Bug 9954 - Update request: kernel-linus-3.4.45-1.mga2
: Update request: kernel-linus-3.4.45-1.mga2
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
:
: mga2-64-ok MGA2-32-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-05-02 22:59 CEST by Thomas Backlund
Modified: 2013-05-17 22:10 CEST (History)
2 users (show)

See Also:
Source RPM: kernel-linus-3.4.45-1.mga2.src.rpm
CVE:
Status comment:


Attachments

Description Thomas Backlund 2013-05-02 22:59:36 CEST
Fixes:
- fixes several CVEs, advisory will be written in a day or so...


SRPMS:
kernel-linus-3.4.43-1.mga2.src.rpm

i586:
kernel-linus-3.4.43-1.mga2-1-1.mga2.i586.rpm
kernel-linus-devel-3.4.43-1.mga2-1-1.mga2.i586.rpm
kernel-linus-devel-latest-3.4.43-1.mga2.i586.rpm
kernel-linus-doc-3.4.43-1.mga2.noarch.rpm
kernel-linus-latest-3.4.43-1.mga2.i586.rpm
kernel-linus-source-3.4.43-1.mga2-1-1.mga2.noarch.rpm
kernel-linus-source-latest-3.4.43-1.mga2.noarch.rpm

x86_64:
kernel-linus-3.4.43-1.mga2-1-1.mga2.x86_64.rpm
kernel-linus-devel-3.4.43-1.mga2-1-1.mga2.x86_64.rpm
kernel-linus-devel-latest-3.4.43-1.mga2.x86_64.rpm
kernel-linus-doc-3.4.43-1.mga2.noarch.rpm
kernel-linus-latest-3.4.43-1.mga2.x86_64.rpm
kernel-linus-source-3.4.43-1.mga2-1-1.mga2.noarch.rpm
kernel-linus-source-latest-3.4.43-1.mga2.noarch.rpm


Reproducible: 

Steps to Reproduce:
Comment 1 claire robinson 2013-05-03 17:45:06 CEST
Testing complete mga2 32

Installed rebooted, suspended, resumed.

Checked dkms builds..
# dkms status | grep 3.4.43
virtualbox, 4.1.24-1.mga2, 3.4.43-1.mga2, i586: installed

Installed a random dkms module (dkms-broadcom-wl) to make sure it compiled ok, which it did.
Comment 2 claire robinson 2013-05-03 17:47:45 CEST
Note to other testers: kernel-linus doesn't update grub to be the default boot kernel so to boot the new kernel you need to select it manually.

You can check which kernel you're booted into with:
# uname -r
3.4.43-1.mga2
Comment 3 Thomas Backlund 2013-05-07 10:27:41 CEST

Taking it back, 3.4.44 will land tomorrow with more CVEs fixed.
Comment 4 Thomas Backlund 2013-05-09 20:16:32 CEST
Advisory:

This updates kernel to upstream stable 3.4.44.

It also fixes the following security issues:

A security flaw was found in the way "/dev/ptmx", a character device used
to create a pseudo-terminal master (PTM) and slave (PTS) pair, of the
Linux kernel, used to transmit data through the PTM when a keystroke was
pressed. An  unprivileged, local user could use this flaw to determine
inter-keystroke timing (measure latency between keystrokes), possibly
allowing them to determine effective length of an password being typed in.
(CVE-2013-0160)

A flaw was found in the way the vhost kernel module handled descriptors
that spanned multiple regions. A privileged guest user in a KVM guest
could use this flaw to crash the host or, potentially, escalate their
privileges on the host. (CVE-2013-0311)

An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way the Intel i915 driver in the Linux kernel handled the
allocation of the buffer used for relocation copies. A local user with
console access could use this flaw to cause a denial of service or
escalate their privileges. (CVE-2013-0913)

