Bug 9210 - Update request: kernel-tmb-3.4.34-1.mga2
Summary: Update request: kernel-tmb-3.4.34-1.mga2
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 2
Hardware: All Linux
Priority: High critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA2-64-OK MGA2-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-03-01 00:47 CET by Thomas Backlund
Modified: 2013-03-02 15:21 CET (History)
2 users (show)

See Also:
Source RPM: kernel-tmb-3.4.34-1.mga2
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Thomas Backlund 2013-03-01 00:47:30 CET 
Advisory:
This updates kernel-tmb to upstream stable 3.4.34.

It also fixes the following security issues:

An unprivileged user can send a netlink message resulting in an
out-of-bounds access of the sock_diag_handlers[] array which, in turn,
allows userland to take over control while in kernel mode.
(CVE-2013-1763).

Linux kernel is prone to a local privilege-escalation vulnerability due
to a tmpfs use-after-free error. 
Local attackers can exploit the issue to execute arbitrary code with
kernel privileges or to crash the kernel, effectively denying service
to legitimate users (CVE-2013-1767).

Linux kernel built with Edgeport USB serial converter driver io_ti,
is vulnerable to a NULL pointer dereference flaw. It happens if the
device is disconnected while corresponding /dev/ttyUSB? file is in use.
An unprivileged user could use this flaw to crash the system, resulting
DoS (CVE-2013-1774).

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1763
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1767
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1774
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.34
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.33


i586:
-----
kernel-tmb-desktop-3.4.34-1.mga2-1-1.mga2.i586.rpm
kernel-tmb-desktop586-3.4.34-1.mga2-1-1.mga2.i586.rpm
kernel-tmb-desktop586-devel-3.4.34-1.mga2-1-1.mga2.i586.rpm
kernel-tmb-desktop586-devel-latest-3.4.34-1.mga2.i586.rpm
kernel-tmb-desktop586-latest-3.4.34-1.mga2.i586.rpm
kernel-tmb-desktop-devel-3.4.34-1.mga2-1-1.mga2.i586.rpm
kernel-tmb-desktop-devel-latest-3.4.34-1.mga2.i586.rpm
kernel-tmb-desktop-latest-3.4.34-1.mga2.i586.rpm
kernel-tmb-laptop-3.4.34-1.mga2-1-1.mga2.i586.rpm
kernel-tmb-laptop-devel-3.4.34-1.mga2-1-1.mga2.i586.rpm
kernel-tmb-laptop-devel-latest-3.4.34-1.mga2.i586.rpm
kernel-tmb-laptop-latest-3.4.34-1.mga2.i586.rpm
kernel-tmb-server-3.4.34-1.mga2-1-1.mga2.i586.rpm
kernel-tmb-server-devel-3.4.34-1.mga2-1-1.mga2.i586.rpm
kernel-tmb-server-devel-latest-3.4.34-1.mga2.i586.rpm
kernel-tmb-server-latest-3.4.34-1.mga2.i586.rpm
kernel-tmb-source-3.4.34-1.mga2-1-1.mga2.noarch.rpm
kernel-tmb-source-latest-3.4.34-1.mga2.noarch.rpm

x86_64:
-------
kernel-tmb-desktop-3.4.34-1.mga2-1-1.mga2.x86_64.rpm
kernel-tmb-desktop-devel-3.4.34-1.mga2-1-1.mga2.x86_64.rpm
kernel-tmb-desktop-devel-latest-3.4.34-1.mga2.x86_64.rpm
kernel-tmb-desktop-latest-3.4.34-1.mga2.x86_64.rpm
kernel-tmb-laptop-3.4.34-1.mga2-1-1.mga2.x86_64.rpm
kernel-tmb-laptop-devel-3.4.34-1.mga2-1-1.mga2.x86_64.rpm
kernel-tmb-laptop-devel-latest-3.4.34-1.mga2.x86_64.rpm
kernel-tmb-laptop-latest-3.4.34-1.mga2.x86_64.rpm
kernel-tmb-server-3.4.34-1.mga2-1-1.mga2.x86_64.rpm
kernel-tmb-server-devel-3.4.34-1.mga2-1-1.mga2.x86_64.rpm
kernel-tmb-server-devel-latest-3.4.34-1.mga2.x86_64.rpm
kernel-tmb-server-latest-3.4.34-1.mga2.x86_64.rpm
kernel-tmb-source-3.4.34-1.mga2-1-1.mga2.noarch.rpm
kernel-tmb-source-latest-3.4.34-1.mga2.noarch.rpm

SRPMS:
------
kernel-tmb-3.4.34-1.mga2.src.rpm


Reproducible: 

Steps to Reproduce:
Thomas Backlund 2013-03-01 00:47:38 CET

Priority: Normal => High

Comment 1 claire robinson 2013-03-01 09:44:07 CET 
PoC: http://www.securityfocus.com/bid/58137/exploit
Comment 2 claire robinson 2013-03-01 18:13:29 CET 
Testing x86_64
Comment 3 claire robinson 2013-03-01 19:41:07 CET 
The dkms modules for the kernel in use are not built at the time the updates are applied. They are built for the other kernels.

# dkms status -m vboxadditions -v 4.1.24-1.mga2
vboxadditions, 4.1.24-1.mga2, 3.4.32-tmb-laptop-2.mga2, x86_64: installed 
vboxadditions, 4.1.24-1.mga2, 3.4.34-tmb-desktop-1.mga2, x86_64: installed 
vboxadditions, 4.1.24-1.mga2, 3.4.32-tmb-desktop-2.mga2, x86_64: installed 
vboxadditions, 4.1.24-1.mga2, 3.4.34-tmb-server-1.mga2, x86_64: installed 
vboxadditions, 4.1.24-1.mga2, 3.4.32-tmb-server-2.mga2, x86_64: installed 


# uname -a
Linux localhost 3.4.32-tmb-laptop-2.mga2 #1 SMP Mon Feb 18 21:36:53 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

They are built on reboot though so not sure if this is expected.

# dkms status -m vboxadditions -v 4.1.24-1.mga2
vboxadditions, 4.1.24-1.mga2, 3.4.32-tmb-laptop-2.mga2, x86_64: installed 
vboxadditions, 4.1.24-1.mga2, 3.4.34-tmb-desktop-1.mga2, x86_64: installed 
vboxadditions, 4.1.24-1.mga2, 3.4.34-tmb-laptop-1.mga2, x86_64: installed 
vboxadditions, 4.1.24-1.mga2, 3.4.32-tmb-desktop-2.mga2, x86_64: installed 
vboxadditions, 4.1.24-1.mga2, 3.4.34-tmb-server-1.mga2, x86_64: installed 
vboxadditions, 4.1.24-1.mga2, 3.4.32-tmb-server-2.mga2, x86_64: installed 

# uname -a
Linux localhost 3.4.34-tmb-laptop-1.mga2 #1 SMP Thu Feb 28 22:05:06 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

It doesn't appear to make it into the initrd though. It's not until it loads the module during boot that the mouse is freed for instance.

Apart from this all boot ok and the PoC is closed so if that is 'normal' then mga2-64-ok
Comment 4 Dave Hodgins 2013-03-02 02:30:50 CET 
Testing complete on Mageia 2 i586.  The poc doesn't work on i586, so
just testing that the updating works properly, etc.

Validating the update.

Could someone from the sysadmin team push the
 kernel-tmb-3.4.34-1.mga2  srpms
from Mageia 2 updates testing to updates.

See Description for list of srpms and advisory.

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA2-64-OK MGA2-32-OK

Comment 5 Thomas Backlund 2013-03-02 15:21:55 CET 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0080

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.