Bug 9209 - Update request: kernel-3.4.34-1.mga2
: Update request: kernel-3.4.34-1.mga2
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: All Linux
: High Severity: critical
: ---
Assigned To: QA Team
: Sec team
:
: has_procedure mga2-64-ok MGA2-32-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-03-01 00:47 CET by Thomas Backlund
Modified: 2013-03-02 15:19 CET (History)
3 users (show)

See Also:
Source RPM: kernel-3.4.34-1.mga2
CVE:


Attachments

Description Thomas Backlund 2013-03-01 00:47:09 CET
Advisory:
This updates kernel to upstream stable 3.4.34.

It also fixes the following security issues:

An unprivileged user can send a netlink message resulting in an
out-of-bounds access of the sock_diag_handlers[] array which, in turn,
allows userland to take over control while in kernel mode.
(CVE-2013-1763).

Linux kernel is prone to a local privilege-escalation vulnerability due
to a tmpfs use-after-free error. 
Local attackers can exploit the issue to execute arbitrary code with
kernel privileges or to crash the kernel, effectively denying service
to legitimate users (CVE-2013-1767).

Linux kernel built with Edgeport USB serial converter driver io_ti,
is vulnerable to a NULL pointer dereference flaw. It happens if the
device is disconnected while corresponding /dev/ttyUSB? file is in use.
An unprivileged user could use this flaw to crash the system, resulting
DoS (CVE-2013-1774).

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1763
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1767
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1774
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.34
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.33


i586:
-----
cpupower-3.4.34-1.mga2.i586.rpm
cpupower-devel-3.4.34-1.mga2.i586.rpm
kernel-desktop-3.4.34-1.mga2-1-1.mga2.i586.rpm
kernel-desktop586-3.4.34-1.mga2-1-1.mga2.i586.rpm
kernel-desktop586-devel-3.4.34-1.mga2-1-1.mga2.i586.rpm
kernel-desktop586-devel-latest-3.4.34-1.mga2.i586.rpm
kernel-desktop586-latest-3.4.34-1.mga2.i586.rpm
kernel-desktop-devel-3.4.34-1.mga2-1-1.mga2.i586.rpm
kernel-desktop-devel-latest-3.4.34-1.mga2.i586.rpm
kernel-desktop-latest-3.4.34-1.mga2.i586.rpm
kernel-doc-3.4.34-1.mga2.noarch.rpm
kernel-linus-source-latest-3.4.34-1.mga2.noarch.rpm
kernel-netbook-3.4.34-1.mga2-1-1.mga2.i586.rpm
kernel-netbook-devel-3.4.34-1.mga2-1-1.mga2.i586.rpm
kernel-netbook-devel-latest-3.4.34-1.mga2.i586.rpm
kernel-netbook-latest-3.4.34-1.mga2.i586.rpm
kernel-server-3.4.34-1.mga2-1-1.mga2.i586.rpm
kernel-server-devel-3.4.34-1.mga2-1-1.mga2.i586.rpm
kernel-server-devel-latest-3.4.34-1.mga2.i586.rpm
kernel-server-latest-3.4.34-1.mga2.i586.rpm
kernel-source-3.4.34-1.mga2-1-1.mga2.noarch.rpm
kernel-source-latest-3.4.34-1.mga2.noarch.rpm
kernel-userspace-headers-3.4.34-1.mga2.i586.rpm
perf-3.4.34-1.mga2.i586.rpm

vboxadditions-kernel-3.4.34-desktop-1.mga2-4.1.24-5.mga2.i586.rpm
vboxadditions-kernel-3.4.34-desktop586-1.mga2-4.1.24-5.mga2.i586.rpm
vboxadditions-kernel-3.4.34-netbook-1.mga2-4.1.24-5.mga2.i586.rpm
vboxadditions-kernel-3.4.34-server-1.mga2-4.1.24-5.mga2.i586.rpm
vboxadditions-kernel-desktop586-latest-4.1.24-5.mga2.i586.rpm
vboxadditions-kernel-desktop-latest-4.1.24-5.mga2.i586.rpm
vboxadditions-kernel-netbook-latest-4.1.24-5.mga2.i586.rpm
vboxadditions-kernel-server-latest-4.1.24-5.mga2.i586.rpm

