode
nov 12 21:08:53 svarten.tribun kernel: microcode: sig=0x306a9, pf=0x2, revision=0x21
nov 12 21:08:53 svarten.tribun kernel: microcode: Microcode Update Driver: v2.2.

CC: (none) => fri

Comment 3 Herman Viaene 2020-11-13 15:43:11 CET
MGA7-64 MATE on Peaq C1011
No installation issues
Doing normal things, reading documents, viewing photos, net access, etc.... All seems normal

CC: (none) => herman.viaene

Comment 4 Aurelien Oudelet 2020-11-13 18:03:09 CET
Mageia 7 x86_64 Intel Core i5 6600K Skylake.
Update to microcode-0.20201110-1.mga7.nonfree is OK.
Reboot is OK
Basic computer use is OK.
No thermal issue.

$ journalctl -b | grep microcode
nov. 13 17:07:47 mageia.local kernel: microcode: microcode updated early to revision 0xe2, date = 2020-07-14
nov. 13 17:07:47 mageia.local kernel: microcode: sig=0x506e3, pf=0x2, revision=0xe2
nov. 13 17:07:47 mageia.local kernel: microcode: Microcode Update Driver: v2.2.
This system does not seem to be vulnerable according to Intel Advisories.

Tested case of a M7 new installation under a VM with Classic ISO, for bug 26995:
Installer can't let me choose updates_testing repo.

Validating update. Package and advisory in Comment 1.
Advisory pushed to SVN.

CC: (none) => ouaurelien
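
The check the testers ran by hand with `journalctl -b | grep microcode`, as an added example that is not part of the original report: it parses the kernel lines posted in Comments 2 and 4 and flags a mismatch between the early-loaded and running revision, or any kernel "Vulnerable" status line. The function names `summarize` and `findings` are hypothetical, and the optional per-core `CPUn` prefix is an assumption about other kernel versions.

```python
import re

# Kernel log lines as posted in Comment 2 and Comment 4 of this report.
COMMENT_2_LOG = """\
nov 12 21:08:53 svarten.tribun kernel: microcode: microcode updated early to revision 0x21, date = 2019-02-13
nov 12 21:08:53 svarten.tribun kernel: SRBDS: Vulnerable: No microcode
nov 12 21:08:53 svarten.tribun kernel: microcode: sig=0x306a9, pf=0x2, revision=0x21
"""
COMMENT_4_LOG = """\
nov. 13 17:07:47 mageia.local kernel: microcode: microcode updated early to revision 0xe2, date = 2020-07-14
nov. 13 17:07:47 mageia.local kernel: microcode: sig=0x506e3, pf=0x2, revision=0xe2
"""

EARLY = re.compile(r"microcode updated early to revision (0x[0-9a-f]+), date = (\d{4}-\d{2}-\d{2})")
# Assumption: some kernels print one line per core with a "CPUn " prefix.
RUNNING = re.compile(r"microcode: (?:CPU\d+ )?sig=(0x[0-9a-f]+), pf=0x[0-9a-f]+, revision=(0x[0-9a-f]+)")
# Mitigation status lines such as "SRBDS: Vulnerable: No microcode".
STATUS = re.compile(r"kernel: ([^:]+): Vulnerable(?:: (.+))?$")

def summarize(log_text):
    """Collect microcode facts from kernel log text (e.g. journalctl -b output)."""
    info = {"early": None, "sigs": set(), "revisions": set(), "vulnerable": []}
    for line in log_text.splitlines():
        if m := EARLY.search(line):
            info["early"] = (m.group(1), m.group(2))      # (revision, date)
        elif m := RUNNING.search(line):
            info["sigs"].add(m.group(1))
            info["revisions"].add(m.group(2))
        elif m := STATUS.search(line):
            info["vulnerable"].append((m.group(1), m.group(2)))
    return info

def findings(info):
    """Return human-readable findings; an empty list means nothing was flagged."""
    out = []
    if info["early"] is None:
        out.append("no early microcode load logged")
    elif info["revisions"] and info["revisions"] != {info["early"][0]}:
        out.append("running revision differs from early-loaded revision")
    if len(info["revisions"]) > 1:
        out.append("cores report different revisions")
    for name, detail in info["vulnerable"]:
        out.append(f"{name}: kernel reports Vulnerable ({detail or 'no detail'})")
    return out

if __name__ == "__main__":
    for label, log in (("Comment 2", COMMENT_2_LOG), ("Comment 4", COMMENT_4_LOG)):
        print(label, summarize(log), findings(summarize(log)))
```

An empty findings list only means the log lines are self-consistent; whether a given revision contains a fix still has to be checked against the vendor advisory for that CPU signature.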

Aurelien Oudelet 2020-11-13 18:04:58 CET

CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA7-64-OK

Comment 5 Mageia Robot 2020-11-13 22:22:17 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0422.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 6 David Walser 2020-11-14 23:13:01 CET
Does this regression affect us?
https://ubuntu.com/security/notices/USN-4628-2

Comment 7 Thomas Backlund 2020-11-16 10:19:41 CET
(In reply to David Walser from comment #6)
> Does this regression affect us?
> https://ubuntu.com/security/notices/USN-4628-2

Yes, the broken microcode is in the 20201110 firmware release.

There is also now an upstream 20201112 release that adds another microcode (but no fix for this yet).