Bug 20747 - Update request: kernel-4.4.65-1.mga5
Summary: Update request: kernel-4.4.65-1.mga5
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Keywords: validated_update
Depends on: 20729
Blocks:
  Show dependency treegraph
 
Reported: 2017-04-29 00:35 CEST by Thomas Backlund
Modified: 2017-05-10 22:56 CEST (History)
8 users (show)

See Also:
Source RPM: kernel
CVE:
Status comment:


Attachments

Description Thomas Backlund 2017-04-29 00:35:16 CEST
New kernel with several fixed CVE's



SRPMS:
kernel-4.4.65-1.mga5.src.rpm
kernel-userspace-headers-4.4.65-1.mga5.src.rpm
kmod-xtables-addons-2.10-37.mga5.src.rpm



i586:
cpupower-4.4.65-1.mga5.i586.rpm
cpupower-devel-4.4.65-1.mga5.i586.rpm
kernel-desktop-4.4.65-1.mga5-1-1.mga5.i586.rpm
kernel-desktop586-4.4.65-1.mga5-1-1.mga5.i586.rpm
kernel-desktop586-devel-4.4.65-1.mga5-1-1.mga5.i586.rpm
kernel-desktop586-devel-latest-4.4.65-1.mga5.i586.rpm
kernel-desktop586-latest-4.4.65-1.mga5.i586.rpm
kernel-desktop-devel-4.4.65-1.mga5-1-1.mga5.i586.rpm
kernel-desktop-devel-latest-4.4.65-1.mga5.i586.rpm
kernel-desktop-latest-4.4.65-1.mga5.i586.rpm
kernel-doc-4.4.65-1.mga5.noarch.rpm
kernel-server-4.4.65-1.mga5-1-1.mga5.i586.rpm
kernel-server-devel-4.4.65-1.mga5-1-1.mga5.i586.rpm
kernel-server-devel-latest-4.4.65-1.mga5.i586.rpm
kernel-server-latest-4.4.65-1.mga5.i586.rpm
kernel-source-4.4.65-1.mga5-1-1.mga5.noarch.rpm
kernel-source-latest-4.4.65-1.mga5.noarch.rpm
kernel-userspace-headers-4.4.65-1.mga5.i586.rpm
perf-4.4.65-1.mga5.i586.rpm

xtables-addons-kernel-4.4.65-desktop-1.mga5-2.10-37.mga5.i586.rpm
xtables-addons-kernel-4.4.65-desktop586-1.mga5-2.10-37.mga5.i586.rpm
xtables-addons-kernel-4.4.65-server-1.mga5-2.10-37.mga5.i586.rpm
xtables-addons-kernel-desktop586-latest-2.10-37.mga5.i586.rpm
xtables-addons-kernel-desktop-latest-2.10-37.mga5.i586.rpm
xtables-addons-kernel-server-latest-2.10-37.mga5.i586.rpm



x86_64:
cpupower-4.4.65-1.mga5.x86_64.rpm
cpupower-devel-4.4.65-1.mga5.x86_64.rpm
kernel-desktop-4.4.65-1.mga5-1-1.mga5.x86_64.rpm
kernel-desktop-devel-4.4.65-1.mga5-1-1.mga5.x86_64.rpm
kernel-desktop-devel-latest-4.4.65-1.mga5.x86_64.rpm
kernel-desktop-latest-4.4.65-1.mga5.x86_64.rpm
kernel-doc-4.4.65-1.mga5.noarch.rpm
kernel-server-4.4.65-1.mga5-1-1.mga5.x86_64.rpm
kernel-server-devel-4.4.65-1.mga5-1-1.mga5.x86_64.rpm
kernel-server-devel-latest-4.4.65-1.mga5.x86_64.rpm
kernel-server-latest-4.4.65-1.mga5.x86_64.rpm
kernel-source-4.4.65-1.mga5-1-1.mga5.noarch.rpm
kernel-source-latest-4.4.65-1.mga5.noarch.rpm
kernel-userspace-headers-4.4.65-1.mga5.x86_64.rpm
perf-4.4.65-1.mga5.x86_64.rpm
xtables-addons-kernel-4.4.65-desktop-1.mga5-2.10-37.mga5.x86_64.rpm
xtables-addons-kernel-4.4.65-server-1.mga5-2.10-37.mga5.x86_64.rpm
xtables-addons-kernel-desktop-latest-2.10-37.mga5.x86_64.rpm
xtables-addons-kernel-server-latest-2.10-37.mga5.x86_64.rpm
Comment 1 Thomas Backlund 2017-04-29 00:37:07 CEST
virtualbox and vboxadditions kmods will be built after virtualbox update:
https://bugs.mageia.org/show_bug.cgi?id=20729

