Bug 23544 - Update request: kernel-tmb-4.14.69-1.mga6
Summary: Update request: kernel-tmb-4.14.69-1.mga6
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: mga6-64-ok, mga6-32-ok
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-09-07 19:48 CEST by Thomas Backlund
Modified: 2018-09-14 23:31 CEST

See Also:
Source RPM: kernel-tmb
CVE:
Status comment:


Description Thomas Backlund 2018-09-07 19:48:28 CEST
More follow-up fixes for Spectre and L1TF security issues and some other security and bugfixes...

SRPMS:
kernel-tmb-4.14.68-1.mga6.src.rpm


i586:
kernel-tmb-desktop-4.14.68-1.mga6-1-1.mga6.i586.rpm
kernel-tmb-desktop-devel-4.14.68-1.mga6-1-1.mga6.i586.rpm
kernel-tmb-desktop-devel-latest-4.14.68-1.mga6.i586.rpm
kernel-tmb-desktop-latest-4.14.68-1.mga6.i586.rpm
kernel-tmb-source-4.14.68-1.mga6-1-1.mga6.noarch.rpm
kernel-tmb-source-latest-4.14.68-1.mga6.noarch.rpm


x86_64:
kernel-tmb-desktop-4.14.68-1.mga6-1-1.mga6.x86_64.rpm
kernel-tmb-desktop-devel-4.14.68-1.mga6-1-1.mga6.x86_64.rpm
kernel-tmb-desktop-devel-latest-4.14.68-1.mga6.x86_64.rpm
kernel-tmb-desktop-latest-4.14.68-1.mga6.x86_64.rpm
kernel-tmb-source-4.14.68-1.mga6-1-1.mga6.noarch.rpm
kernel-tmb-source-latest-4.14.68-1.mga6.noarch.rpm
Comment 1 Len Lawrence 2018-09-08 10:57:13 CEST
Mageia 6, x86_64

Intel core i7, NVIDIA GTX 770.

Creating: target|kernel|dracut args|basicmodules 
remove-boot-splash: Format of /boot/initrd-4.14.68-tmb-desktop-1.mga6.img not recognized

But otherwise OK.
Rebooted to Mate desktop - NETFLOW driver and other kernel modules rebuilt on the fly.
Desktop fully operational.  Hardware and memory stress tests ran OK.

CC: (none) => tarazed25

Comment 2 Len Lawrence 2018-09-08 12:00:17 CEST
Mageia 6, x86_64

Intel core i7, NVIDIA GTX 970

No problem with the update but something odd happened with the disk stress test.  
$ stress -d 3 -t 25
That did not terminate and gkrellm indicated that eth0 was heavily used throughout the test together with one of the cores.  Ctrl-C stopped the command in the terminal but disk activity continued for at least five minutes.

Tried a very short time interval but the process stuck again.
$ stress -d 2 -t 10
stress: info: [11376] dispatching hogs: 0 cpu, 0 io, 0 vm, 2 hdd
^C
[lcl@difda qa]$ ps aux | grep stress
lcl      11377  7.6  0.0   8108  1688 pts/2    D    10:54   0:07 stress -d 2 -t 10
lcl      11378  7.9  0.0   8108  1688 pts/2    D    10:54   0:07 stress -d 2 -t 10

Looks like it re-spawned right after the Ctrl-C.  It died eventually.
This seems to happen every now and again with kernel updates but everything else is working fine.
Comment 3 Len Lawrence 2018-09-08 12:17:14 CEST
Re comment #2

In the journal there were dozens of lines like:
Sep 08 10:42:40 difda pkexec[7792]: pam_systemd(polkit-1:session): Cannot create
Sep 08 10:42:40 difda pkexec[7792]: pam_unix(polkit-1:session): session opened f
Sep 08 10:42:43 difda mgaapplet[9716]: Packages are up to date
Sep 08 10:43:45 difda pkexec[13980]: lcl: Error executing command as another use
Sep 08 10:44:12 difda pkexec[16007]: lcl: Error executing command as another use

which may be completely irrelevant.
Comment 4 Len Lawrence 2018-09-08 16:42:13 CEST
Mageia 6, x86_64

Intel core i9, NVIDIA GTX 1080Ti

Updated without a problem and rebooted to Mate.  Desktop fully functional.
Stress tests, glmark2, kaffeine TV via WinTV Hauppauge USB adapter, all OK.
Comment 5 Herman Viaene 2018-09-10 15:45:52 CEST
MGA6-32 MATE on IBM Thinkpad R50e
At installation, I also deleted three kernels of the 4.14.5X range, all seems to go well.
After reboot
$ uname -a
Linux mach6.hviaene.thuis 4.14.65-desktop-1.mga6 #1 SMP Sat Aug 18 16:12:25 UTC 2018 i686 i686 i686 GNU/Linux
i.e. the previous kernel version.
Checked in MCC that the kernel packages were installed OK - confirm that. Looked at the startup options in MCC and saw that 4.14.68 is in the list, but apparently it has not been set as default.
Leaving this laptop as is in case someone might require more info on the current configuration.

CC: (none) => herman.viaene

Comment 6 Thomas Backlund 2018-09-10 16:17:31 CEST
Yeah, it's by design.

Only core kernel updates set/update the default kernel.

That's so people installing several kernels don't get surprises.
Comment 7 Len Lawrence 2018-09-10 20:45:19 CEST
@Herman re comment 5:

And if you think you might have difficulty identifying it you could always run 'drakboot --boot' as root and select it as the default.
Comment 8 Herman Viaene 2018-09-11 08:36:49 CEST
My message that I posted on the wrong bug - I didn't install the tmb kernel - was not registered, so I will answer on bug 23543.
Comment 9 Thomas Backlund 2018-09-12 14:20:35 CEST
So new rpms fixing the SPI_INTEL_SPI issue in comment 17 and rebased on 4.14.69 for more security and bugfixes...

SRPMS:
kernel-tmb-4.14.69-1.mga6.src.rpm


i586:
kernel-tmb-desktop-4.14.69-1.mga6-1-1.mga6.i586.rpm
kernel-tmb-desktop-devel-4.14.69-1.mga6-1-1.mga6.i586.rpm
kernel-tmb-desktop-devel-latest-4.14.69-1.mga6.i586.rpm
kernel-tmb-desktop-latest-4.14.69-1.mga6.i586.rpm
kernel-tmb-source-4.14.69-1.mga6-1-1.mga6.noarch.rpm
kernel-tmb-source-latest-4.14.69-1.mga6.noarch.rpm


x86_64:
kernel-tmb-desktop-4.14.69-1.mga6-1-1.mga6.x86_64.rpm
kernel-tmb-desktop-devel-4.14.69-1.mga6-1-1.mga6.x86_64.rpm
kernel-tmb-desktop-devel-latest-4.14.69-1.mga6.x86_64.rpm
kernel-tmb-desktop-latest-4.14.69-1.mga6.x86_64.rpm
kernel-tmb-source-4.14.69-1.mga6-1-1.mga6.noarch.rpm
kernel-tmb-source-latest-4.14.69-1.mga6.noarch.rpm

Summary: Update request: kernel-tmb-4.14.68-1.mga6 => Update request: kernel-tmb-4.14.69-1.mga6

Comment 10 Len Lawrence 2018-09-13 11:34:00 CEST
x86_64, Intel Core i7 with NVIDIA GTX 970 graphics.

Tried the tmb kernel.  The Mate desktop was running fine and glmark2 was back to its usual low score.
Comment 11 Thomas Backlund 2018-09-13 22:53:14 CEST
Advisory, added to svn:

type: security
subject: Updated kernel-tmb packages fix security vulnerabilities
CVE:
 - CVE-2018-6554
 - CVE-2018-6555
src:
  6:
   core:
     - kernel-tmb-4.14.69-1.mga6
description: |
  This kernel-tmb update is based on the upstream 4.14.69 and adds additional
  fixes for the L1TF and Spectre security issues. It also fixes at least
  the following security issues:

  Memory leak in the irda_bind function in net/irda/af_irda.c and later in
  drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows
  local users to cause a denial of service (memory consumption) by repeatedly
  binding an AF_IRDA socket (CVE-2018-6554).

  The irda_setsockopt function in net/irda/af_irda.c and later in
  drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows
  local users to cause a denial of service (ias_object use-after-free and
  system crash) or possibly have unspecified other impact via an AF_IRDA
  socket (CVE-2018-6554).

  Other fixes in this update:
  * WireGuard has been updated to 0.0.20180904
  * all SPI_INTEL_SPI config options have been disabled to prevent a potential
    BIOS corrupting bug (mga#23560)

  For other changes in this update, see the referenced changelogs.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=23544
 - https://bugs.mageia.org/show_bug.cgi?id=23560
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.66
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.67
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.68
 - https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.69

Keywords: (none) => advisory
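
As a post-update check for the advisory in comment 11, and for the situation in comment 5 where the previous kernel was still the one running, this added shell example (not part of the bug thread or of Mageia's tooling) compares the running release with 4.14.69 and reads the kernel's own mitigation report. It assumes the standard sysfs path /sys/devices/system/cpu/vulnerabilities and the module name irda; all function names are hypothetical.

```sh
#!/bin/sh
# Added example: post-update check for the kernel-tmb advisory above.
FIXED=4.14.69   # upstream version the advisory says the update is based on

# Pack the leading "A.B.C" of a release string into one comparable integer.
ver_num() {
    v=${1%%[!0-9.]*}                 # "4.14.65-desktop-1.mga6" -> "4.14.65"
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Succeeds when release $1 is at or above version $2.
kernel_at_least() { [ "$(ver_num "$1")" -ge "$(ver_num "$2")" ]; }

# Print each entry of a sysfs "vulnerabilities" directory ($1). Fails if an
# entry still reads "Vulnerable..." or if the kernel exposes no report at all.
mitigations_ok() {
    m_rc=0; m_seen=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        m_seen=1; status=$(cat "$f")
        printf '  %-12s %s\n' "${f##*/}" "$status"
        case $status in Vulnerable*) m_rc=1 ;; esac
    done
    [ "$m_seen" -eq 1 ] || { echo "  no mitigation report in $1"; m_rc=1; }
    return $m_rc
}

# Succeeds when the irda module appears in a /proc/modules style file ($1);
# both CVEs in the advisory involve AF_IRDA sockets.
irda_loaded() { grep -q '^irda ' "$1" 2>/dev/null; }

# $1 = kernel release, $2 = vulnerabilities dir, $3 = modules file
check_host() {
    c_rc=0
    if kernel_at_least "$1" "$FIXED"; then
        echo "kernel $1: at or above $FIXED"
    else
        echo "kernel $1: older than $FIXED, updated kernel is not the one running"
        c_rc=1
    fi
    mitigations_ok "$2" || c_rc=1
    if irda_loaded "$3"; then echo "  note: irda module is loaded"; fi
    return $c_rc
}

check_host "$(uname -r)" /sys/devices/system/cpu/vulnerabilities /proc/modules \
    || echo "RESULT: action needed"
```

The version test only says the running kernel is new enough; the sysfs entries are what the kernel itself reports for L1TF and Spectre on that CPU.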

Comment 12 Thomas Backlund 2018-09-14 22:16:20 CEST
Enough tests, validating

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => mga6-64-ok, mga6-32-ok

Comment 13 Mageia Robot 2018-09-14 22:42:43 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0374.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 14 William Kenney 2018-09-14 23:31:45 CEST
On real hardware, M6, Plasma, 64-bit

Testing: kernel-tmb-desktop-latest cpupower

The following 3 packages are going to be installed:

- cpupower-4.14.69-1.mga6.x86_64
- kernel-tmb-desktop-4.14.69-1.mga6-1-1.mga6.x86_64
- kernel-tmb-desktop-latest-4.14.69-1.mga6.x86_64

[root@localhost wilcal]# uname -a
Linux localhost 4.14.69-tmb-desktop-1.mga6 #1 SMP PREEMPT Wed Sep 12 12:48:16 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi kernel-tmb-desktop-latest
Package kernel-tmb-desktop-latest-4.14.69-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi cpupower
Package cpupower-4.14.69-1.mga6.x86_64 is already installed

Boots to a working desktop. Screen resolution is correct. Common apps work.

Test platform:
Intel Core i5-4460 Haswell Quad-Core 3.2GHz LGA 115
Gigabyte GA-B85M-D3H LGA 1150 Intel B85 chipset
Integrated Graphics Processor - Intel HD Graphics support
Audio chipset - Realtek ALC892, 7.1 channels
Corsair Vengeance 8GB ( 2 x 4GB ) 240-pin DDR3 SDRAM 1600

CC: (none) => wilcal.int