virtualbox-kernel-3.4.34-desktop-1.mga2-4.1.24-4.mga2.i586.rpm
virtualbox-kernel-3.4.34-desktop586-1.mga2-4.1.24-4.mga2.i586.rpm
virtualbox-kernel-3.4.34-netbook-1.mga2-4.1.24-4.mga2.i586.rpm
virtualbox-kernel-3.4.34-server-1.mga2-4.1.24-4.mga2.i586.rpm
virtualbox-kernel-desktop586-latest-4.1.24-4.mga2.i586.rpm
virtualbox-kernel-desktop-latest-4.1.24-4.mga2.i586.rpm
virtualbox-kernel-netbook-latest-4.1.24-4.mga2.i586.rpm
virtualbox-kernel-server-latest-4.1.24-4.mga2.i586.rpm

xtables-addons-kernel-3.4.34-desktop-1.mga2-1.41-22.mga2.i586.rpm
xtables-addons-kernel-3.4.34-desktop586-1.mga2-1.41-22.mga2.i586.rpm
xtables-addons-kernel-3.4.34-netbook-1.mga2-1.41-22.mga2.i586.rpm
xtables-addons-kernel-3.4.34-server-1.mga2-1.41-22.mga2.i586.rpm
xtables-addons-kernel-desktop586-latest-1.41-22.mga2.i586.rpm
xtables-addons-kernel-desktop-latest-1.41-22.mga2.i586.rpm
xtables-addons-kernel-netbook-latest-1.41-22.mga2.i586.rpm
xtables-addons-kernel-server-latest-1.41-22.mga2.i586.rpm

broadcom-wl-kernel-3.4.34-desktop-1.mga2-5.100.82.112-42.mga2.nonfree.i586.rpm
broadcom-wl-kernel-3.4.34-desktop586-1.mga2-5.100.82.112-42.mga2.nonfree.i586.rpm
broadcom-wl-kernel-3.4.34-netbook-1.mga2-5.100.82.112-42.mga2.nonfree.i586.rpm
broadcom-wl-kernel-3.4.34-server-1.mga2-5.100.82.112-42.mga2.nonfree.i586.rpm
broadcom-wl-kernel-desktop586-latest-5.100.82.112-42.mga2.nonfree.i586.rpm
broadcom-wl-kernel-desktop-latest-5.100.82.112-42.mga2.nonfree.i586.rpm
broadcom-wl-kernel-netbook-latest-5.100.82.112-42.mga2.nonfree.i586.rpm
broadcom-wl-kernel-server-latest-5.100.82.112-42.mga2.nonfree.i586.rpm

fglrx-kernel-3.4.34-desktop-1.mga2-8.961-18.mga2.nonfree.i586.rpm
fglrx-kernel-3.4.34-desktop586-1.mga2-8.961-18.mga2.nonfree.i586.rpm
fglrx-kernel-3.4.34-netbook-1.mga2-8.961-18.mga2.nonfree.i586.rpm
fglrx-kernel-3.4.34-server-1.mga2-8.961-18.mga2.nonfree.i586.rpm
fglrx-kernel-desktop586-latest-8.961-18.mga2.nonfree.i586.rpm
fglrx-kernel-desktop-latest-8.961-18.mga2.nonfree.i586.rpm
fglrx-kernel-netbook-latest-8.961-18.mga2.nonfree.i586.rpm
fglrx-kernel-server-latest-8.961-18.mga2.nonfree.i586.rpm

nvidia-current-kernel-3.4.34-desktop-1.mga2-295.71-13.mga2.nonfree.i586.rpm
nvidia-current-kernel-3.4.34-desktop586-1.mga2-295.71-13.mga2.nonfree.i586.rpm
nvidia-current-kernel-3.4.34-netbook-1.mga2-295.71-13.mga2.nonfree.i586.rpm
nvidia-current-kernel-3.4.34-server-1.mga2-295.71-13.mga2.nonfree.i586.rpm
nvidia-current-kernel-desktop586-latest-295.71-13.mga2.nonfree.i586.rpm
nvidia-current-kernel-desktop-latest-295.71-13.mga2.nonfree.i586.rpm
nvidia-current-kernel-netbook-latest-295.71-13.mga2.nonfree.i586.rpm
nvidia-current-kernel-server-latest-295.71-13.mga2.nonfree.i586.rpm