is validated and pushed to mirrors

Depends on: (none) => 20729

Comment 2 Thomas Backlund 2017-04-29 00:44:39 CEST
Advisory (also added to svn):

  This kernel update is based on upstream 4.4.65 and fixes atleast
  the following security issues:

  fs/namespace.c in the Linux kernel before 4.9 does not restrict how many
  mounts may exist in a mount namespace, which allows local users to cause
  a denial of service (memory consumption and deadlock) via MS_BIND mount
  system calls, as demonstrated by a loop that triggers exponential growth
  in the number of mounts (CVE-2016-6213).

  The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in
  the Linux kernel before 4.6 allows local users to gain privileges or cause
  a denial of service (use-after-free) via vectors involving omission of the
  firmware name from a certain data structure (CVE-2016-7913).

  The nfnetlink_rcv_batch function in net/netfilter/nfnetlink.c in the Linux
  kernel before 4.5 does not check whether a batch message's length field is
  large enough, which allows local users to obtain sensitive information from
  kernel memory or cause a denial of service (infinite loop or out-of-bounds
  read) by leveraging the CAP_NET_ADMIN capability (CVE-2016-7917).

  The tipc_msg_build function in net/tipc/msg.c in the Linux kernel through
  4.8.11 does not validate the relationship between the minimum fragment
  length and the maximum packet size, which allows local users to gain
  privileges or cause a denial of service (heap-based buffer overflow) by
  leveraging the CAP_NET_ADMIN capability (CVE-2016-8632).

  drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows local
  users to bypass integer overflow checks, and cause a denial of service
  (memory corruption) or have unspecified other impact, by leveraging access
  to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a
  "state machine confusion bug" (CVE-2016-9083).

  drivers/vfio/pci/vfio_pci_intrs.c in the Linux kernel through 4.8.11
  misuses the kzalloc function, which allows local users to cause a denial
  of service (integer overflow) or have unspecified other impact by
  leveraging access to a vfio PCI device file (CVE-2016-9084).

  It was discovered that root can gain direct access to an internal keyring,
  such as '.builtin_trusted_keys' upstream, by joining it as its session
  keyring. This allows root to bypass module signature verification by adding
  a new public key of its own devising to the keyring (CVE-2016-9604).

  The ping_unhash function in net/ipv4/ping.c in the Linux kernel through
  4.10.8 is too late in obtaining a certain lock and consequently cannot
  ensure that disconnect function calls are safe, which allows local users
  to cause a denial of service (panic) by leveraging access to the protocol
  value of IPPROTO_ICMP in a socket system call (CVE-2017-2671).

  Race condition in kernel/events/core.c in the Linux kernel before 4.9.7
  allows local users to gain privileges via a crafted application that makes
  concurrent perf_event_open system calls for moving a software group into a
  hardware context. NOTE: this vulnerability exists because of an incomplete
  fix for CVE-2016-6786 (CVE-2017-6001).

  The keyring_search_aux function in security/keys/keyring.c in the Linux
  kernel through 3.14.79 allows local users to cause a denial of service
  (NULL pointer dereference and OOPS) via a request_key system call for the
  "dead" type (CVE-2017-6951).

  The packet_set_ring function in net/packet/af_packet.c in the Linux kernel
  through 4.10.6 does not properly validate certain block-size data, which
  allows local users to cause a denial of service (overflow) or possibly have
  unspecified other impact via crafted system calls (CVE-2017-7308).