The flush_signal_handlers function in kernel/signal.c in the Linux kernel
before 3.8.4 preserves the value of the sa_restorer field across an exec
operation, which makes it easier for local users to bypass the ASLR
protection mechanism via a crafted application containing a sigaction
system call. (CVE-2013-0914)

A NULL pointer dereference was found in the Linux kernel's USB Inside
Out Edgeport Serial Driver implementation. An attacker with physical
access to a system could use this flaw to cause a denial of service.
(CVE-2013-1774)

A race condition in install_user_keyrings(), leading to a NULL pointer
dereference, was found in the key management facility. A local,
unprivileged user could use this flaw to cause a denial of service.
(CVE-2013-1792)

A flaw was found in the way KVM handled guest time updates when the
buffer the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine
state register (MSR) crossed a page boundary. A privileged guest user
could use this flaw to crash the host or, potentially, escalate their
privileges, allowing them to execute arbitrary code at the host kernel
level. (CVE-2013-1796)

A potential use-after-free flaw was found in the way KVM handled guest
time updates when the GPA (guest physical address) the guest registered
by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) fell
into a movable or removable memory region of the hosting user-space
process (by default, QEMU-KVM) on the host. If that memory region is
deregistered from KVM using KVM_SET_USER_MEMORY_REGION and the allocated
virtual memory reused, a privileged guest user could potentially use this
flaw to escalate their privileges on the host. (CVE-2013-1797)

A flaw was found in the way KVM emulated IOAPIC (I/O Advanced
Programmable Interrupt Controller). A missing validation check in the
ioapic_read_indirect() function could allow a privileged guest user to
crash the host, or read a substantial portion of host kernel memory.
(CVE-2013-1798)

fs/ext3/super.c in the Linux kernel before 3.8.4 uses incorrect arguments
to functions in certain circumstances related to printk input, which
allows local users to conduct format-string attacks and possibly gain
privileges via a crafted application. (CVE-2013-1848)

Heap-based buffer overflow in the wdm_in_callback function in 
drivers/usb/class/cdc-wdm.c in the Linux kernel before 3.8.4 allows
physically proximate attackers to cause a denial of service (system crash)
or possibly execute arbitrary code via a crafted cdc-wdm USB device.
(CVE-2013-1860)

The do_video_set_spu_palette function in fs/compat_ioctl.c in the Linux 
kernel before 3.6.5 on unspecified architectures lacks a certain error
check, which might allow local users to obtain sensitive information from
kernel stack memory via a crafted VIDEO_SET_SPU_PALETTE ioctl call on a
/dev/dvb device. (CVE-2013-1928)

Linux kernel built with the Broadcom tg3 ethernet driver is vulnerable
to a buffer overflow. This could occur when the tg3 driver reads and
copies firmware string from hardware's product data(VPD), if it exceeds
32 characters. A user with physical access to a machine could use this
flaw to crash the system or, potentially, escalate their privileges on
the system. (CVE-2013-1929)

The scm_set_cred function in include/net/scm.h in the Linux kernel before
3.8.11 uses incorrect uid and gid values during credentials passing, which
allows local users to gain privileges via a crafted application.
(CVE-2013-1979)

The report API in the crypto user configuration API in the Linux kernel
through 3.8.2 uses an incorrect C library function for copying strings,
which allows local users to obtain sensitive information from kernel
stack memory by leveraging the CAP_NET_ADMIN capability. (CVE-2013-2546)

The crypto_report_one function in crypto/crypto_user.c in the reportAPI
in the crypto user configuration API in the Linux kernel through 3.8.2
does not initialize certain structure members, which allows local users
to obtain sensitive information from kernel heap memory by leveraging
the CAP_NET_ADMIN capability. (CVE-2013-2547)

