Bug 45242 - linux: Multiple security issues (4.2)
linux: Multiple security issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2-2-errata
Assigned To: Philipp Hahn
Erik Damrose
https://hutten.knut.univention.de/med...
:
Depends on: 45471
Blocks: 45981
  Show dependency treegraph
 
Reported: 2017-08-22 15:06 CEST by Arvid Requate
Modified: 2020-01-22 08:44 CET (History)
3 users (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017091521000331
Bug group (optional): Security
Max CVSS v3 score: 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2017-08-22 15:06:47 CEST
Upstream Debian stretch-security package version 4.9.30-2+deb9u3 fixes these issues:

* [x86] drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl() (CVE-2017-7346)
* rxrpc: Fix several cases where a padded len isn't checked in ticket decode (CVE-2017-7482)
* brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() (CVE-2017-7541)
* ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
* [x86] drm/vmwgfx: Make sure backup_handle is always valid (CVE-2017-9605)
* drm/virtio: don't leak bo on drm_gem_object_init failure (CVE-2017-10810)
* xen-blkback: don't leak stack data via response ring (CVE-2017-10911)
* mqueue: fix a use-after-free in sys_mq_notify() (CVE-2017-11176)
* fs/exec.c: account for argv/envp pointers (CVE-2017-1000365)
* dentry name snapshots (CVE-2017-7533)

Additionally I find these security related commits in v4.9.33..v4.9.43:

git log v4.9.33..v4.9.34
CVE-2017-1000364: 1be7107fbe18eed3e319a6c3e83c78254b693acb
git log v4.9.34..v4.9.35
CVE-2017-7482: 5f2f97656ada8d811d3c1bef503ced266fcd53a0
CVE-2017-1000365: 98da7d08850fb8bdeb395d6368ed15753304aa0c
CVE-2017-10911: 089bc0143f489bd3a4578bdff5f4ca68fb26f341
git log v4.9.35..v4.9.36
git log v4.9.36..v4.9.37
CVE-2017-10810: 385aee965b4e4c36551c362a334378d2985b722a
git log v4.9.37..v4.9.38
CVE-2017-11176: f991af3daabaecff34684fd51fac80319d1baad1
git log v4.9.38..v4.9.39
CVE-2017-1000370: eab09532d40090698b05a07c1c87f39fdbc5fab5
CVE-2017-7541: 8f44c9a41386729fea410e688959ddaa9d51be7c
git log v4.9.39..v4.9.40
CVE-2017-11473: dad5ab0db8deac535d03e3fe3d8f2892173fa6a4
git log v4.9.40..v4.9.41
CVE-2017-7533: 49d31c2f389acfe83417083e1208422b4091cd9e
CVE-2017-12762: 9f5af546e6acc30f075828cb58c7f09665033967
git log v4.9.41..v4.9.42
CVE-2017-7542: 6399f1fae4ec29fab5ec76070435555e256ca3a6
CVE-2017-8831: 6fb05e0dd32e566facb96ea61a48c7488daa5ac3
CVE-2017-10663: 15d3042a937c13f5d9244241c7a9c8416ff6e82a
git log v4.9.42..v4.9.43
CVE-2017-1000112: 85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa
CVE-2017-1000111: c27927e372f0785f3303e8fad94b85945e2c97b7
Comment 1 Philipp Hahn univentionstaff 2017-09-27 10:54:12 CEST
CVE-2017-1000253 - load_elf_binary does not allocate sufficient space

r17678 | Bug #45242: linux-4.9.51
Comment 2 Philipp Hahn univentionstaff 2017-09-29 08:14:37 CEST
r17679 | Bug #45242: linux-4.9.52
r17680 | Bug #45242: linux-4.9.52 ucs105

Package: linux
Version: 4.9.30-2A~4.2.0.201709271647
Version: 4.9.30-2A~4.2.0.201709271649
Branch: ucs_4.2-0
Scope: errata4.2-2