  A vulnerability was found in the Linux kernel. It was found that
  keyctl_set_reqkey_keyring() function leaks thread keyring which allows
  unprivileged local user to exhaust kernel memory (CVE-2017-7472).

  For other upstream fixes in this update, see the referenced changelogs.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=20747
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.60
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.61
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.62
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.63
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.64
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.65

Whiteboard: (none) => advisory

Comment 3 Len Lawrence 2017-05-01 19:23:51 CEST
Installed all the relevant packages on x86_64 real hardware
nvidia 375.39 (GTX 770)
 ‎
Intel(R) Core(TM) i7-4790K CPU @ 4.00GHz
RAM 2x8GB ChannelB-DIMM1 1333MHz
ASUS Gigabyte Sniper Z.97 motherboard

Installed cleanly.  Rebooted OK.  Desktop running fine.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2017-05-01 22:21:13 CEST
x86_64 
MSI motherboard
nvidia GTX 970
Intel(R) Core(TM) i7-4790 CPU @ 3.60GHz
32GB RAM (4*8GB ChannelA-DIMM0 1600MHz)

Updated all packages.  Kernel modules rebuilt.
Rebooted to Mate desktop - everything running normally.
Comment 5 Len Lawrence 2017-05-01 22:21:44 CEST
Except that firefox keeps freezing.
Comment 6 Len Lawrence 2017-05-02 14:46:23 CEST
x86_64 MBR
Lenovo Ideapad Y500
nvidia GT650M
Intel(R) Core(TM) i7-3630QM CPU @ 2.40GHz
RAM 2x4GB DIMM

Smooth upgrade; dkms builds OK.
Rebooted to a working desktop and there do not appear to be any problems.
Comment 7 José Jorge 2017-05-03 09:56:15 CEST
Tested on 4 laptops i586 an x86_64.

CC: (none) => lists.jjorge

Comment 8 Herman Viaene 2017-05-05 16:39:46 CEST
MGA-32 on Asus A6000VM Xfce (MBR - nVidia)
No installatio issues.
Restarting after installation went after a while to a black screen and then hangs too long for me to wait (more than 10 min.)
Power down, and then restart OK
Opened Firefox (obviously) pdf, odp, jpg files, played movie and sound from newspaper site. All seems OK.

CC: (none) => herman.viaene

Comment 9 Thomas Backlund 2017-05-09 10:06:20 CEST
virtualbox update got pushed, so the kmods for this update is now built:

SRPMS:
kmod-vboxadditions-5.1.22-2.mga5.src.rpm
kmod-virtualbox-5.1.22-2.mga5.src.rpm


i586:
vboxadditions-kernel-4.4.65-desktop-1.mga5-5.1.22-2.mga5.i586.rpm
vboxadditions-kernel-4.4.65-desktop586-1.mga5-5.1.22-2.mga5.i586.rpm
vboxadditions-kernel-4.4.65-server-1.mga5-5.1.22-2.mga5.i586.rpm
vboxadditions-kernel-desktop586-latest-5.1.22-2.mga5.i586.rpm
vboxadditions-kernel-desktop-latest-5.1.22-2.mga5.i586.rpm
vboxadditions-kernel-server-latest-5.1.22-2.mga5.i586.rpm

virtualbox-kernel-4.4.65-desktop-1.mga5-5.1.22-2.mga5.i586.rpm
virtualbox-kernel-4.4.65-desktop586-1.mga5-5.1.22-2.mga5.i586.rpm
virtualbox-kernel-4.4.65-server-1.mga5-5.1.22-2.mga5.i586.rpm
virtualbox-kernel-desktop586-latest-5.1.22-2.mga5.i586.rpm
virtualbox-kernel-desktop-latest-5.1.22-2.mga5.i586.rpm
virtualbox-kernel-server-latest-5.1.22-2.mga5.i586.rpm


x86_64:
vboxadditions-kernel-4.4.65-desktop-1.mga5-5.1.22-2.mga5.x86_64.rpm
vboxadditions-kernel-4.4.65-server-1.mga5-5.1.22-2.mga5.x86_64.rpm
vboxadditions-kernel-desktop-latest-5.1.22-2.mga5.x86_64.rpm
vboxadditions-kernel-server-latest-5.1.22-2.mga5.x86_64.rpm

