Univention Bugzilla – Bug 45242
linux: Multiple security issues (4.2)
Last modified: 2020-01-22 08:44:02 CET
Upstream Debian stretch-security package version 4.9.30-2+deb9u3 fixes these issues:
* [x86] drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl() (CVE-2017-7346)
* rxrpc: Fix several cases where a padded len isn't checked in ticket decode (CVE-2017-7482)
* brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() (CVE-2017-7541)
* ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
* [x86] drm/vmwgfx: Make sure backup_handle is always valid (CVE-2017-9605)
* drm/virtio: don't leak bo on drm_gem_object_init failure (CVE-2017-10810)
* xen-blkback: don't leak stack data via response ring (CVE-2017-10911)
* mqueue: fix a use-after-free in sys_mq_notify() (CVE-2017-11176)
* fs/exec.c: account for argv/envp pointers (CVE-2017-1000365)
* dentry name snapshots (CVE-2017-7533)

Additionally I find these security-related commits in v4.9.33..v4.9.43:

git log v4.9.33..v4.9.34
CVE-2017-1000364: 1be7107fbe18eed3e319a6c3e83c78254b693acb

git log v4.9.34..v4.9.35
CVE-2017-7482: 5f2f97656ada8d811d3c1bef503ced266fcd53a0
CVE-2017-1000365: 98da7d08850fb8bdeb395d6368ed15753304aa0c
CVE-2017-10911: 089bc0143f489bd3a4578bdff5f4ca68fb26f341

git log v4.9.35..v4.9.36

git log v4.9.36..v4.9.37
CVE-2017-10810: 385aee965b4e4c36551c362a334378d2985b722a

git log v4.9.37..v4.9.38
CVE-2017-11176: f991af3daabaecff34684fd51fac80319d1baad1

git log v4.9.38..v4.9.39
CVE-2017-1000370: eab09532d40090698b05a07c1c87f39fdbc5fab5
CVE-2017-7541: 8f44c9a41386729fea410e688959ddaa9d51be7c

git log v4.9.39..v4.9.40
CVE-2017-11473: dad5ab0db8deac535d03e3fe3d8f2892173fa6a4

git log v4.9.40..v4.9.41
CVE-2017-7533: 49d31c2f389acfe83417083e1208422b4091cd9e
CVE-2017-12762: 9f5af546e6acc30f075828cb58c7f09665033967

git log v4.9.41..v4.9.42
CVE-2017-7542: 6399f1fae4ec29fab5ec76070435555e256ca3a6
CVE-2017-8831: 6fb05e0dd32e566facb96ea61a48c7488daa5ac3
CVE-2017-10663: 15d3042a937c13f5d9244241c7a9c8416ff6e82a

git log v4.9.42..v4.9.43
CVE-2017-1000112: 85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa
CVE-2017-1000111: c27927e372f0785f3303e8fad94b85945e2c97b7
CVE-2017-1000253 - load_elf_binary does not allocate sufficient space

r17678 | Bug #45242: linux-4.9.51
r17679 | Bug #45242: linux-4.9.52
r17680 | Bug #45242: linux-4.9.52 ucs105

Package: linux
Version: 4.9.30-2A~4.2.0.201709271647
Version: 4.9.30-2A~4.2.0.201709271649
Branch: ucs_4.2-0
Scope: errata4.2-2

OK diff <(linux-dmesg-norm 4.9.0-ucs104-amd64) <(linux-dmesg-norm 4.9.0-ucs105-amd64)
110,112c110,112
< 1 Freeing SMP alternatives memory: `SIZE` (`ADDR` - `ADDR`)
< 1 Freeing initrd memory: `SIZE` (`ADDR` - `ADDR`)
< 3 Freeing unused kernel memory: `SIZE` (`ADDR` - `ADDR`)
---
> 1 Freeing SMP alternatives memory: `SIZE`
> 1 Freeing initrd memory: `SIZE`
> 3 Freeing unused kernel memory: `SIZE`

b562d89aa69d | Bug #45242: Update to linux-4.9.52-ucs105
a76294c178af | Bug #45242: Re-add lost entry from errata4.2-0

Package: univention-kernel-image-signed
Version: 3.0.2-6A~4.2.0.201709281352
Branch: ucs_4.2-0
Scope: errata4.2-2

6e21d4b743 | Bug #45242: Update to linux-4.9.52-ucs105

Package: univention-kernel-image
Version: 10.0.0-8A~4.2.0.201709281400
Branch: ucs_4.2-0
Scope: errata4.2-2
As our EV Cert expired "Sep 20 12:00:00 2017 GMT", we need to build a new shim and grub, too.
8b60c503a3 Bug #45242: linux-4.9.52 yaml
Probably need backport of "v4.13-rc3~16^2~2^2~1" = "xen-blkfront: fix mq start/stop race" for Ticket#2017091521000331
If we do, we should request an official backport into stable/4.9.y, too.

Additional issues fixed in 52..56:

https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.53
CVE-2017-12154: kvm: nVMX: Don't allow L2 to access the hardware CR8
CVE-2017-1000252: KVM: VMX: Do not BUG() on out-of-bounds guest IRQ
CVE-2017-12153: nl80211: check for the required netlink attributes presence

https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.54

https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.55
CVE-2017-7518: KVM: x86: fix singlestepping over syscall
CVE-2017-0786: brcmfmac: add length check in brcmf_cfg80211_escan_handler()
CVE-2017-1000255: powerpc/64s: Use emergency stack for kernel TM Bad Thing program checks

https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.56

cd linux && git log v4.9.52..v4.9.56 | grep --only '[0-9a-f]\{40\}' | sort -u > /tmp/linux49
cd kernel-sec && find -type f -exec grep -F -f /tmp/linux49 {} +
CVE-2017-12192: NULL pointer dereference due to KEYCTL_READ on negative key
CVE-2017-14156: atyfb_ioctl stack memory leak
CVE-2017-14489: scsi: nlmsg not properly parsed in iscsi_if_rx function
CVE-2017-14991: scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE
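The cross-reference in the comment above, wrapped as a function that prints one line per matching CVE; this is an added example, not part of the original comment and not Univention's tooling. The names cves_for_commits and make_sample are hypothetical, the kernel-sec file layout is an assumption stated in the comments, and all sample data is constructed.

```bash
#!/usr/bin/env bash
# Added example. Assumed kernel-sec layout: one file per CVE, named after the
# CVE id, holding a "Description:" line and commit ids in [brackets].

# cves_for_commits HASHFILE DIR  (hypothetical helper name)
# Prints "CVE-ID<TAB>description" for each file under DIR that mentions a
# commit id listed in HASHFILE.
cves_for_commits() {
    local hashes=$1 dir=$2 clean f
    clean=$(mktemp)
    # Keep only full 40-hex ids: an empty line in a grep -f pattern file
    # matches every line, which would report every CVE file as a hit.
    grep -xE '[0-9a-f]{40}' "$hashes" | sort -u > "$clean"
    grep -rlF -f "$clean" "$dir" | sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(basename "$f")" \
            "$(sed -n 's/^Description: *//p' "$f" | head -n 1)"
    done
    rm -f "$clean"
}

# Constructed sample: two placeholder CVE files and a hash list that names
# only the first one and ends with a stray blank line. Echoes the temp dir.
make_sample() {
    local tmp a b
    tmp=$(mktemp -d)
    a=$(printf '%040d' 0 | tr 0 a)   # placeholder id, not a real commit
    b=$(printf '%040d' 0 | tr 0 b)
    mkdir -p "$tmp/active"
    printf 'Description: constructed entry one\nupstream: released (x.y) [%s]\n' \
        "$a" > "$tmp/active/CVE-0000-0001"
    printf 'Description: constructed entry two\nupstream: released (x.y) [%s]\n' \
        "$b" > "$tmp/active/CVE-0000-0002"
    printf '%s\n\n' "$a" > "$tmp/hashes"
    echo "$tmp"
}

sample=$(make_sample)
cves_for_commits "$sample/hashes" "$sample/active"
rm -rf "$sample"
```

The match works because stable-branch commit messages quote the upstream commit id, so hashes taken from the whole `git log` output also hit tracker entries that record only the upstream fix.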
r17682 | Bug #45242: linux-4.9.56

Package: linux
Version: 4.9.30-2A~4.2.0.201710161640
Branch: ucs_4.2-0
Scope: errata4.2-2
QA: amd64@kvm OK
QA: amd64@lynx OK
QA: dmesg OK
TODO: UEFI blocked by Bug #45471
TBD: 4.9.56+xen-patch still crashes on Xen (Ticket#2017091521000331)
r17688 | Bug #45242: linux-4.9.60
r17689 | Bug #45242: Fix broken patch

Package: linux
Version: 4.9.30-2A~4.2.0.201711031638
Branch: ucs_4.2-0
Scope: errata4.2-2
yaml: 54a4842f11, fc2c49296a
univention-kernel-image-signed: 20de78ecf1

Package: univention-kernel-image-signed
Version: 3.0.2-6A~4.2.0.201711071050
Branch: ucs_4.2-0
Scope: errata4.2-2

OK: amd64 @ kvm
OK: amd64 @ xen1
diff <(linux-dmesg-norm /tmp/4.9.0-ucs104-amd64) <(linux-dmesg-norm /tmp/4.9.0-ucs105-amd64)

FYI: 4.9.61 is WIP and ETA November 8-9th
FYI: Ticket#2017091521000331 remains unfixed
r17712 | Bug #45242: linux-4.9.63
dropped xen specific patch as it did not fix the issue

Package: linux
Version: 4.9.30-2A~4.2.0.201711191221
Branch: ucs_4.2-0
Scope: errata4.2-2

TODO: univention-kernel-image-signed
3ab109b6bb Bug #45242: Update to linux-4.9.63-ucs105
b229c8b156 Bug #45242: Resign linux-4.9.63-ucs105 with old key

Package: univention-kernel-image-signed
Version: 3.0.2-7A~4.2.0.201711210922
Version: 3.0.2-8A~4.2.0.201711211125
Branch: ucs_4.2-0
Scope: errata4.2-2

91728fcd7c Bug #45242: Resign linux-4.9.63-ucs105 with old key YAML
941f3911cb Bug #45242: linux-4.9.63 YAML

4.9.64 is scheduled for Tue Nov 21 14:35:13 UTC 2017, which has additional fixes:
CVE-2017-16537: media: imon: Fix null-ptr-deref in imon_probe
CVE-2017-16646: media: dib0700: fix invalid dvb_detach argument

OK: zless /usr/share/doc/linux-image-`uname -r`/changelog.Debian.gz
OK: diff <(linux-dmesg-norm 4.9.0-ucs104-amd64) <(linux-dmesg-norm 4.9.0-ucs105-amd64)
OK: amd64 @ kvm
OK: amd64 @ xen1
OK: amd64 UEFI SB @ kvm
r17717 | Bug #45242: linux-4.9.64

Package: linux
Version: 4.9.30-2A~4.2.0.201711211801
Branch: ucs_4.2-0
Scope: errata4.2-2
aaf363642b Bug #45242: Update to linux-4.9.63-ucs105

Package: univention-kernel-image-signed
Version: 3.0.2-9A~4.2.0.201711220905
Branch: ucs_4.2-0
Scope: errata4.2-2

OK: zless /usr/share/doc/linux-image-`uname -r`/changelog.Debian.gz
OK: diff <(linux-dmesg-norm 4.9.0-ucs104-amd64) <(linux-dmesg-norm 4.9.0-ucs105-amd64)
OK: amd64 @ kvm
OK: amd64 @ xen1
OK: amd64 UEFI SB @ kvm
OK: 4.9.64 (univention-kernel-image-signed Changelog says .63 erroneously but has the correct signed image)
OK: Kernel update and boot
OK: Booting with new kernel on updated UCS installation, using the 'UEFI System'
OK~: I moved the yaml files to 4.2-3, adjusted the version and added an ignore statement for the source scope of the built packages

Verified
Retagged to 4.2-2-errata
<http://errata.software-univention.de/ucs/4.2/229.html>
<http://errata.software-univention.de/ucs/4.2/230.html>
<http://errata.software-univention.de/ucs/4.2/231.html>
(In reply to Arvid Requate from comment #17)
> <http://errata.software-univention.de/ucs/4.2/229.html>

An error happened during the release process and univention-kernel-image-signed was announced twice also as <http://errata.software-univention.de/ucs/4.2/228.html>