Bug 21149 - Update request: kernel-tmb-4.4.74-1.mga5
Summary: Update request: kernel-tmb-4.4.74-1.mga5
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: High
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5-32-OK MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-06-26 11:01 CEST by Thomas Backlund
Modified: 2017-06-26 23:52 CEST
CC: 3 users

See Also:
Source RPM: kernel-tmb
CVE:
Status comment:


Description Thomas Backlund 2017-06-26 11:01:18 CEST
Fixes for stack smash (CVE-2017-1000364) and other CVEs, advisory will follow

SRPMS:
kernel-tmb-4.4.74-1.mga5.src.rpm


i586:
kernel-tmb-desktop-4.4.74-1.mga5-1-1.mga5.i586.rpm
kernel-tmb-desktop-devel-4.4.74-1.mga5-1-1.mga5.i586.rpm
kernel-tmb-desktop-devel-latest-4.4.74-1.mga5.i586.rpm
kernel-tmb-desktop-latest-4.4.74-1.mga5.i586.rpm
kernel-tmb-source-4.4.74-1.mga5-1-1.mga5.noarch.rpm
kernel-tmb-source-latest-4.4.74-1.mga5.noarch.rpm


x86_64:
kernel-tmb-desktop-4.4.74-1.mga5-1-1.mga5.x86_64.rpm
kernel-tmb-desktop-devel-4.4.74-1.mga5-1-1.mga5.x86_64.rpm
kernel-tmb-desktop-devel-latest-4.4.74-1.mga5.x86_64.rpm
kernel-tmb-desktop-latest-4.4.74-1.mga5.x86_64.rpm
kernel-tmb-source-4.4.74-1.mga5-1-1.mga5.noarch.rpm
kernel-tmb-source-latest-4.4.74-1.mga5.noarch.rpm
Thomas Backlund 2017-06-26 11:01:29 CEST

Priority: Normal => High

Comment 1 Len Lawrence 2017-06-26 17:59:13 CEST
x86_64
Gigabyte Sniper Z.97
Intel Core i7-4790K 4.00GHz
nvidia GeForce GTX 770

Trouble finding a mirror but the packages eventually showed up and installed cleanly.
Rebooted OK after recompiling the nvidia and virtualbox modules.  Mate desktop is fully functional including LibreOffice.

$ uname -r
4.4.74-tmb-desktop-1.mga5

CC: (none) => tarazed25

Comment 2 Thomas Backlund 2017-06-26 21:23:52 CEST
Advisory, also added to svn:

  This kernel-tmb update is based on upstream 4.4.74 and fixes at least
  the following security issues:

  The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel through
  4.11.1 mishandles reference counts, which allows local users to cause a
  denial of service (use-after-free) or possibly have unspecified other
  impact via a failed SIOCGIFADDR ioctl call for an IPX interface
  (CVE-2017-7487).

  The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the
  Linux kernel through 4.10.15 allows attackers to cause a denial of service
  (double free) or possibly have unspecified other impact by leveraging use
  of the accept system call (CVE-2017-8890).

  The IPv6 fragmentation implementation in the Linux kernel through 4.11.1
  does not consider that the nexthdr field may be associated with an invalid
  option, which allows local users to cause a denial of service (out-of-bounds
  read and BUG) or possibly have unspecified other impact via crafted socket
  and send system calls (CVE-2017-9074).

  The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel
  through 4.11.1 mishandles inheritance, which allows local users to cause a
  denial of service or possibly have unspecified other impact via crafted
  system calls, a related issue to CVE-2017-8890 (CVE-2017-9075).

  The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel
  through 4.11.1 mishandles inheritance, which allows local users to cause a
  denial of service or possibly have unspecified other impact via crafted
  system calls, a related issue to CVE-2017-8890 (CVE-2017-9076).

  The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel
  through 4.11.1 mishandles inheritance, which allows local users to cause a
  denial of service or possibly have unspecified other impact via crafted
  system calls, a related issue to CVE-2017-8890 (CVE-2017-9077).

  The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel
  through 4.11.3 is too late in checking whether an overwrite of an skb data
  structure may occur, which allows local users to cause a denial of service
  (system crash) via crafted system calls (CVE-2017-9242).

  The vmw_gb_surface_define_ioctl function (accessible via
  DRM_IOCTL_VMW_GB_SURFACE_CREATE) in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
  in the Linux kernel through 4.11.4 defines a backup_handle variable but
  does not give it an initial value. If one attempts to create a GB surface,
  with a previously allocated DMA buffer to be used as a backup buffer, the
  backup_handle variable does not get written to and is then later returned
  to user space, allowing local users to obtain sensitive information from
  uninitialized kernel memory via a crafted ioctl call (CVE-2017-9605).

  A vulnerability was found in the Linux kernel's lp_setup() function where it
  doesn't apply any bounds checking when passing "lp=none". This can result
  in an overflow of the parport_nr[] array. An attacker with control over kernel
  command line can overwrite kernel code and data with fixed (0xff) values
  (CVE-2017-1000363).

  A flaw was found in the way memory was being allocated on the stack for
  user space binaries. If heap (or different memory region) and stack memory
  regions were adjacent to each other, an attacker could use this flaw to
  jump over the stack guard gap, cause controlled memory corruption on process
  stack or the adjacent memory region, and thus increase their privileges on
  the system. This is a kernel-side mitigation which increases the stack guard
  gap size from one page to 1 MiB to make successful exploitation of this
  issue more difficult (CVE-2017-1000364).

  The Linux Kernel imposes a size restriction on the arguments and
  environmental strings passed through RLIMIT_STACK/RLIM_INFINITY(1/4 of
  the size), but does not take the argument and environment pointers into
  account, which allows attackers to bypass this limitation. This affects
  Linux Kernel versions 4.11.5 and earlier (CVE-2017-1000365).

  sound/core/timer.c in the Linux kernel before 4.11.5 is vulnerable to a
  data race in the ALSA /dev/snd/timer driver resulting in local users being
  able to read information belonging to other users, i.e., uninitialized
  memory contents may be disclosed when a read and an ioctl happen at the
  same time (CVE-2017-1000380).

  The block interface response structure has some discontiguous fields.
  Certain backends populate the structure fields of an otherwise
  uninitialized instance of this structure on their stacks, leaking
  data through the (internal or trailing) padding field. A malicious
  unprivileged guest may be able to obtain sensitive information from the
  host or other guests (XSA-216).

  Other changes in this kernel:
  - add support for rtl8812au wireless (mga#21043)
  - enable support for SMB2 (mga#20886)

For other upstream fixes in this update, see the referenced changelogs.

Whiteboard: (none) => advisory
Status: NEW => ASSIGNED
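
The XSA-216 and CVE-2017-9605 entries in the advisory above describe the same bug class: a structure is only partially written before being handed to a less privileged party, so stale memory escapes through an unassigned field or through padding. The program below is an added example, not code from Mageia, Xen or the Linux kernel. It uses a simplified stand-in for the Xen block interface response (a u64, a u8 and an s16, which leaves interior and trailing padding on x86_64) and simulates stale stack contents with a constructed 0xAA marker. It compares the leaky pattern (assign only the named fields) with the hardened one (zero the whole object with memset before assigning), and counts how many padding bytes still carry the marker when the object is copied out. The struct name, the 0xAA marker and the field values are all assumptions made for the demonstration.

```c
/* Added example (not Mageia, Xen or kernel code): shows how a response struct
 * with discontiguous fields leaks stale memory through its padding when only
 * the named fields are assigned, and how zeroing the whole object first fixes it. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the Xen block interface response (XSA-216 pattern).
 * On x86_64 this is 16 bytes: 8 + 1 + (1 pad) + 2 + (4 trailing pad). */
struct blkif_response {
    uint64_t id;         /* copied from request */
    uint8_t  operation;  /* copied from request */
    int16_t  status;     /* result code */
};

/* Backing storage that lets us inspect every byte of the object, not just fields. */
union resp_slot {
    struct blkif_response r;
    unsigned char raw[sizeof(struct blkif_response)];
};

/* Vulnerable pattern: only the named fields are written. Whatever was in the
 * padding before (stale stack data in the real bug) is left in place and goes
 * out to the guest/user together with the fields. */
void fill_response_leaky(struct blkif_response *r, uint64_t id,
                         uint8_t op, int16_t status)
{
    r->id = id;
    r->operation = op;
    r->status = status;
}

/* Hardened pattern: zero the whole object first. memset is used on purpose:
 * an initializer such as (struct blkif_response){0} is not required by the C
 * standard to clear padding bytes, a memset over sizeof(*r) is. */
void fill_response_fixed(struct blkif_response *r, uint64_t id,
                         uint8_t op, int16_t status)
{
    memset(r, 0, sizeof(*r));
    r->id = id;
    r->operation = op;
    r->status = status;
}

/* True if byte offset `off` lies inside one of the named fields. */
static int in_named_field(size_t off)
{
    return (off >= offsetof(struct blkif_response, id) &&
            off <  offsetof(struct blkif_response, id) + sizeof(uint64_t)) ||
           (off >= offsetof(struct blkif_response, operation) &&
            off <  offsetof(struct blkif_response, operation) + sizeof(uint8_t)) ||
           (off >= offsetof(struct blkif_response, status) &&
            off <  offsetof(struct blkif_response, status) + sizeof(int16_t));
}

/* Fill a response on top of constructed "stale" memory (0xAA marker, assumed
 * secret) and count the padding bytes that still hold the marker afterwards. */
int leaked_padding_bytes(void (*fill)(struct blkif_response *, uint64_t,
                                      uint8_t, int16_t))
{
    union resp_slot slot;
    int leaked = 0;

    memset(slot.raw, 0xAA, sizeof(slot.raw));   /* constructed stale stack */
    fill(&slot.r, 0x1122334455667788ULL, 1, -1); /* no field byte equals 0xAA */

    for (size_t off = 0; off < sizeof(slot.raw); off++)
        if (!in_named_field(off) && slot.raw[off] == 0xAA)
            leaked++;
    return leaked;
}

/* Total padding bytes in the struct for whatever ABI this is compiled on. */
size_t padding_bytes(void)
{
    return sizeof(struct blkif_response)
         - sizeof(uint64_t) - sizeof(uint8_t) - sizeof(int16_t);
}

int main(void)
{
    printf("struct size %zu bytes, of which %zu are padding\n",
           sizeof(struct blkif_response), padding_bytes());
    printf("leaky fill: %d stale bytes reach the receiver\n",
           leaked_padding_bytes(fill_response_leaky));
    printf("fixed fill: %d stale bytes reach the receiver\n",
           leaked_padding_bytes(fill_response_fixed));
    return 0;
}
```

The same check applies to the vmwgfx case: a local variable such as backup_handle that is only written on some paths and then copied to user space is the field-level form of this leak, and the fix is the same, give the whole object a defined value before any path can return it. When auditing kernel or hypervisor code for this class, look for stack-allocated structs passed to copy_to_user or written into shared rings where the only initialization is a list of member assignments.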

Comment 3 Lewis Smith 2017-06-26 22:03:29 CEST
Testing M5_64 real hardware Radeon video

kernel-tmb-desktop-4.4.74-1.mga5-1-1.mga5
kernel-tmb-desktop-latest-4.4.74-1.mga5

 $ uname -r
 4.4.74-tmb-desktop-1.mga5

Using it, seems to work OK, including open file via LibreOffice File menu.

CC: (none) => lewyssmith

Comment 4 Thomas Backlund 2017-06-26 23:09:07 CEST
Looks good enough... validating to get it out

Whiteboard: advisory => advisory MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2017-06-26 23:52:46 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0187.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
