| Summary: | Update request: kernel-2.6.38.8-10.mga1 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Thomas Backlund <tmb> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, pham182b, sysadmin-bugs |
| Version: | 1 | Keywords: | Security, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | kernel | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 4161 | ||
|
Thomas Backlund
2012-01-25 18:18:38 CET

There is now a kernel-2.6.38.8-10.mga1 to validate.

Advisory:
This update addresses the following CVEs:
* CVE-2011-4622 KVM: User space may create the PIT and forgets about setting up the irqchips. In that case, firing PIT IRQs will crash the host.
* CVE-2012-0038 Commit ef14f0c1578dce4b688726eb2603e50b62d6665a ('xfs: use generic Posix ACL code') in 2.2.6.32-rc1 introduced an integer overflow in the ACL handling code, which could further lead to heap-based buffer overflow via a crafted filesystem.
* CVE-2012-0044 There is a potential integer overflow in drm_mode_dirtyfb_ioctl() if userspace passes in a large num_clips. The call to kmalloc would allocate a small buffer, and the call to fb->funcs->dirty may result in a memory corruption.
* CVE-2012-0207 Linux IGMP Remote Denial Of Service. Commit 5b7c84066733c5dfb0e4016d939757b38de189e4 ('ipv4: correct IGMP behavior on v3 query during v2-compatibility mode') added in 2.6.36-rc8 added yet another case for query parsing, which can result in max_delay = 0.

NOTE! The 2.6.38 series kernels in Mageia 1 are not affected by CVE-2012-0056 ('kernel: proc: /proc/<pid>/mem mem_write insufficient permission checking') as the commit introducing the security issue was added in 2.6.39-rc1.

Other fixes in this release:
* ALSA: usb-audio: fix possible hang and overflow in parse_uac2_sample_rate_range()
* dvb_frontend: fix race condition in stopping/starting frontend (reported by coling)

Blocks: (none) => 4161


No POC's that I can find. Works fine on both i586 and x86_64 installations of Mageia1.

CC: (none) => pham182b


There is a POC at http://www.dis9.com/cve-2012-0056-mempodipper-a-linux-local-root-exploit.html however it doesn't work on mageia due to su having ...

readelf -h /bin/su|grep Type
Type: DYN (Shared object file)

CC: (none) => davidwhodgins


Testing complete on i586 for the srpm kernel-2.6.38.8-10.mga1.src.rpm

All 5 of the i586 kernels booted, including compiling dkms modules, starting kde with sound etc.

mempodipper is for the CVE which started with 2.6.39-rc1 so we just missed it fortunately! It's good that that's been verified now though.

Testing x86_64. No errors so far.

Given that exploits for this bug are now in the wild according to http://linux.slashdot.org/story/12/01/25/2137243/exploits-emerge-for-linux-privilege-escalation-flaw?utm_source=rss1.0moreanon&utm_medium=feed and that no problems have been found, I'll go ahead and validate this update.

Could someone from the sysadmin team push the srpm kernel-2.6.38.8-10.mga1.src.rpm from Core Updates Testing to Core Updates.

Advisory:
This kernel security update addresses the following CVEs:
* CVE-2011-4622 KVM: User space may create the PIT and forgets about setting up the irqchips. In that case, firing PIT IRQs will crash the host.
* CVE-2012-0038 Commit ef14f0c1578dce4b688726eb2603e50b62d6665a ('xfs: use generic Posix ACL code') in 2.2.6.32-rc1 introduced an integer overflow in the ACL handling code, which could further lead to heap-based buffer overflow via a crafted filesystem.
* CVE-2012-0044 There is a potential integer overflow in drm_mode_dirtyfb_ioctl() if userspace passes in a large num_clips. The call to kmalloc would allocate a small buffer, and the call to fb->funcs->dirty may result in a memory corruption.
* CVE-2012-0207 Linux IGMP Remote Denial Of Service. Commit 5b7c84066733c5dfb0e4016d939757b38de189e4 ('ipv4: correct IGMP behavior on v3 query during v2-compatibility mode') added in 2.6.36-rc8 added yet another case for query parsing, which can result in max_delay = 0.

NOTE! The 2.6.38 series kernels in Mageia 1 are not affected by CVE-2012-0056 ('kernel: proc: /proc/<pid>/mem mem_write insufficient permission checking') as the commit introducing the security issue was added in 2.6.39-rc1.

Other fixes in this release:
* ALSA: usb-audio: fix possible hang and overflow in parse_uac2_sample_rate_range()
* dvb_frontend: fix race condition in stopping/starting frontend (reported by coling)

https://bugs.mageia.org/show_bug.cgi?id=4281

Keywords: (none) => Security, validated_update


Update pushed.

Status: NEW => RESOLVED