Bug 13869 - Update request: kernel-vserver-3.10.51-0.vs2.3.6.8.1.mga3/4
Summary: Update request: kernel-vserver-3.10.51-0.vs2.3.6.8.1.mga3/4
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-08-06 21:04 CEST by Thomas Backlund
Modified: 2014-08-18 11:15 CEST

See Also:
Source RPM: kernel-vserver-3.10.51-0.vs2.3.6.8.1.mga4
CVE:
Status comment:


Description Thomas Backlund 2014-08-06 21:04:20 CEST
Updated kernel-vserver provides upstream 3.10.51 kernel and fixes the
following security issues:

Array index error in the aio_read_events_ring function in fs/aio.c in
the Linux kernel through 3.15.1 allows local users to obtain sensitive
information from kernel memory via a large head value (CVE-2014-0206).

The Netlink implementation in the Linux kernel through 3.14.1 does not
provide a mechanism for authorizing socket operations based on the
opener of a socket, which allows local users to bypass intended access
restrictions and modify network configurations by using a Netlink socket
for the (1) stdout or (2) stderr of a setuid program. (CVE-2014-0181)

media-device: fix infoleak in ioctl media_enum_entities()
(CVE-2014-1739)

The futex_requeue function in kernel/futex.c in the Linux kernel through
3.14.5 does not ensure that calls have two different futex addresses,
which allows local users to gain privileges via a crafted FUTEX_REQUEUE
command that facilitates unsafe waiter modification. (CVE-2014-3153)

kernel/auditsc.c in the Linux kernel through 3.14.5, when AUDITSYSCALL
is enabled with certain syscall rules, allows local users to obtain
potentially sensitive single-bit values from kernel memory or cause a
denial of service (OOPS) via a large value of a syscall number.
(CVE-2014-3917)

Andy Lutomirski has reported a vulnerability in Linux Kernel, which can
be exploited by malicious, local users to gain escalated privileges.
The vulnerability is caused due to an error related to checking Inode
capabilities, which can be exploited to conduct certain actions with
escalated privileges.
Successful exploitation requires a kernel built with user namespaces
(USER_NS) enabled. (CVE-2014-4014)

mm/shmem.c in the Linux kernel through 3.15.1 does not properly implement
the interaction between range notification and hole punching, which allows
local users to cause a denial of service (i_mutex hold) by using the mmap
system call to access a hole, as demonstrated by interfering with intended
shmem activity by blocking completion of (1) an MADV_REMOVE madvise call
or (2) an FALLOC_FL_PUNCH_HOLE fallocate call (CVE-2014-4171).

arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit
x86 platforms, when syscall auditing is enabled and the sep CPU feature
flag is set, allows local users to cause a denial of service (OOPS and
system crash) via an invalid syscall number, as demonstrated by number
1000 (CVE-2014-4508). 

For other fixes, see the referenced changelogs.
                
References:
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.51
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.50
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.49
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.48
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.47
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.46
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.45
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.44
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.43
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.42
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.41


Mga3:

SRPM:
kernel-vserver-3.10.51-0.vs2.3.6.8.1.mga3.src.rpm

i586:
kernel-vserver-3.10.51-0.vs2.3.6.8.1.mga3-1-1.mga3.i586.rpm
kernel-vserver-devel-3.10.51-0.vs2.3.6.8.1.mga3-1-1.mga3.i586.rpm
kernel-vserver-devel-latest-3.10.51-0.vs2.3.6.8.1.mga3.i586.rpm
kernel-vserver-doc-3.10.51-0.vs2.3.6.8.1.mga3.noarch.rpm
kernel-vserver-latest-3.10.51-0.vs2.3.6.8.1.mga3.i586.rpm
kernel-vserver-source-3.10.51-0.vs2.3.6.8.1.mga3-1-1.mga3.noarch.rpm
kernel-vserver-source-latest-3.10.51-0.vs2.3.6.8.1.mga3.noarch.rpm

x86_64:
kernel-vserver-3.10.51-0.vs2.3.6.8.1.mga3-1-1.mga3.x86_64.rpm
kernel-vserver-devel-3.10.51-0.vs2.3.6.8.1.mga3-1-1.mga3.x86_64.rpm
kernel-vserver-devel-latest-3.10.51-0.vs2.3.6.8.1.mga3.x86_64.rpm
kernel-vserver-doc-3.10.51-0.vs2.3.6.8.1.mga3.noarch.rpm
kernel-vserver-latest-3.10.51-0.vs2.3.6.8.1.mga3.x86_64.rpm
kernel-vserver-source-3.10.51-0.vs2.3.6.8.1.mga3-1-1.mga3.noarch.rpm
kernel-vserver-source-latest-3.10.51-0.vs2.3.6.8.1.mga3.noarch.rpm



Mga4:

SRPM:
kernel-vserver-3.10.51-0.vs2.3.6.8.1.mga4.src.rpm

i586:
kernel-vserver-3.10.51-0.vs2.3.6.8.1.mga4-1-1.mga4.i586.rpm
kernel-vserver-devel-3.10.51-0.vs2.3.6.8.1.mga4-1-1.mga4.i586.rpm
kernel-vserver-devel-latest-3.10.51-0.vs2.3.6.8.1.mga4.i586.rpm
kernel-vserver-doc-3.10.51-0.vs2.3.6.8.1.mga4.noarch.rpm
kernel-vserver-latest-3.10.51-0.vs2.3.6.8.1.mga4.i586.rpm
kernel-vserver-source-3.10.51-0.vs2.3.6.8.1.mga4-1-1.mga4.noarch.rpm
kernel-vserver-source-latest-3.10.51-0.vs2.3.6.8.1.mga4.noarch.rpm

x86_64:
kernel-vserver-3.10.51-0.vs2.3.6.8.1.mga4-1-1.mga4.x86_64.rpm
kernel-vserver-devel-3.10.51-0.vs2.3.6.8.1.mga4-1-1.mga4.x86_64.rpm
kernel-vserver-devel-latest-3.10.51-0.vs2.3.6.8.1.mga4.x86_64.rpm
kernel-vserver-doc-3.10.51-0.vs2.3.6.8.1.mga4.noarch.rpm
kernel-vserver-latest-3.10.51-0.vs2.3.6.8.1.mga4.x86_64.rpm
kernel-vserver-source-3.10.51-0.vs2.3.6.8.1.mga4-1-1.mga4.noarch.rpm
kernel-vserver-source-latest-3.10.51-0.vs2.3.6.8.1.mga4.noarch.rpm




Reproducible: 

Steps to Reproduce:
Thomas Backlund 2014-08-06 21:04:40 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 William Kenney 2014-08-10 19:32:41 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
kernel-vserver-latest

default install of kernel-vserver-latest

[root@localhost wilcal]# uname -a
Linux localhost 3.10.40-vserver-0.vs2.3.6.8.1.mga4 #1 SMP Fri May 16 17:18:24 UTC 2014 i686 i686 i686 GNU/Linux
[root@localhost wilcal]# dkms status
vboxadditions, 4.3.10-1.1.mga4, 3.12.25-desktop-3.mga4, i586: installed-binary from 3.12.25-desktop-3.mga4

install kernel-vserver-latest from updates_testing

[root@localhost wilcal]# uname -a
Linux localhost 3.10.51-vserver-0.vs2.3.6.8.1.mga4 #1 SMP Wed Aug 6 17:19:06 UTC 2014 i686 i686 i686 GNU/Linux
[root@localhost wilcal]# dkms status
vboxadditions, 4.3.10-1.1.mga4, 3.12.25-desktop-3.mga4, i586: installed-binary from 3.12.25-desktop-3.mga4

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

Comment 2 William Kenney 2014-08-10 19:54:30 CEST
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
kernel-vserver-latest

default install of kernel-vserver-latest

[root@localhost wilcal]# uname -a
Linux localhost 3.10.40-vserver-0.vs2.3.6.8.1.mga4 #1 SMP Fri May 16 17:34:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# dkms status
vboxadditions, 4.3.10-1.1.mga4, 3.12.20-desktop-1.mga4, x86_64: installed-binary from 3.12.20-desktop-1.mga4

kernel-vserver-latest boots to a working desktop and
applications work fine, 1600x1200 screen resolution

install kernel-vserver-latest from updates_testing

[root@localhost wilcal]# uname -a
Linux localhost 3.10.51-vserver-0.vs2.3.6.8.1.mga4 #1 SMP Wed Aug 6 17:23:36 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# dkms status
vboxadditions, 4.3.10-1.1.mga4, 3.12.20-desktop-1.mga4, x86_64: installed-binary from 3.12.20-desktop-1.mga4

kernel-vserver-latest boots to a working desktop and
applications work fine, 1600x1200 screen resolution

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 3 William Kenney 2014-08-12 17:30:14 CEST
For me this update works fine.
Testing complete for mga4 32-bit & 64-bit
Can we push this one?
Comment 4 Lewis Smith 2014-08-12 23:41:46 CEST
Testing MGA4 x64 real EFI hardware; ATI/Radeon video.
[Because Bill's test was in VirtualBox].

Installed with urpmi vserver-latest (3.10.40). On re-booting my EFI box, it did not show on the Grub2 menu. I found none of my 3 /boot/efi/EFI/Mageia*/grubx64.efi had been re-installed (all were old), so from another kernel I re-built that:
# grub2-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=mageia4
and re-booted. On choosing the now visible vserver entry, booting this aborted due to video problems with 'press any key & good luck' sort of message. Ah! You have to install vserver-devel *as well*, so I did that (latest) & it booted and ran (after an initial pause) OK.

[Why cannot this dependency be automated?]

Updated from Updates Testing to:
kernel-vserver-latest-3.10.51-0.vs2.3.6.8.1.mga4
kernel-vserver-devel-latest-3.10.51-0.vs2.3.6.8.1.mga4
and re-booted. Choosing the vserver kernel (again a pause) booted OK and I am working from it.

So for me MGA4-64-OK ; but I leave someone more authoritative to Whiteboard that.

CC: (none) => lewyssmith

William Kenney 2014-08-14 22:30:23 CEST

Whiteboard: MGA3TOO => MGA3TOO MGA4-32-OK MGA4-64-OK

Comment 5 William Kenney 2014-08-15 16:22:40 CEST
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
kernel-vserver-latest

default install of kernel-vserver-latest

[root@localhost wilcal]# uname -a
Linux localhost 3.10.40-vserver-0.vs2.3.6.8.1.mga3 #1 SMP Fri May 16 17:37:25 UTC 2014 i686 i686 i686 GNU/Linux
[root@localhost wilcal]# dkms status
virtualbox, 4.3.10-1.mga3, 3.10.28-desktop-1.mga3, i586: installed 
vboxadditions, 4.2.12-2.mga3, 3.8.13-desktop-1.mga3, i586: installed-binary from 3.8.13-desktop-1.mga3

kernel-vserver-latest boots to a working desktop and
applications work fine, 1600x1200 screen resolution

install kernel-vserver-latest from updates_testing

[root@localhost wilcal]# uname -a
Linux localhost 3.10.51-vserver-0.vs2.3.6.8.1.mga3 #1 SMP Wed Aug 6 17:00:51 UTC 2014 i686 i686 i686 GNU/Linux
[root@localhost wilcal]# dkms status
virtualbox, 4.3.10-1.mga3, 3.10.28-desktop-1.mga3, i586: installed
vboxadditions, 4.2.12-2.mga3, 3.8.13-desktop-1.mga3, i586: installed-binary from 3.8.13-desktop-1.mga3

kernel-vserver-latest boots to a working desktop and
applications work fine, 1600x1200 screen resolution

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 6 William Kenney 2014-08-15 16:43:03 CEST
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
kernel-vserver-latest

default install of kernel-vserver-latest

[root@localhost wilcal]# uname -a
Linux localhost 3.10.40-vserver-0.vs2.3.6.8.1.mga3 #1 SMP Fri May 16 17:50:04 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# dkms status
virtualbox, 4.3.10-1.mga3, 3.10.44-desktop-1.mga3, x86_64: installed
vboxadditions, 4.2.16-1.mga3, 3.10.24-desktop-2.mga3, x86_64: installed-binary from 3.10.24-desktop-2.mga3

kernel-vserver-latest boots to a working desktop and
applications work fine, 1600x1200 screen resolution

install kernel-vserver-latest from updates_testing

[root@localhost wilcal]# uname -a
Linux localhost 3.10.51-vserver-0.vs2.3.6.8.1.mga3 #1 SMP Wed Aug 6 17:07:47 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# dkms status
virtualbox, 4.3.10-1.mga3, 3.10.44-desktop-1.mga3, x86_64: installed
vboxadditions, 4.2.16-1.mga3, 3.10.24-desktop-2.mga3, x86_64: installed-binary from 3.10.24-desktop-2.mga3

kernel-vserver-latest boots to a working desktop and
applications work fine, 1600x1200 screen resolution

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 7 William Kenney 2014-08-15 16:47:16 CEST
For me this update works fine.
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

William Kenney 2014-08-15 16:48:25 CEST

Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

Comment 8 Rémi Verschelde 2014-08-17 23:40:57 CEST
Advisory uploaded.

CC: (none) => remi
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory

Comment 9 Mageia Robot 2014-08-18 11:15:48 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0332.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
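
The check the QA comments perform by eye with `uname -a`, as an added shell example that is not part of the original bug report: it classifies a kernel release string against the 3.10.51 version this update provides. The function names and the labels `fixed`, `outdated`, `not-vserver` and `unparsed` are this example's own; the sample strings are copied from the `uname` and `dkms` output in the comments above.

```shell
#!/bin/sh
# Added example: is the *running* kernel the fixed kernel-vserver build?
# Installing the package is not enough; the host must be booted into it.
FIXED_VERSION="3.10.51"   # upstream version named in the bug description

# Print the upstream x.y.z part of a `uname -r` style string (empty if none).
upstream_version() {
    printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Succeed when dotted version $1 >= $2. Fields are compared numerically,
# because a string compare would rank 3.10.9 above 3.10.51.
version_ge() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2              # six fields: a1 a2 a3 b1 b2 b3
    IFS=$old_ifs
    if [ "$1" -gt "$4" ]; then return 0; elif [ "$1" -lt "$4" ]; then return 1; fi
    if [ "$2" -gt "$5" ]; then return 0; elif [ "$2" -lt "$5" ]; then return 1; fi
    [ "$3" -ge "$6" ]
}

# Print fixed | outdated | not-vserver | unparsed for a release string.
classify_release() {
    case $1 in
        *-vserver-*) ;;                       # flavour covered by this update
        *) echo "not-vserver"; return 0 ;;    # e.g. the -desktop- kernels
    esac
    ver=$(upstream_version "$1")
    if [ -z "$ver" ]; then echo "unparsed"; return 0; fi
    if version_ge "$ver" "$FIXED_VERSION"; then
        echo "fixed"
    else
        echo "outdated"
    fi
}

# Sample strings from this page, followed by the kernel actually running.
for rel in "3.10.40-vserver-0.vs2.3.6.8.1.mga4" \
           "3.10.51-vserver-0.vs2.3.6.8.1.mga4" \
           "3.12.25-desktop-3.mga4" \
           "$(uname -r)"; do
    printf '%-40s %s\n' "$rel" "$(classify_release "$rel")"
done
```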