The crypto_report_one function in crypto/crypto_user.c in the report API
in the crypto user configuration API in the Linux kernel through 3.8.2
uses an incorrect length value during a copy operation, whichallows local
users to obtain sensitive information from kernel memory by leveraging
the CAP_NET_ADMIN capability. (CVE-2013-2548)

net/dcb/dcbnl.c in the Linux kernel before 3.8.4 does not initialize
certain structures, which allows local users to obtain sensitive
information from kernel stack memory via a crafted application.
(CVE-2013-2634)

The rtnl_fill_ifinfo function in net/core/rtnetlink.c in the Linux kernel
before 3.8.4 does not initialize a certain structure member, which allows
local users to obtain sensitive information from kernel stack memory via
a crafted application. (CVE-2013-2635)

net/bridge/br_mdb.c in the Linux kernel before 3.8.4 does not initialize
certain structures, which allows local users to obtain sensitive
information from kernel memory via a crafted application. (CVE-2013-2636)

The crypto API in the Linux kernel through 3.9-rc8 does not initialize
certain length variables, which allows local users to obtain sensitive
information from kernel stack memory via a crafted recvmsg or recvfrom
system call, related to the hash_recvmsg function in crypto/algif_hash.c
and the skcipher_recvmsg function in crypto/algif_skcipher.c.
(CVE-2013-3076)

The vcc_recvmsg function in net/atm/common.c in the Linux kernel before
3.9-rc7 does not initialize a certain length variable, which allows local
users to obtain sensitive information from kernel stack memory via a
crafted recvmsg or recvfrom system call. (CVE-2013-3222)

The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel before
3.9-rc7 does not initialize a certain data structure, which allows local
users to obtain sensitive information from kernel stack memory via a
crafted recvmsg or recvfrom system call. (CVE-2013-3223)

The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux
kernel before 3.9-rc7 does not properly initialize a certain length
variable, which allows local users to obtain sensitive information from
kernel stack memory via a crafted recvmsg or recvfrom system call.
(CVE-2013-3224)

The rfcomm_sock_recvmsg function in net/bluetooth/rfcomm/sock.c in the
Linux kernel before 3.9-rc7 does not initialize a certain length variable,
which allows local users to obtain sensitive information from kernel stack
memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3225)

The caif_seqpkt_recvmsg function in net/caif/caif_socket.c in the Linux
kernel before 3.9-rc7 does not initialize a certain length variable, which
allows local users to obtain sensitive information from kernel stack
memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3227)

The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel
before 3.9-rc7 does not initialize a certain length variable, which allows
local users to obtain sensitive information from kernel stack memory via
a crafted recvmsg or recvfrom system call. (CVE-2013-3228)

The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel
before 3.9-rc7 does not initialize a certain length variable, which allows
local users to obtain sensitive information from kernel stack memory via
a crafted recvmsg or recvfrom system call. (CVE-2013-3229)

The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel before
3.9-rc7 does not initialize a certain length variable, which allows local
users to obtain sensitive information from kernel stack memory via a
crafted recvmsg or recvfrom system call. (CVE-2013-3231)

The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel
before 3.9-rc7 does not initialize a certain data structure, which allows
local users to obtain sensitive information from kernel stack memory via
a crafted recvmsg or recvfrom system call. (CVE-2013-3232)


The llcp_sock_recvmsg function in net/nfc/llcp/sock.c in the Linux kernel
before 3.9-rc7 does not initialize a certain length variable and a certain
data structure, which allows local users to obtain sensitive information
from kernel stack memory via a crafted recvmsg or recvfrom system call. 
(CVE-2013-3233)

The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel before
3.9-rc7 does not initialize a certain data structure, which allows local
users to obtain sensitive information from kernel stack memory via a
crafted recvmsg or recvfrom system call. (CVE-2013-3234)

net/tipc/socket.c in the Linux kernel before 3.9-rc7 does not initialize
a certain data structure and a certain length variable, which allows local
users to obtain sensitive information from kernel stack memory via a
crafted recvmsg or recvfrom system call. (CVE-2013-3235)

Other changes:
For other changes in the -stable kernels, see the referenced changelogs.