x86_64:
-------
cpupower-3.4.34-1.mga2.x86_64.rpm
cpupower-devel-3.4.34-1.mga2.x86_64.rpm
kernel-desktop-3.4.34-1.mga2-1-1.mga2.x86_64.rpm
kernel-desktop-devel-3.4.34-1.mga2-1-1.mga2.x86_64.rpm
kernel-desktop-devel-latest-3.4.34-1.mga2.x86_64.rpm
kernel-desktop-latest-3.4.34-1.mga2.x86_64.rpm
kernel-doc-3.4.34-1.mga2.noarch.rpm
kernel-netbook-3.4.34-1.mga2-1-1.mga2.x86_64.rpm
kernel-netbook-devel-3.4.34-1.mga2-1-1.mga2.x86_64.rpm
kernel-netbook-devel-latest-3.4.34-1.mga2.x86_64.rpm
kernel-netbook-latest-3.4.34-1.mga2.x86_64.rpm
kernel-server-3.4.34-1.mga2-1-1.mga2.x86_64.rpm
kernel-server-devel-3.4.34-1.mga2-1-1.mga2.x86_64.rpm
kernel-server-devel-latest-3.4.34-1.mga2.x86_64.rpm
kernel-server-latest-3.4.34-1.mga2.x86_64.rpm
kernel-source-3.4.34-1.mga2-1-1.mga2.noarch.rpm
kernel-source-latest-3.4.34-1.mga2.noarch.rpm
kernel-userspace-headers-3.4.34-1.mga2.x86_64.rpm
perf-3.4.34-1.mga2.x86_64.rpm

vboxadditions-kernel-3.4.34-desktop-1.mga2-4.1.24-5.mga2.x86_64.rpm
vboxadditions-kernel-3.4.34-netbook-1.mga2-4.1.24-5.mga2.x86_64.rpm
vboxadditions-kernel-3.4.34-server-1.mga2-4.1.24-5.mga2.x86_64.rpm
vboxadditions-kernel-desktop-latest-4.1.24-5.mga2.x86_64.rpm
vboxadditions-kernel-netbook-latest-4.1.24-5.mga2.x86_64.rpm
vboxadditions-kernel-server-latest-4.1.24-5.mga2.x86_64.rpm

virtualbox-kernel-3.4.34-desktop-1.mga2-4.1.24-4.mga2.x86_64.rpm
virtualbox-kernel-3.4.34-netbook-1.mga2-4.1.24-4.mga2.x86_64.rpm
virtualbox-kernel-3.4.34-server-1.mga2-4.1.24-4.mga2.x86_64.rpm
virtualbox-kernel-desktop-latest-4.1.24-4.mga2.x86_64.rpm
virtualbox-kernel-netbook-latest-4.1.24-4.mga2.x86_64.rpm
virtualbox-kernel-server-latest-4.1.24-4.mga2.x86_64.rpm

xtables-addons-kernel-3.4.34-desktop-1.mga2-1.41-22.mga2.x86_64.rpm
xtables-addons-kernel-3.4.34-netbook-1.mga2-1.41-22.mga2.x86_64.rpm
xtables-addons-kernel-3.4.34-server-1.mga2-1.41-22.mga2.x86_64.rpm
xtables-addons-kernel-desktop-latest-1.41-22.mga2.x86_64.rpm
xtables-addons-kernel-netbook-latest-1.41-22.mga2.x86_64.rpm
xtables-addons-kernel-server-latest-1.41-22.mga2.x86_64.rpm

