Bug 21519 - Update request: kernel-tmb-4.9.43-1.mga6
Summary: Update request: kernel-tmb-4.9.43-1.mga6
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: mga6-32-ok advisory MGA6-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-08-13 23:53 CEST by Thomas Backlund
Modified: 2017-08-23 17:43 CEST (History)
5 users (show)

See Also:
Source RPM: kernel-tmb
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Thomas Backlund 2017-08-13 23:53:30 CEST 
New kernels to test, contains security fixes for atleast a local root exploit, advisory will follow...


SRPMS:
kernel-tmb-4.9.43-1.mga6.src.rpm


i586:
kernel-tmb-desktop-4.9.43-1.mga6-1-1.mga6.i586.rpm
kernel-tmb-desktop-devel-4.9.43-1.mga6-1-1.mga6.i586.rpm
kernel-tmb-desktop-devel-latest-4.9.43-1.mga6.i586.rpm
kernel-tmb-desktop-latest-4.9.43-1.mga6.i586.rpm
kernel-tmb-source-4.9.43-1.mga6-1-1.mga6.noarch.rpm
kernel-tmb-source-latest-4.9.43-1.mga6.noarch.rpm


x86_64:
kernel-tmb-desktop-4.9.43-1.mga6-1-1.mga6.x86_64.rpm
kernel-tmb-desktop-devel-4.9.43-1.mga6-1-1.mga6.x86_64.rpm
kernel-tmb-desktop-devel-latest-4.9.43-1.mga6.x86_64.rpm
kernel-tmb-desktop-latest-4.9.43-1.mga6.x86_64.rpm
kernel-tmb-source-4.9.43-1.mga6-1-1.mga6.noarch.rpm
kernel-tmb-source-latest-4.9.43-1.mga6.noarch.rpm
Comment 1 Len Lawrence 2017-08-14 18:27:55 CEST 
Mageia release 6 (Cauldron) for x86_64
4.9.34-desktop-3.mga6
Intel(R) Core(TM) i7-3630QM CPU @ 2.40GHz
NVIDIA Corporation GK107M [GeForce GT 650M] 
RAM  7.75 GB
Legacy boot

Replaced microcode-0.20170707-1.mga6.nonfree.noarch and installed
- kernel-tmb-desktop-4.9.43-1.mga6-1-1.mga6.x86_64
- kernel-tmb-desktop-devel-4.9.43-1.mga6-1-1.mga6.x86_64
- kernel-tmb-desktop-devel-latest-4.9.43-1.mga6.x86_64
- kernel-tmb-desktop-latest-4.9.43-1.mga6.x86_64
- kernel-tmb-source-4.9.43-1.mga6-1-1.mga6.noarch
- kernel-tmb-source-latest-4.9.43-1.mga6.noarch
# drakboot --boot
Rebooted to Mate.
$ uname -r
4.9.43-tmb-desktop-1.mga6
Desktop in working order.  Ran a few stress tests.  Sound and vision OK with vlc.  Networking and NFS shares OK.

CC: (none) => tarazed25

Comment 2 James Kerr 2017-08-15 19:06:54 CEST 
On mga6-64

Packages installed cleanly:
kernel-tmb-desktop-4.9.43-1.mga6-1-1.mga6
kernel-tmb-desktop-latest-4.9.43-1.mga6
kernel-tmb-desktop-devel-latest-4.9.43-1.mga6
kernel-tmb-desktop-devel-4.9.43-1.mga6-1-1.mga6

Executed drakboot
System rebooted normally from the default entry in the boot menu

No problems in normal use

Virtualbox and client launched normally

OK for mga6-64 on this system:

Dell product: Precision Tower 3620
Mobo: Dell model: 09WH54 
Card: Intel HD Graphics 530
CPU: Quad core Intel Core i7-6700 (-HT-MCP-)
PC-BIOS (legacy) boot
GPT partitions

CC: (none) => jim

Comment 3 James Kerr 2017-08-15 19:10:35 CEST 
On mga6-32 in a vbox VM

Packages installed cleanly:
- kernel-tmb-desktop-4.9.43-1.mga6-1-1.mga6.i586
- kernel-tmb-desktop-devel-4.9.43-1.mga6-1-1.mga6.i586
- kernel-tmb-desktop-devel-latest-4.9.43-1.mga6.i586
- kernel-tmb-desktop-latest-4.9.43-1.mga6.i586

I had to enable PAE in the VM in order to boot this kernel

System booted normally from the default entry in the boot menu
$ uname -r
4.9.43-tmb-desktop-1.mga6

No problems noted in normal use

OK for mga6-32 in a vbox VM
Comment 4 Len Lawrence 2017-08-16 09:23:25 CEST 
Mageia release 6 (Official) for x86_64
4.9.38-desktop-1.mga6
Intel(R) Core(TM) i7-4790 CPU @ 3.60GHz
NVIDIA Corporation GM204 [GeForce GTX 970] 
RAM 31.37 GB

Six packages installed.
$ drakboot --boot
Reinstalled bootloader
Rebooted to Mate.  Ran 30 second stress tests on RAM, CPU cores, IO, and HDD.
Desktop running fine.
$ uname -r
4.9.43-tmb-desktop-1.mga6
Comment 5 Brian Rockwell 2017-08-18 05:14:50 CEST 
AMD Athlon X2-3800 with Nvidia integrated graphics.

(physical hardware test on M6)

$ uname -a
Linux localhost.localdomain 4.9.43-tmb-desktop-1.mga6 #1 SMP PREEMPT Sun Aug 13 19:34:16 UTC 2017 i686 i686 i686 GNU/Linux

- Desktop is fine
- Libreoffice working
- Firefox working
- sound works able to play videos and music

CC: (none) => brtians1

Comment 6 Brian Rockwell 2017-08-18 15:10:25 CEST 
Spent more hours running this kernel.  Seems to be working as designed.  A number of high I/O and video events, no issues to report.

Whiteboard: (none) => mga6-32-ok

Comment 7 Thomas Backlund 2017-08-18 18:47:07 CEST 
Advisory:

  This kernel update is based on upstream 4.9.43 and fixes atleast the
  following security issues:

  The curseg->segno call in f2fs driver can be malformed so that it will have
  a value that triggers an out of boundary write that could cause memory
  corruption on the affected devices, leading to code execution in the kernel
  context. This would allow for more data to be accessed and controlled by
  the malware (CVE-2017-10663).

  The UDP Fragmentation Offload (UFO) feature is vulnerable to out-of-bounds
  writes causing exploitable memory corruption. If unprivileged user
  namespaces are available, this bug can be exploited to gain root privileges
  (CVE-2017-1000112).

  For other upstream fixes in this update, read the referenced changelogs.

Whiteboard: mga6-32-ok => mga6-32-ok advisory

Comment 8 Lewis Smith 2017-08-22 22:39:09 CEST 
Testing M6_64 real H/W with Radeon/ATI graphics

kernel-tmb-desktop-latest-4.9.43-1.mga6
kernel-tmb-desktop-4.9.43-1.mga6-1-1.mga6
 $ uname -r
4.9.43-tmb-desktop-1.mga6

Have been using this without problems. Giving it the 64-bit OK largely due to the several earlier & more serious good reports. Validating.

Whiteboard: mga6-32-ok advisory => mga6-32-ok advisory MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 9 Mageia Robot 2017-08-23 17:43:46 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0296.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.