Bug 21852 - Update request: kernel-4.4.92-1.mga5
Summary: Update request: kernel-4.4.92-1.mga5
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-64-OK MGA5-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 21901
Reported: 2017-10-13 20:05 CEST by Thomas Backlund
Modified: 2017-12-16 11:36 CET

See Also:
Source RPM: kernel
CVE:
Status comment:


Description Thomas Backlund 2017-10-13 20:05:00 CEST
New kernel update for several security + other fixes...

Advisory will follow...


SRPMS:
kernel-4.4.92-1.mga5.src.rpm
kernel-userspace-headers-4.4.92-1.mga5.src.rpm
kmod-vboxadditions-5.1.26-4.mga5.src.rpm
kmod-virtualbox-5.1.26-4.mga5.src.rpm
kmod-xtables-addons-2.10-48.mga5.src.rpm



i586:
cpupower-4.4.92-1.mga5.i586.rpm
cpupower-devel-4.4.92-1.mga5.i586.rpm
kernel-desktop-4.4.92-1.mga5-1-1.mga5.i586.rpm
kernel-desktop586-4.4.92-1.mga5-1-1.mga5.i586.rpm
kernel-desktop586-devel-4.4.92-1.mga5-1-1.mga5.i586.rpm
kernel-desktop586-devel-latest-4.4.92-1.mga5.i586.rpm
kernel-desktop586-latest-4.4.92-1.mga5.i586.rpm
kernel-desktop-devel-4.4.92-1.mga5-1-1.mga5.i586.rpm
kernel-desktop-devel-latest-4.4.92-1.mga5.i586.rpm
kernel-desktop-latest-4.4.92-1.mga5.i586.rpm
kernel-doc-4.4.92-1.mga5.noarch.rpm
kernel-server-4.4.92-1.mga5-1-1.mga5.i586.rpm
kernel-server-devel-4.4.92-1.mga5-1-1.mga5.i586.rpm
kernel-server-devel-latest-4.4.92-1.mga5.i586.rpm
kernel-server-latest-4.4.92-1.mga5.i586.rpm
kernel-source-4.4.92-1.mga5-1-1.mga5.noarch.rpm
kernel-source-latest-4.4.92-1.mga5.noarch.rpm
kernel-userspace-headers-4.4.92-1.mga5.i586.rpm
perf-4.4.92-1.mga5.i586.rpm

vboxadditions-kernel-4.4.92-desktop-1.mga5-5.1.26-4.mga5.i586.rpm
vboxadditions-kernel-4.4.92-desktop586-1.mga5-5.1.26-4.mga5.i586.rpm
vboxadditions-kernel-4.4.92-server-1.mga5-5.1.26-4.mga5.i586.rpm
vboxadditions-kernel-desktop586-latest-5.1.26-4.mga5.i586.rpm
vboxadditions-kernel-desktop-latest-5.1.26-4.mga5.i586.rpm
vboxadditions-kernel-server-latest-5.1.26-4.mga5.i586.rpm

virtualbox-kernel-4.4.92-desktop-1.mga5-5.1.26-4.mga5.i586.rpm
virtualbox-kernel-4.4.92-desktop586-1.mga5-5.1.26-4.mga5.i586.rpm
virtualbox-kernel-4.4.92-server-1.mga5-5.1.26-4.mga5.i586.rpm
virtualbox-kernel-desktop586-latest-5.1.26-4.mga5.i586.rpm
virtualbox-kernel-desktop-latest-5.1.26-4.mga5.i586.rpm
virtualbox-kernel-server-latest-5.1.26-4.mga5.i586.rpm

xtables-addons-kernel-4.4.92-desktop-1.mga5-2.10-48.mga5.i586.rpm
xtables-addons-kernel-4.4.92-desktop586-1.mga5-2.10-48.mga5.i586.rpm
xtables-addons-kernel-4.4.92-server-1.mga5-2.10-48.mga5.i586.rpm
xtables-addons-kernel-desktop586-latest-2.10-48.mga5.i586.rpm
xtables-addons-kernel-desktop-latest-2.10-48.mga5.i586.rpm
xtables-addons-kernel-server-latest-2.10-48.mga5.i586.rpm



x86_64:
cpupower-4.4.92-1.mga5.x86_64.rpm
cpupower-devel-4.4.92-1.mga5.x86_64.rpm
kernel-desktop-4.4.92-1.mga5-1-1.mga5.x86_64.rpm
kernel-desktop-devel-4.4.92-1.mga5-1-1.mga5.x86_64.rpm
kernel-desktop-devel-latest-4.4.92-1.mga5.x86_64.rpm
kernel-desktop-latest-4.4.92-1.mga5.x86_64.rpm
kernel-doc-4.4.92-1.mga5.noarch.rpm
kernel-server-4.4.92-1.mga5-1-1.mga5.x86_64.rpm
kernel-server-devel-4.4.92-1.mga5-1-1.mga5.x86_64.rpm
kernel-server-devel-latest-4.4.92-1.mga5.x86_64.rpm
kernel-server-latest-4.4.92-1.mga5.x86_64.rpm
kernel-source-4.4.92-1.mga5-1-1.mga5.noarch.rpm
kernel-source-latest-4.4.92-1.mga5.noarch.rpm
kernel-userspace-headers-4.4.92-1.mga5.x86_64.rpm
perf-4.4.92-1.mga5.x86_64.rpm

vboxadditions-kernel-4.4.92-desktop-1.mga5-5.1.26-4.mga5.x86_64.rpm
vboxadditions-kernel-4.4.92-server-1.mga5-5.1.26-4.mga5.x86_64.rpm
vboxadditions-kernel-desktop-latest-5.1.26-4.mga5.x86_64.rpm
vboxadditions-kernel-server-latest-5.1.26-4.mga5.x86_64.rpm

virtualbox-kernel-4.4.92-desktop-1.mga5-5.1.26-4.mga5.x86_64.rpm
virtualbox-kernel-4.4.92-server-1.mga5-5.1.26-4.mga5.x86_64.rpm
virtualbox-kernel-desktop-latest-5.1.26-4.mga5.x86_64.rpm
virtualbox-kernel-server-latest-5.1.26-4.mga5.x86_64.rpm

xtables-addons-kernel-4.4.92-desktop-1.mga5-2.10-48.mga5.x86_64.rpm
xtables-addons-kernel-4.4.92-server-1.mga5-2.10-48.mga5.x86_64.rpm
xtables-addons-kernel-desktop-latest-2.10-48.mga5.x86_64.rpm
xtables-addons-kernel-server-latest-2.10-48.mga5.x86_64.rpm

Comment 1 William Kenney 2017-10-15 00:37:46 CEST
In a Vbox client, M5.1, KDE, 64bit

Testing: kernel-desktop-latest vboxadditions-kernel-desktop-latest

[root@localhost wilcal]# uname -a
Linux localhost 4.4.88-desktop-1.mga5 #1 SMP Thu Sep 14 00:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop-latest
Package kernel-desktop-latest-4.4.88-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi vboxadditions-kernel-desktop-latest
Package vboxadditions-kernel-desktop-latest-5.1.26-3.mga5.x86_64 is already installed

Boots to a working desktop. Screen resolution is correct. Common apps work.

Installed kernel-desktop-latest vboxadditions-kernel-desktop-latest from updates testing

Reboot client

[root@localhost wilcal]# uname -a
Linux localhost 4.9.56-desktop-1.mga6 #1 SMP Thu Oct 12 22:55:31 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop-latest
Package kernel-desktop-latest-4.9.56-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi vboxadditions-kernel-desktop-latest
Package vboxadditions-kernel-desktop-latest-5.1.26-6.mga6.x86_64 is already installed

Boots to a working desktop. Screen resolution is correct. Common apps work.

CC: (none) => wilcal.int

Comment 2 William Kenney 2017-10-15 00:38:02 CEST
In a Vbox client, M5.1, KDE, 32bit

Testing: kernel-desktop-latest vboxadditions-kernel-desktop-latest

[root@localhost wilcal]# uname -a
Linux localhost 4.4.88-desktop-1.mga5 #1 SMP Thu Sep 14 00:19:53 UTC 2017 i686 i686 i686 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop-latest
Package kernel-desktop-latest-4.4.88-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi vboxadditions-kernel-desktop-latest
Package vboxadditions-kernel-desktop-latest-5.1.26-3.mga5.i586 is already installed

Boots to a working desktop. Screen resolution is correct. Common apps work.

Installed kernel-desktop-latest vboxadditions-kernel-desktop-latest from updates testing

Reboot client

[root@localhost wilcal]# uname -a
Linux localhost 4.4.92-desktop-1.mga5 #1 SMP Thu Oct 12 20:29:18 UTC 2017 i686 i686 i686 GNU/Linux
[root@localhost wilcal]# urpmi kernel-desktop-latest
Package kernel-desktop-latest-4.4.92-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi vboxadditions-kernel-desktop-latest
Package vboxadditions-kernel-desktop-latest-5.1.26-4.mga5.i586 is already installed

Boots to a working desktop. Screen resolution is correct. Common apps work.

Comment 3 PC LX 2017-10-15 02:28:53 CEST
Installed and tested without issues.

A full day of normal use with many programs tested/used, without any noticeable issues.

System: Mageia 5, x86_64, Plasma DE, Intel CPU, nVidia GPU with proprietary driver nvidia340.

$ uname -a
Linux marte 4.4.92-desktop-1.mga5 #1 SMP Thu Oct 12 20:14:45 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ uptime 
 01:23:54 up 15:52,  3 users,  load average: 0,55, 0,59, 0,54
$ rpm -qa | grep 4\.4\.92 | sort
cpupower-4.4.92-1.mga5
kernel-desktop-4.4.92-1.mga5-1-1.mga5
kernel-desktop-devel-4.4.92-1.mga5-1-1.mga5
kernel-desktop-devel-latest-4.4.92-1.mga5
kernel-desktop-latest-4.4.92-1.mga5
kernel-userspace-headers-4.4.92-1.mga5
perf-4.4.92-1.mga5
$ rpm -qa | egrep 'virtualbox|nvidia' | sort
dkms-nvidia340-340.101-1.mga5.nonfree
dkms-virtualbox-5.1.26-1.mga5
nvidia340-cuda-opencl-340.101-1.mga5.nonfree
nvidia340-devel-340.101-1.mga5.nonfree
nvidia340-kernel-desktop-latest-340.96-6.mga5.nonfree
virtualbox-5.1.26-1.mga5
virtualbox-doc-5.1.26-1.mga5
x11-driver-video-nvidia340-340.101-1.mga5.nonfree

Whiteboard: (none) => MGA5-64-OK
CC: (none) => mageia

Comment 4 Len Lawrence 2017-10-15 03:48:30 CEST
mga5::x86_64

Intel(R) Core(TM) i7-4790K CPU @ 4.00GHz
NVIDIA Corporation GK104 [GeForce GTX 770]

Ran the updates from updates testing and non free updates testing.

- cpupower-4.4.92-1.mga5.x86_64.rpm
- cpupower-devel-4.4.92-1.mga5.x86_64.rpm
- kernel-desktop-4.4.92-1.mga5-1-1.mga5.x86_64.rpm
- kernel-desktop-devel-4.4.92-1.mga5-1-1.mga5.x86_64.rpm
- kernel-desktop-devel-latest-4.4.92-1.mga5.x86_64.rpm
- kernel-desktop-latest-4.4.92-1.mga5.x86_64.rpm
- kernel-doc-4.4.92-1.mga5.noarch
- kernel-userspace-headers-4.4.92-1.mga5.x86_64

- kernel-source-4.4.92-1.mga5
- kernel-source-latest
- perf-4.4.92-1.mga5

These already installed:
virtualbox-kernel-4.4.92-desktop-1.mga5-5.1.26-4.mga5.x86_64
virtualbox-kernel-desktop-latest-5.1.26-6.mga6.x86_64
xtables-addons-kernel-desktop-latest-2.10-48.mga5.x86_64

$ drakboot --boot
$ reboot
Rebooted to Mate desktop.
$ uname -r
4.4.92-desktop-1.mga5
Two Desktop icons confirmed that the network shared directories had been mounted.
$ ls pad/qa | wc -l
231

Ran stress tests and glmark2.
There was an initial problem with the disk bashing test.  Three processes were spawned which did not terminate and could not be killed with SIGTERM - status D.  Logging out and in usually killed them but one time they came back to life and continued for a while before running out of steam.  These tests were run in a network mounted directory.  The problem did not recur when the test was run from a local directory.  A lesson learned.

pulseaudio running.  Watched terrestrial HD TV using vlc.  Managed to get sound via Bluetooth and blueman.   
Remote SSH login to another machine on the LAN was OK using known_hosts.

Other common desktop applications running fine.

CC: (none) => tarazed25

Comment 5 James Kerr 2017-10-15 16:37:00 CEST
kernel-desktop on mga5-64

Packages installed cleanly:

- cpupower-4.4.92-1.mga5.x86_64
- kernel-desktop-4.4.92-1.mga5-1-1.mga5.x86_64
- kernel-desktop-latest-4.4.92-1.mga5.x86_64
- kernel-userspace-headers-4.4.92-1.mga5.x86_64
- virtualbox-kernel-4.4.92-desktop-1.mga5-5.1.26-4.mga5.x86_64
- virtualbox-kernel-desktop-latest-5.1.26-4.mga5.x86_64

System re-booted normally:
$ uname -r
4.4.92-desktop-1.mga5

no regressions noted

virtualbox and client launched normally

OK for mga5-64 on this system:

Dell product: Precision Tower 3620
Mobo: Dell model: 09WH54 
Card: Intel HD Graphics 530
CPU: Quad core Intel Core i7-6700 (-HT-MCP-)
PC-BIOS boot
GPT partitions

CC: (none) => jim

Comment 6 James Kerr 2017-10-15 16:40:22 CEST
kernel-desktop on mga5-32 in a vbox VM:

Packages installed cleanly:

- cpupower-4.4.92-1.mga5.i586
- kernel-desktop-4.4.92-1.mga5-1-1.mga5.i586
- kernel-desktop-latest-4.4.92-1.mga5.i586
- kernel-userspace-headers-4.4.92-1.mga5.i586
- vboxadditions-kernel-4.4.92-desktop-1.mga5-5.1.26-4.mga5.i586
- vboxadditions-kernel-desktop-latest-5.1.26-4.mga5.i586

VM re-booted normally:
[jim@mga5-32 ~]$ uname -r
4.4.92-desktop-1.mga5

No regressions noted

OK for mga5-32 in a vbox VM

Comment 7 Len Lawrence 2017-10-15 20:10:04 CEST
mga5::x86_64

4.4.88-desktop-1.mga5
Intel(R) Core(TM) i7-4790 CPU @ 3.60GHz
NVIDIA Corporation GM204 [GeForce GTX 970] 
nvidia 384.59
Mobo: MSI model: Z97-G43 (MS-7816) v: 3.0

Updates:
- cpupower-4.4.92-1.mga5.x86_64
- cpupower-devel-4.4.92-1.mga5.x86_64
- kernel-desktop-4.4.92-1.mga5-1-1.mga5.x86_64
- kernel-desktop-devel-4.4.92-1.mga5-1-1.mga5.x86_64
- kernel-desktop-devel-latest-4.4.92-1.mga5.x86_64
- kernel-desktop-latest-4.4.92-1.mga5.x86_64
- kernel-doc-4.4.92-1.mga5.noarch
- kernel-userspace-headers-4.4.92-1.mga5.x86_64
- ldetect-lst-0.1.346.8-1.mga5.x86_64
- ldetect-lst-devel-0.1.346.8-1.mga5.x86_64
- perf-4.4.92-1.mga5.x86_64
- xtables-addons-kernel-4.4.92-desktop-1.mga5-2.10-48.mga5.x86_64
- xtables-addons-kernel-desktop-latest-2.10-48.mga5.x86_64
- virtualbox-kernel-4.4.92-desktop-1.mga5-5.1.26-4.mga5.x86_64
- virtualbox-kernel-desktop-latest-5.1.26-4.mga5.x86_64

nvidia-current module built during the installation.

$ drakboot --boot

Rebooted to Mate desktop.
Video and graphics across the LAN on remote login.
Network shares mounted and usable - read/write working.
stellarium OK.  Installed gwenview and 183 KDE support packages and browsed an image directory.  Everything else was working.

Installed virtualbox and booted one of the guest systems and configured it.
Ran stress in all four modes.  OK.
Fedora glmark2 2012.12.  This ran four times faster than the mga6 version.

Comment 8 Thomas Backlund 2017-10-19 23:31:30 CEST
Advisory (also added to svn)


This kernel update is based on upstream 4.4.92 and fixes at least the
following security issues:

A security flaw was discovered in nl80211_set_rekey_data() function in the
Linux kernel since v3.1-rc1 through v4.13. This function does not check
whether the required attributes are present in a netlink request. This
request can be issued by a user with CAP_NET_ADMIN privilege and may result
in NULL dereference and a system crash (CVE-2017-12153).

Linux kernel built with the KVM virtualization support (CONFIG_KVM), with
nested virtualization (nVMX) feature enabled (nested=1), is vulnerable to a
crash due to disabled external interrupts. As L2 guest could access (r/w)
hardware CR8 register of the host (L0). In a nested virtualization setup,
L2 guest user could use this flaw to potentially crash the host (L0)
resulting in DoS (CVE-2017-12154).

The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before
4.12 allows local users to cause a denial of service (__tcp_select_window
divide-by-zero error and system crash) by triggering a disconnect within a
certain tcp_recvmsg code path (CVE-2017-14106).

The atyfb_ioctl function in drivers/video/fbdev/aty/atyfb_base.c in the
Linux kernel through 4.12.10 does not initialize a certain data structure,
which allows local users to obtain sensitive information from kernel stack
memory by reading locations associated with padding bytes (CVE-2017-14156).

It was found that the iscsi_if_rx() function in scsi_transport_iscsi.c in
the Linux kernel since v2.6.24-rc1 through 4.13.2 allows local users to
cause a denial of service (a system panic) by making a number of certain
syscalls by leveraging incorrect length validation in the kernel code
(CVE-2017-14489).

The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel before 4.13.4
allows local users to obtain sensitive information from uninitialized kernel
heap-memory locations via an SG_GET_REQUEST_TABLE ioctl call for /dev/sg0
(CVE-2017-14991).

A reachable assertion failure flaw was found in the Linux kernel built with
KVM virtualisation(CONFIG_KVM) support with Virtual Function I/O feature
(CONFIG_VFIO) enabled. This failure could occur if a malicious guest device
sent a virtual interrupt (guest IRQ) with a larger (>1024) index value
(CVE-2017-1000252).

Keywords: (none) => advisory
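
The missing-attribute check described for CVE-2017-12153 in the advisory above, modelled in user space as an added example (it is not kernel code and not part of the original bug report). The attribute ids, sizes, record layout and function names are hypothetical; the sample request is constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical ids and sizes for this model; not the kernel's definitions. */
enum { ATTR_KEK = 1, ATTR_KCK, ATTR_REPLAY_CTR, ATTR_MAX = ATTR_REPLAY_CTR };
enum { KEK_LEN = 16, KCK_LEN = 16, CTR_LEN = 8, HDR = 4 };
struct view { const uint8_t *data; size_t len; };
struct rekey { uint8_t kek[KEK_LEN], kck[KCK_LEN], ctr[CTR_LEN]; };

/* Walk {u16 len, u16 type, payload} records padded to 4 bytes. An absent
 * attribute leaves tb[type].data NULL and the parse still succeeds. */
static int parse_attrs(const uint8_t *buf, size_t n, struct view *tb)
{
    memset(tb, 0, (ATTR_MAX + 1) * sizeof(*tb));
    for (size_t off = 0; off < n && n - off >= HDR; ) {
        uint16_t h[2];                    /* h[0] = length, h[1] = type */
        memcpy(h, buf + off, HDR);
        if (h[0] < HDR || (size_t)h[0] > n - off)
            return -EINVAL;               /* record overruns the message */
        if (h[1] >= 1 && h[1] <= ATTR_MAX)
            tb[h[1]] = (struct view){ buf + off + HDR, (size_t)h[0] - HDR };
        off += ((size_t)h[0] + 3) & ~(size_t)3;
    }
    return 0;
}

static int set_rekey_checked(const uint8_t *msg, size_t n, struct rekey *out)
{
    struct view tb[ATTR_MAX + 1];
    if (parse_attrs(msg, n, tb) < 0)
        return -EINVAL;
    /* Presence check: without it the code below reads through a NULL
     * pointer whenever the sender leaves an attribute out. */
    if (!tb[ATTR_KEK].data || !tb[ATTR_KCK].data || !tb[ATTR_REPLAY_CTR].data)
        return -EINVAL;
    if (tb[ATTR_KEK].len != KEK_LEN || tb[ATTR_KCK].len != KCK_LEN ||
        tb[ATTR_REPLAY_CTR].len != CTR_LEN)
        return -ERANGE;
    memcpy(out->kek, tb[ATTR_KEK].data, KEK_LEN);
    memcpy(out->kck, tb[ATTR_KCK].data, KCK_LEN);
    memcpy(out->ctr, tb[ATTR_REPLAY_CTR].data, CTR_LEN);
    return 0;
}

/* Constructed sample request (host byte order); not captured traffic. */
static const struct {
    uint16_t l1, t1; uint8_t kek[KEK_LEN]; uint16_t l2, t2; uint8_t kck[KCK_LEN];
    uint16_t l3, t3; uint8_t ctr[CTR_LEN];
} sample = { 20, ATTR_KEK, {1}, 20, ATTR_KCK, {2}, 12, ATTR_REPLAY_CTR, {3} };
```

Passing only the first 40 bytes of `sample` drops the third attribute, which is the case the presence check rejects with `-EINVAL` before any payload pointer is used.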

Thomas Backlund 2017-10-20 08:44:28 CEST

Blocks: (none) => 21901

Comment 9 Herman Viaene 2017-10-20 17:56:58 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues
Tested .doc file, played movie and music file, viewed some pictures, visited website with text, pictures and movie. All OK, no obvious problems

CC: (none) => herman.viaene

Comment 10 Herman Viaene 2017-10-24 10:23:41 CEST
No issues found using this while running other tests. OK for me.

Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK

Comment 11 William Kenney 2017-10-24 21:48:56 CEST
Let's move this one on.
This update works fine.
Testing complete for MGA6, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 12 William Kenney 2017-10-24 21:50:31 CEST
Correction to: Testing complete for MGA6, 32-bit & 64-bit

Should be: Testing complete for MGA5, 32-bit & 64-bit

Comment 13 Mageia Robot 2017-10-24 22:10:25 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0386.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 14 Thomas Backlund 2017-12-16 11:36:56 CET
*** Bug 21663 has been marked as a duplicate of this bug. ***

CC: (none) => luigiwalser