broadcom-wl-kernel-3.4.34-desktop-1.mga2-5.100.82.112-42.mga2.nonfree.x86_64.rpm
broadcom-wl-kernel-3.4.34-netbook-1.mga2-5.100.82.112-42.mga2.nonfree.x86_64.rpm
broadcom-wl-kernel-3.4.34-server-1.mga2-5.100.82.112-42.mga2.nonfree.x86_64.rpm
broadcom-wl-kernel-desktop-latest-5.100.82.112-42.mga2.nonfree.x86_64.rpm
broadcom-wl-kernel-netbook-latest-5.100.82.112-42.mga2.nonfree.x86_64.rpm
broadcom-wl-kernel-server-latest-5.100.82.112-42.mga2.nonfree.x86_64.rpm

fglrx-kernel-3.4.34-desktop-1.mga2-8.961-18.mga2.nonfree.x86_64.rpm
fglrx-kernel-3.4.34-netbook-1.mga2-8.961-18.mga2.nonfree.x86_64.rpm
fglrx-kernel-3.4.34-server-1.mga2-8.961-18.mga2.nonfree.x86_64.rpm
fglrx-kernel-desktop-latest-8.961-18.mga2.nonfree.x86_64.rpm
fglrx-kernel-netbook-latest-8.961-18.mga2.nonfree.x86_64.rpm
fglrx-kernel-server-latest-8.961-18.mga2.nonfree.x86_64.rpm

nvidia-current-kernel-3.4.34-desktop-1.mga2-295.71-13.mga2.nonfree.x86_64.rpm
nvidia-current-kernel-3.4.34-netbook-1.mga2-295.71-13.mga2.nonfree.x86_64.rpm
nvidia-current-kernel-3.4.34-server-1.mga2-295.71-13.mga2.nonfree.x86_64.rpm
nvidia-current-kernel-desktop-latest-295.71-13.mga2.nonfree.x86_64.rpm
nvidia-current-kernel-netbook-latest-295.71-13.mga2.nonfree.x86_64.rpm
nvidia-current-kernel-server-latest-295.71-13.mga2.nonfree.x86_64.rpm


SRPMS:
------
kernel-3.4.34-1.mga2.src.rpm
kernel-userspace-headers-3.4.34-1.mga2.src.rpm
kmod-vboxadditions-4.1.24-5.mga2.src.rpm
kmod-virtualbox-4.1.24-4.mga2.src.rpm
kmod-xtables-addons-1.41-22.mga2.src.rpm

kmod-broadcom-wl-5.100.82.112-42.mga2.nonfree.src.rpm
kmod-fglrx-8.961-18.mga2.nonfree.src.rpm
kmod-nvidia-current-295.71-13.mga2.nonfree.src.rpm


Reproducible: 

Steps to Reproduce:
Comment 1 claire robinson 2013-03-01 09:43:33 CET
PoC: http://www.securityfocus.com/bid/58137/exploit
Comment 2 claire robinson 2013-03-01 10:24:22 CET
Confirmed we're vulnerable using this one:
http://downloads.securityfocus.com/vulnerabilities/exploits/58137_1.c

Saved it as kbug.c

$ gcc -o kbug kbug.c 
kbug.c: In function ‘main’:
kbug.c:55:3: warning: incompatible implicit declaration of built-in function ‘memcpy’ [enabled by default]
kbug.c:55:3: warning: passing argument 1 of ‘memcpy’ makes pointer from integer without a cast [enabled by default]
kbug.c:55:3: note: expected ‘void *’ but argument is of type ‘int’
kbug.c:59:10: warning: incompatible implicit declaration of built-in function ‘execl’ [enabled by default]

Shows warnings but does work. Escalates privileges to root. 

$ ./kbug
-sh-4.2# cd /root
-sh-4.2# ls
drakx/  tmp/
-sh-4.2# touch test
-sh-4.2# ls
drakx/  test  tmp/
-sh-4.2# ls -l test
-rw-r--r-- 1 root root 0 Mar  1 09:19 test
-sh-4.2# exit

Testing x86_64
Comment 3 claire robinson 2013-03-01 13:35:50 CET
Installed all the kernels and -latest from the list and started MageiaUpdate from terminal so I could watch the output.