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0160
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0311
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0913
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0914
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1774
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1792
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1796
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1860
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1928
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1929
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1979
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2546
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2547
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2548
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2634
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2635
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2636
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3076
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3222
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3223
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3224
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3225
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3227
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3228
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3229
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3232
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3233
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3234
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3235
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.35
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.36
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.37
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.38
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.39
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.40
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.41
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.42
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.43
http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.4.44
https://bugs.mageia.org/show_bug.cgi?id=9954
Comment 5 Thomas Backlund 2013-05-09 20:20:34 CEST
SRPMS:
kernel-linus-3.4.44-1.mga2.src.rpm

i586:
kernel-linus-3.4.44-1.mga2-1-1.mga2.i586.rpm
kernel-linus-devel-3.4.44-1.mga2-1-1.mga2.i586.rpm
kernel-linus-devel-latest-3.4.44-1.mga2.i586.rpm
kernel-linus-doc-3.4.44-1.mga2.noarch.rpm
kernel-linus-latest-3.4.44-1.mga2.i586.rpm
kernel-linus-source-3.4.44-1.mga2-1-1.mga2.noarch.rpm
kernel-linus-source-latest-3.4.44-1.mga2.noarch.rpm

x86_64:
kernel-linus-3.4.44-1.mga2-1-1.mga2.x86_64.rpm
kernel-linus-devel-3.4.44-1.mga2-1-1.mga2.x86_64.rpm
kernel-linus-devel-latest-3.4.44-1.mga2.x86_64.rpm
kernel-linus-doc-3.4.44-1.mga2.noarch.rpm
kernel-linus-latest-3.4.44-1.mga2.x86_64.rpm
kernel-linus-source-3.4.44-1.mga2-1-1.mga2.noarch.rpm
kernel-linus-source-latest-3.4.44-1.mga2.noarch.rpm
Comment 6 Thomas Backlund 2013-05-10 12:51:13 CEST
and taking it back... 3.4.45 is being "rushed out" tomorrow for another security fix...
Comment 7 Thomas Backlund 2013-05-12 19:54:37 CEST
And 3.4.45 is ready for test:

SRPMS:
kernel-linus-3.4.45-1.mga2.src.rpm

i586:
kernel-linus-3.4.45-1.mga2-1-1.mga2.i586.rpm
kernel-linus-devel-3.4.45-1.mga2-1-1.mga2.i586.rpm
kernel-linus-devel-latest-3.4.45-1.mga2.i586.rpm
kernel-linus-doc-3.4.45-1.mga2.noarch.rpm
kernel-linus-latest-3.4.45-1.mga2.i586.rpm
kernel-linus-source-3.4.45-1.mga2-1-1.mga2.noarch.rpm
kernel-linus-source-latest-3.4.45-1.mga2.noarch.rpm

x86_64:
kernel-linus-3.4.45-1.mga2-1-1.mga2.x86_64.rpm
kernel-linus-devel-3.4.45-1.mga2-1-1.mga2.x86_64.rpm
kernel-linus-devel-latest-3.4.45-1.mga2.x86_64.rpm
kernel-linus-doc-3.4.45-1.mga2.noarch.rpm
kernel-linus-latest-3.4.45-1.mga2.x86_64.rpm
kernel-linus-source-3.4.45-1.mga2-1-1.mga2.noarch.rpm
kernel-linus-source-latest-3.4.45-1.mga2.noarch.rpm
Comment 8 Dave Hodgins 2013-05-17 03:57:43 CEST
Testing complete on Mageia 2 i586 and x86_64.

Could someone from the sysadmin push the kernel updates
from Mageia 2 Core Updates Testing to Core Updates.

See above for list of srpms and advisory.
Comment 9 Thomas Backlund 2013-05-17 22:10:52 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0148

Note You need to log in before you can comment on or make changes to this bug.