OK diff <(linux-dmesg-norm 4.9.0-ucs104-amd64) <(linux-dmesg-norm 4.9.0-ucs105-amd64)
110,112c110,112
< 1     Freeing SMP alternatives memory: `SIZE` (`ADDR` - `ADDR`)
< 1     Freeing initrd memory: `SIZE` (`ADDR` - `ADDR`)
< 3     Freeing unused kernel memory: `SIZE` (`ADDR` - `ADDR`)
---
> 1     Freeing SMP alternatives memory: `SIZE`
> 1     Freeing initrd memory: `SIZE`
> 3     Freeing unused kernel memory: `SIZE`

b562d89aa69d | Bug #45242: Update to linux-4.9.52-ucs105
a76294c178af | Bug #45242: Re-add lost entry from errata4.2-0

Package: univention-kernel-image-signed
Version: 3.0.2-6A~4.2.0.201709281352
Branch: ucs_4.2-0
Scope: errata4.2-2

6e21d4b743 | Bug #45242: Update to linux-4.9.52-ucs105

Package: univention-kernel-image
Version: 10.0.0-8A~4.2.0.201709281400
Branch: ucs_4.2-0
Scope: errata4.2-2
Comment 3 Philipp Hahn univentionstaff 2017-09-29 10:41:59 CEST
As our EV Cert expired "Sep 20 12:00:00 2017 GMT", we need to build a new shim and grub, too.
Comment 4 Philipp Hahn univentionstaff 2017-09-29 15:35:02 CEST
8b60c503a3 Bug #45242: linux-4.9.52 yaml
Comment 5 Philipp Hahn univentionstaff 2017-10-16 11:08:34 CEST
Probably need backport of "v4.13-rc3~16^2~2^2~1" = "xen-blkfront: fix mq start/stop race" for Ticket#2017091521000331
If we do, we should request an official backport into stable/4.9.y, too.

Additional issued fixed in 52..56:
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.53
  CVE-2017-12154: kvm: nVMX: Don't allow L2 to access the hardware CR8
  CVE-2017-1000252: KVM: VMX: Do not BUG() on out-of-bounds guest IRQ
  CVE-2017-12153: nl80211: check for the required netlink attributes presence
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.54
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.55
  CVE-2017-7518: KVM: x86: fix singlestepping over syscall
  CVE-2017-0786: brcmfmac: add length check in brcmf_cfg80211_escan_handler()
  CVE-2017-1000255: powerpc/64s: Use emergency stack for kernel TM Bad Thing program checks
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.56

 cd linux && git log v4.9.52..v4.9.56  | grep --only '[0-9a-f]\{40\}' | sort -u > /tmp/linux49
 cd kernel-sec && find -type f -exec grep -F -f /tmp/linux49 {} +
  CVE-2017-12192: NULL pointer dereference due to KEYCTL_READ on negative key
  CVE-2017-14156: atyfb_ioctl stack memory leak
  CVE-2017-14489: scsi: nlmsg not properly parsed in iscsi_if_rx function
  CVE-2017-14991: scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE
Comment 6 Philipp Hahn univentionstaff 2017-10-16 16:41:00 CEST
r17682 | Bug #45242: linux-4.9.56

Package: linux
Version: 4.9.30-2A~4.2.0.201710161640
Branch: ucs_4.2-0
Scope: errata4.2-2
Comment 7 Philipp Hahn univentionstaff 2017-10-17 12:12:28 CEST
QA: amd64@kvm OK
QA: amd64@lynx OK
QA: dmesg OK

TODO: UEFI blocked by Bug #45471
Comment 8 Philipp Hahn univentionstaff 2017-10-20 14:05:37 CEST
TBD: 4.9.56+xen-patch sill crashes on Xen (Ticket#2017091521000331)
Comment 9 Philipp Hahn univentionstaff 2017-11-03 17:03:58 CET
r17688 | Bug #45242: linux-4.9.60
r17689 | Bug #45242: Fix broken patch

Package: linux
Version: 4.9.30-2A~4.2.0.201711031638
Branch: ucs_4.2-0
Scope: errata4.2-2
Comment 10 Philipp Hahn univentionstaff 2017-11-07 12:57:03 CET
yaml: 54a4842f11, fc2c49296a
univention-kernel-image-signed: 20de78ecf1