Ensured all dkms were installed on all kernels as the updates installed and none were missed:

DKMS: install Completed.
vboxadditions, 4.1.24-1.mga2, 3.4.32-netbook-2.mga2, x86_64: installed-binary from 3.4.32-netbook-2.mga2
vboxadditions, 4.1.24-1.mga2, 3.4.32-server-2.mga2, x86_64: installed-binary from 3.4.32-server-2.mga2
vboxadditions, 4.1.24-1.mga2, 3.4.34-server-1.mga2, x86_64: installed-binary from 3.4.34-server-1.mga2
vboxadditions, 4.1.24-1.mga2, 3.4.34-netbook-1.mga2, x86_64: installed-binary from 3.4.34-netbook-1.mga2
vboxadditions, 4.1.24-1.mga2, 3.4.32-desktop-2.mga2, x86_64: installed-binary from 3.4.32-desktop-2.mga2
vboxadditions, 4.1.24-1.mga2, 3.4.34-desktop-1.mga2, x86_64: installed-binary from 3.4.34-desktop-1.mga2

DKMS: install Completed.
xtables-addons, 1.41-3.mga2, 3.4.32-netbook-2.mga2, x86_64: installed-binary from 3.4.32-netbook-2.mga2
xtables-addons, 1.41-3.mga2, 3.4.32-server-2.mga2, x86_64: installed-binary from 3.4.32-server-2.mga2
xtables-addons, 1.41-3.mga2, 3.4.34-server-1.mga2, x86_64: installed-binary from 3.4.34-server-1.mga2
xtables-addons, 1.41-3.mga2, 3.4.34-netbook-1.mga2, x86_64: installed-binary from 3.4.34-netbook-1.mga2
xtables-addons, 1.41-3.mga2, 3.4.32-desktop-2.mga2, x86_64: installed-binary from 3.4.32-desktop-2.mga2
xtables-addons, 1.41-3.mga2, 3.4.34-desktop-1.mga2, x86_64: installed-binary from 3.4.34-desktop-1.mga2

DKMS: install Completed.
virtualbox, 4.1.24-1.mga2, 3.4.32-netbook-2.mga2, x86_64: installed-binary from 3.4.32-netbook-2.mga2
virtualbox, 4.1.24-1.mga2, 3.4.32-server-2.mga2, x86_64: installed-binary from 3.4.32-server-2.mga2
virtualbox, 4.1.24-1.mga2, 3.4.34-server-1.mga2, x86_64: installed-binary from 3.4.34-server-1.mga2
virtualbox, 4.1.24-1.mga2, 3.4.34-netbook-1.mga2, x86_64: installed-binary from 3.4.34-netbook-1.mga2
virtualbox, 4.1.24-1.mga2, 3.4.32-desktop-2.mga2, x86_64: installed-binary from 3.4.32-desktop-2.mga2
virtualbox, 4.1.24-1.mga2, 3.4.34-desktop-1.mga2, x86_64: installed-binary from 3.4.34-desktop-1.mga2

DKMS: install Completed.
fglrx, 8.961-2.mga2.nonfree, 3.4.32-netbook-2.mga2, x86_64: installed-binary from 3.4.32-netbook-2.mga2
fglrx, 8.961-2.mga2.nonfree, 3.4.32-server-2.mga2, x86_64: installed-binary from 3.4.32-server-2.mga2
fglrx, 8.961-2.mga2.nonfree, 3.4.34-server-1.mga2, x86_64: installed-binary from 3.4.34-server-1.mga2
fglrx, 8.961-2.mga2.nonfree, 3.4.34-netbook-1.mga2, x86_64: installed-binary from 3.4.34-netbook-1.mga2
fglrx, 8.961-2.mga2.nonfree, 3.4.32-desktop-2.mga2, x86_64: installed-binary from 3.4.32-desktop-2.mga2
fglrx, 8.961-2.mga2.nonfree, 3.4.34-desktop-1.mga2, x86_64: installed-binary from 3.4.34-desktop-1.mga2

