Bug 27597 - microcode new security issues CVE-2020-869[4568]
Summary: microcode new security issues CVE-2020-869[4568]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-11-11 17:57 CET by David Walser
Modified: 2020-11-16 10:19 CET

See Also:
Source RPM: microcode-0.2020616-1.mga7.nonfree.src.rpm
CVE:
Status comment:



Description David Walser 2020-11-11 17:57:22 CET
Red Hat has issued an advisory today (November 11):
https://access.redhat.com/errata/RHSA-2020:5085

The issues are fixed upstream in 20201027.

Mageia 7 is also affected.

We should make sure the fix in Bug 26995 is applied to Mageia 7 as well.
David Walser 2020-11-11 17:57:29 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Nicolas Salguero 2020-11-12 09:46:52 CET
Suggested advisory:
========================

The updated package fixes a packaging issue and security vulnerabilities:

Insufficient access control in the Linux kernel driver for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2020-8694)

Observable discrepancy in the RAPL interface for some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access. (CVE-2020-8695)

Improper removal of sensitive information before storage or transfer in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2020-8696)

Improper isolation of shared resources in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2020-8698)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8694
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8695
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8696
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8698
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00381.html
https://access.redhat.com/errata/RHSA-2020:5085
https://bugs.mageia.org/show_bug.cgi?id=26995
========================

Updated package in nonfree/updates_testing:
========================
microcode-0.20201110-1.mga7.nonfree

from SRPM:
microcode-0.20201110-1.mga7.nonfree.src.rpm

Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Summary: microcode new security issues CVE-2020-869[568] => microcode new security issues CVE-2020-869[4568]
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Source RPM: microcode-0.2020616-2.mga8.nonfree.src.rpm => microcode-0.2020616-1.mga7.nonfree.src.rpm

Nicolas Salguero 2020-11-12 09:47:10 CET

CC: (none) => nicolas.salguero

Comment 2 Morgan Leijström 2020-11-12 23:24:09 CET
No problem here after a couple of hours on my workstation, with BOINC fully exercising the CPU and GPU while I surf bugs, edit photos, etc...

That said, I do not know why the journal says microcode date = 2019-02-13
- I guess my CPU, an i7-3770, is old and there is no patch later than that for it?


nov 12 21:08:53 svarten.tribun kernel: microcode: microcode updated early to revision 0x21, date = 2019-02-13
nov 12 21:08:53 svarten.tribun kernel: SRBDS: Vulnerable: No microcode
nov 12 21:08:53 svarten.tribun kernel: microcode: sig=0x306a9, pf=0x2, revision=0x21
nov 12 21:08:53 svarten.tribun kernel: microcode: Microcode Update Driver: v2.2.

CC: (none) => fri

Comment 3 Herman Viaene 2020-11-13 15:43:11 CET
MGA7-64 MATE on Peaq C1011
No installation issues
Doing normal things, reading documents, viewing photos, net access, etc.... All seems normal

CC: (none) => herman.viaene

Comment 4 Aurelien Oudelet 2020-11-13 18:03:09 CET
Mageia 7 x86_64 Intel Core i5 6600K Skylake.
Update to microcode-0.20201110-1.mga7.nonfree is OK.
Reboot is OK
Basic computer use is OK.
No thermal issue.

$ journalctl -b | grep microcode
nov. 13 17:07:47 mageia.local kernel: microcode: microcode updated early to revision 0xe2, date = 2020-07-14
nov. 13 17:07:47 mageia.local kernel: microcode: sig=0x506e3, pf=0x2, revision=0xe2
nov. 13 17:07:47 mageia.local kernel: microcode: Microcode Update Driver: v2.2.
This system does not seem to be vulnerable according to Intel Advisories.

Tested case of a M7 new installation under a VM with Classic ISO, for bug 26995:
Installer can't let me choose updates_testing repo.

Validating update. Package and advisory in Comment 1.
Advisory pushed to SVN.

CC: (none) => ouaurelien
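
The journal checks in comments 2 and 4 can be scripted for more than one machine. The following is an added example, not part of the bug thread or of Mageia's tooling: it parses the kernel's microcode lines, compares the running revision with one the operator expects, and surfaces any "Vulnerable" status the kernel prints. The names parse_microcode_log, findings and EXPECTED are hypothetical, and the expected revision is simply the one observed in comment 4.

```python
import re

# Kernel log lines copied from comments 2 and 4 (timestamps and hostnames trimmed).
IVY_BRIDGE_LOG = """\
kernel: microcode: microcode updated early to revision 0x21, date = 2019-02-13
kernel: SRBDS: Vulnerable: No microcode
kernel: microcode: sig=0x306a9, pf=0x2, revision=0x21
"""
SKYLAKE_LOG = """\
kernel: microcode: microcode updated early to revision 0xe2, date = 2020-07-14
kernel: microcode: sig=0x506e3, pf=0x2, revision=0xe2
"""

EARLY = re.compile(r"microcode updated early to revision (0x[0-9a-f]+), date = (\d{4}-\d{2}-\d{2})")
CPU = re.compile(r"microcode: sig=(0x[0-9a-f]+), pf=(0x[0-9a-f]+), revision=(0x[0-9a-f]+)")
VULN = re.compile(r"kernel: (\w+): (Vulnerable\b.*)$")

def parse_microcode_log(text):
    """Collect CPU signature, running revision, blob date and kernel 'Vulnerable' notes."""
    info = {"sig": None, "pf": None, "revision": None, "date": None, "vulnerable": {}}
    for line in text.splitlines():
        if m := EARLY.search(line):
            info["revision"], info["date"] = int(m.group(1), 16), m.group(2)
        elif m := CPU.search(line):
            info["sig"], info["pf"] = int(m.group(1), 16), int(m.group(2), 16)
            info["revision"] = int(m.group(3), 16)
        elif m := VULN.search(line):
            info["vulnerable"][m.group(1)] = m.group(2)
    return info

def findings(info, expected):
    """expected maps CPU signature -> revision the operator wants after the update."""
    if info["sig"] is None:
        return ["no microcode signature line found"]
    out = []
    want = expected.get(info["sig"])
    if want is None:
        out.append("no expected revision recorded for sig=%#x" % info["sig"])
    elif info["revision"] < want:
        out.append("sig=%#x runs %#x, expected at least %#x" % (info["sig"], info["revision"], want))
    out.extend("%s: %s" % item for item in info["vulnerable"].items())
    return out

# Assumption: the revision comment 4 reported with microcode-0.20201110-1.mga7.nonfree,
# not a figure taken from an Intel advisory.
EXPECTED = {0x506e3: 0xe2}
```

On a live system the input would be the output of `journalctl -b -k`; a signature with no entry in EXPECTED is reported rather than assumed to be fine.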

Aurelien Oudelet 2020-11-13 18:04:58 CET

CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA7-64-OK

Comment 5 Mageia Robot 2020-11-13 22:22:17 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0422.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 6 David Walser 2020-11-14 23:13:01 CET
Does this regression affect us?
https://ubuntu.com/security/notices/USN-4628-2
Comment 7 Thomas Backlund 2020-11-16 10:19:41 CET
(In reply to David Walser from comment #6)
> Does this regression affect us?
> https://ubuntu.com/security/notices/USN-4628-2

Yes, the broken microcode is in the 20201110 firmware release.

There is also now an upstream 20201112 release that adds another microcode (but no fix for this yet).