Package: univention-kernel-image-signed
Version: 3.0.2-6A~4.2.0.201711071050
Branch: ucs_4.2-0
Scope: errata4.2-2

OK: amd64 @ kvm
OK: amd64 @ xen1
  diff <(linux-dmesg-norm /tmp/4.9.0-ucs104-amd64) <(linux-dmesg-norm /tmp/4.9.0-ucs105-amd64)

FYI: 4.9.61 is WIP and ETA November 8-9th
FYI: Ticket#2017091521000331 remains unfixed
Comment 11 Philipp Hahn univentionstaff 2017-11-19 12:23:54 CET
r17712 | Bug #45242: linux-4.9.63
 dropped xen specific patch as it did not fix the issue

Package: linux
Version: 4.9.30-2A~4.2.0.201711191221
Branch: ucs_4.2-0
Scope: errata4.2-2

TODO: univention-kernel-image-signed
Comment 12 Philipp Hahn univentionstaff 2017-11-21 11:33:58 CET
3ab109b6bb Bug #45242: Update to linux-4.9.63-ucs105
b229c8b156 Bug #45242: Resign linux-4.9.63-ucs105 with old key

Package: univention-kernel-image-signed
Version: 3.0.2-7A~4.2.0.201711210922
Version: 3.0.2-8A~4.2.0.201711211125
Branch: ucs_4.2-0
Scope: errata4.2-2

91728fcd7c Bug #45242: Resign linux-4.9.63-ucs105 with old key YAML
941f3911cb Bug #45242: linux-4.9.63 YAML

4.9.64 is scheduled for Tue Nov 21 14:35:13 UTC 2017, which has additional fixes:
 CVE-2017-16537: media: imon: Fix null-ptr-deref in imon_probe
 CVE-2017-16646: media: dib0700: fix invalid dvb_detach argument

OK: zless /usr/share/doc/linux-image-`uname -r`/changelog.Debian.gz
OK: diff <(linux-dmesg-norm 4.9.0-ucs104-amd64) <(linux-dmesg-norm 4.9.0-ucs105-amd64)
OK: amd64 @ kvm
OK: amd64 @ xen1
OK: amd64 UEFI SB @ kvm
Comment 13 Philipp Hahn univentionstaff 2017-11-21 18:03:03 CET
r17717 | Bug #45242: linux-4.9.64

Package: linux
Version: 4.9.30-2A~4.2.0.201711211801
Branch: ucs_4.2-0
Scope: errata4.2-2
Comment 14 Philipp Hahn univentionstaff 2017-11-22 09:31:14 CET
aaf363642b Bug #45242: Update to linux-4.9.63-ucs105

Package: univention-kernel-image-signed
Version: 3.0.2-9A~4.2.0.201711220905
Branch: ucs_4.2-0
Scope: errata4.2-2

OK: zless /usr/share/doc/linux-image-`uname -r`/changelog.Debian.gz
OK: diff <(linux-dmesg-norm 4.9.0-ucs104-amd64) <(linux-dmesg-norm 4.9.0-ucs105-amd64)
OK: amd64 @ kvm
OK: amd64 @ xen1
OK: amd64 UEFI SB @ kvm
Comment 15 Erik Damrose univentionstaff 2017-11-23 11:56:54 CET
OK: 4.9.64 (univention-kernel-image-signed Changelog says .63 erroneously but has the correct signed image)
OK: Kernel update and boot
OK: Booting with new kernel on updated UCS installation, using the 'UEFI System'
OK~: I moved the yaml files to 4.2-3, adjusted the version and added an ignore statement for the source scope of the built packages
Verified
Comment 16 Erik Damrose univentionstaff 2017-11-23 14:00:37 CET
Retagged to 4.2-2-errata
Comment 18 Philipp Hahn univentionstaff 2020-01-22 08:44:02 CET
(In reply to Arvid Requate from comment #17)
> <http://errata.software-univention.de/ucs/4.2/229.html>

An error happened during the release process and univention-kernel-image-signed was announced twice also as
<http://errata.software-univention.de/ucs/4.2/228.html>