DKMS: install Completed.
broadcom-wl, 5.100.82.112-7.mga2.nonfree, 3.4.32-netbook-2.mga2, x86_64: installed-binary from 3.4.32-netbook-2.mga2
broadcom-wl, 5.100.82.112-7.mga2.nonfree, 3.4.32-server-2.mga2, x86_64: installed-binary from 3.4.32-server-2.mga2
broadcom-wl, 5.100.82.112-7.mga2.nonfree, 3.4.34-server-1.mga2, x86_64: installed-binary from 3.4.34-server-1.mga2
broadcom-wl, 5.100.82.112-7.mga2.nonfree, 3.4.34-netbook-1.mga2, x86_64: installed-binary from 3.4.34-netbook-1.mga2
broadcom-wl, 5.100.82.112-7.mga2.nonfree, 3.4.32-desktop-2.mga2, x86_64: installed-binary from 3.4.32-desktop-2.mga2
broadcom-wl, 5.100.82.112-7.mga2.nonfree, 3.4.34-desktop-1.mga2, x86_64: installed-binary from 3.4.34-desktop-1.mga2

DKMS: install Completed.
nvidia-current, 295.71-1.mga2.nonfree, 3.4.32-netbook-2.mga2, x86_64: installed-binary from 3.4.32-netbook-2.mga2
nvidia-current, 295.71-1.mga2.nonfree, 3.4.32-server-2.mga2, x86_64: installed-binary from 3.4.32-server-2.mga2
nvidia-current, 295.71-1.mga2.nonfree, 3.4.34-server-1.mga2, x86_64: installed-binary from 3.4.34-server-1.mga2
nvidia-current, 295.71-1.mga2.nonfree, 3.4.34-netbook-1.mga2, x86_64: installed-binary from 3.4.34-netbook-1.mga2
nvidia-current, 295.71-1.mga2.nonfree, 3.4.32-desktop-2.mga2, x86_64: installed-binary from 3.4.32-desktop-2.mga2
nvidia-current, 295.71-1.mga2.nonfree, 3.4.34-desktop-1.mga2, x86_64: installed-binary from 3.4.34-desktop-1.mga2


Rebooted into each kernel checked with uname -a, recompiled the PoC for each one (not sure this is necessary) and checked to ensure it failed.

$ ./kbug
-sh-4.2$ whoami
claire
-sh-4.2$ cd /root
-sh: cd: /root: Permission denied

Also checked with dkms after the reboot, eg:

# dkms status -m virtualbox -v 4.1.24-1.mga2
virtualbox, 4.1.24-1.mga2, 3.4.32-netbook-2.mga2, x86_64: installed-binary from 3.4.32-netbook-2.mga2
virtualbox, 4.1.24-1.mga2, 3.4.32-server-2.mga2, x86_64: installed-binary from 3.4.32-server-2.mga2
virtualbox, 4.1.24-1.mga2, 3.4.34-server-1.mga2, x86_64: installed-binary from 3.4.34-server-1.mga2
virtualbox, 4.1.24-1.mga2, 3.4.34-netbook-1.mga2, x86_64: installed-binary from 3.4.34-netbook-1.mga2
virtualbox, 4.1.24-1.mga2, 3.4.32-desktop-2.mga2, x86_64: installed-binary from 3.4.32-desktop-2.mga2
virtualbox, 4.1.24-1.mga2, 3.4.34-desktop-1.mga2, x86_64: installed-binary from 3.4.34-desktop-1.mga2

It takes a long time to respond but shows all updates applied ok.
Comment 4 Philippe Didier 2013-03-02 00:33:23 CET
kernel-server-3.4.34-1.mga2-1-1.mga2.i586.rpm
kernel-server-devel-3.4.34-1.mga2-1-1.mga2.i586.rpm
installed on MGA2 32 bits

the nvidia module is built by dkms during the installation

Booting on it is OK (the nvidia module is used)
No regression found

I didn't test the vulnerability

Philippe
Comment 5 Dave Hodgins 2013-03-02 02:31:08 CET
Also tested Mageia 2 i586.  The poc doesn't work on i586, so
just testing that the updating works properly, etc.

Validating the update.

Could someone from the sysadmin team push the
kernel-3.4.34-1.mga2  srpms
from Mageia 2 updates testing to updates.

See Description for list of srpms and advisory.
Comment 6 Thomas Backlund 2013-03-02 15:19:13 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0079

Note You need to log in before you can comment on or make changes to this bug.