virtualbox-kernel-4.4.65-desktop-1.mga5-5.1.22-2.mga5.x86_64.rpm
virtualbox-kernel-4.4.65-server-1.mga5-5.1.22-2.mga5.x86_64.rpm
virtualbox-kernel-desktop-latest-5.1.22-2.mga5.x86_64.rpm
virtualbox-kernel-server-latest-5.1.22-2.mga5.x86_64.rpm
Comment 10 Thomas Backlund 2017-05-09 10:07:25 CEST
And Mageia infra has been running the x86_64 server kernel for ~1 week now without problems
Comment 11 Brian Rockwell 2017-05-09 19:47:28 CEST
32-bit  Installed desktop within VM on AMD x3 hardware AMD Radeon  Seems to be working as designed.

$ uname -a
Linux localhost 4.4.65-desktop-1.mga5 #1 SMP Fri Apr 28 14:45:58 UTC 2017 i686 i686 i686 GNU/Linux

CC: (none) => brtians1

Comment 12 Brian Rockwell 2017-05-09 21:33:31 CEST
64-bit Install and execution working as designed.  I've also tested that VBox is still working.  Actually running an mga6 install in VB on the update kernel now.

AMD x3 and AMD Integrated video (Radeon).

$ uname -a
Linux localhost 4.4.65-desktop-1.mga5 #1 SMP Fri Apr 28 14:15:56 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

--------------

The following 4 packages are going to be installed:

- cpupower-4.4.65-1.mga5.x86_64
- kernel-desktop-4.4.65-1.mga5-1-1.mga5.x86_64
- virtualbox-kernel-4.4.65-desktop-1.mga5-5.1.22-2.mga5.x86_64
- virtualbox-kernel-desktop-latest-5.1.22-2.mga5.x86_64

53MB of additional disk space will be used.

47MB of packages will be retrieved.

Is it ok to continue?

-------------

Firefox, network, writer and VBox are working.
Comment 13 James Kerr 2017-05-10 13:24:22 CEST
On mga5-64

Packages installed cleanly:

- cpupower-4.4.65-1.mga5.x86_64
- kernel-desktop-4.4.65-1.mga5-1-1.mga5.x86_64
- kernel-desktop-latest-4.4.65-1.mga5.x86_64
- virtualbox-kernel-4.4.65-desktop-1.mga5-5.1.22-2.mga5.x86_64
- virtualbox-kernel-desktop-latest-5.1.22-2.mga5.x86_64

System rebooted normally
No regressions noted
virtualbox and clients - OK

OK for mga5-64 on this system:

Dell product: Precision Tower 3620
Mobo: Dell model: 09WH54 
Card: Intel HD Graphics 530
CPU: Quad core Intel Core i7-6700 (-HT-MCP-)

CC: (none) => jim

Comment 14 Lewis Smith 2017-05-10 19:54:10 CEST
Testing x64 real EFI hardware.
 cpupower-4.4.65-1.mga5
 kernel-desktop-latest-4.4.65-1.mga5
 kernel-desktop-4.4.65-1.mga5-1-1.mga5
 kernel-desktop-devel-latest-4.4.65-1.mga5
 kernel-userspace-headers-4.4.65-1.mga5
 kernel-desktop-devel-4.4.65-1.mga5-1-1.mga5
Have been using these without problems. OK for me.

CC: (none) => lewyssmith

Comment 15 Manuel Hiebel 2017-05-10 19:56:20 CEST
No issue here with 7 years laptop (x86_64)
Comment 16 Dave Hodgins 2017-05-10 21:59:14 CEST
Testing of both i586 and x86_64 installs here ok, with all kernels, as usual.

As CVE-2017-7308 is exploitable per https://googleprojectzero.blogspot.ca/2017/05/exploiting-linux-kernel-via-packet.html
and no problems found, validating the update.

Whiteboard: advisory => advisory MGA5-64-OK MGA5-32-OK
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 17 Mageia Robot 2017-05-10 22:56:59 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0136.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.