Bug 50003 – linux: Multiple issues (4.4)

Bug 50003 - linux: Multiple issues (4.4)


Summary:	linux: Multiple issues (4.4)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 4.4
Hardware:	All Linux

Importance:	P3 normal (vote)
Target Milestone:	UCS 4.4-1-errata
Assigned To:	Quality Assurance
QA Contact:	Philipp Hahn

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2019-08-13 08:46 CEST by Quality Assurance
Modified:	2019-08-14 16:35 CEST (History)
CC List:	0 users

See Also:
What kind of report is it?:	Security Issue
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:	7.3 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Quality Assurance

2019-08-13 08:46:35 CEST

New Debian linux 4.9.168-1+deb9u5 fixes:
This update addresses the following issues:
* non-maskable interrupts triggerable by guests (xsa120) (CVE-2015-8553)
* Information Exposure through dmesg data from a "pages/cpu" printk call  (CVE-2018-5995)
* race condition in smp_task_timedout() and smp_task_done() in  drivers/scsi/libsas/sas_expander.c leads to use-after-free (CVE-2018-20836)
* Use-after-free in __blk_drain_queue() function in block/blk-core.c  (CVE-2018-20856)
* hw: Spectre SWAPGS gadget vulnerability (CVE-2019-1125)
* denial of service vector through vfio DMA mappings (CVE-2019-3882)
* vhost_net: infinite loop while receiving packets leads to DoS  (CVE-2019-3900)
* null-pointer dereference in hci_uart_set_flow_control (CVE-2019-10207)
* net: weak IP ID generation leads to remote device tracking (CVE-2019-10638)
* net: using kernel space address bits to derive IP ID may potentially break  KASLR (CVE-2019-10639)
* OOB writes in parse_hid_report_descriptor in drivers/input/tablet/gtco.c  (CVE-2019-13631)
* denial of service in arch/powerpc/kernel/signal_32.c and  arch/powerpc/kernel/signal_64.c via sigreturn() system call  (CVE-2019-13648)
* integer overflow and OOB read in drivers/block/floppy.c (CVE-2019-14283)
* denial of service in drivers/block/floppy.c by setup_format_params  division-by-zero (CVE-2019-14284)

Comment 1 Quality Assurance

2019-08-13 09:00:38 CEST

--- mirror/ftp/4.4/unmaintained/component/4.4-1-errata/source/linux_4.9.168-1+deb9u4.dsc
+++ apt/ucs_4.4-0-errata4.4-1/source/linux_4.9.168-1+deb9u5.dsc
@@ -1,3 +1,42 @@
+4.9.168-1+deb9u5 [Sun, 11 Aug 2019 15:53:40 +0100] Ben Hutchings <ben@decadent.org.uk>:
+
+  * [amd64] Add mitigation for Spectre v1 swapgs (CVE-2019-1125):
+    - cpufeatures: Sort feature word 7
+    - speculation: Prepare entry code for Spectre v1 swapgs mitigations
+    - speculation: Enable Spectre v1 swapgs mitigations
+    - entry: Use JMP instead of JMPQ
+    - speculation/swapgs: Exclude ATOMs from speculation through SWAPGS
+  * [x86] xen/pciback: Don't disable PCI_COMMAND on PCI device reset.
+    (CVE-2015-8553)
+    - Add Breaks relation to incompatible qemu-system-x86 versions
+  * ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt
+  * percpu: stop printing kernel addresses (CVE-2018-5995)
+  * scsi: libsas: fix a race condition when smp task timeout (CVE-2018-20836)
+  * block: blk_init_allocated_queue() set q->fq as NULL in the fail case
+    (CVE-2018-20856)
+  * vfio/type1: Limit DMA mappings per container (CVE-2019-3882)
+  * Bluetooth: hci_uart: check for missing tty operations (CVE-2019-10207)
+  * siphash: add cryptographically secure PRF
+  * inet: switch IP ID generator to siphash (CVE-2019-10638, CVE-2019-10639)
+  * Input: gtco - bounds check collection indent level (CVE-2019-13631)
+  * [ppc64el] tm: Fix oops on sigreturn on systems without TM (CVE-2019-13648)
+  * floppy: fix div-by-zero in setup_format_params (CVE-2019-14284)
+  * floppy: fix out-of-bounds read in next_valid_format
+  * floppy: fix invalid pointer dereference in drive_name
+  * floppy: fix out-of-bounds read in copy_buffer (CVE-2019-14283)
+  * inet: Avoid ABI change for IP ID hash change
+  * vhost: Fix possible infinite loop (CVE-2019-3900):
+    - vhost-net: set packet weight of tx polling to 2 * vq size
+    - vhost_net: use packet weight for rx handler, too
+    - vhost_net: introduce vhost_exceeds_weight()
+    - vhost: introduce vhost_exceeds_weight()
+    - vhost_net: fix possible infinite loop
+    - vhost: scsi: add weight support
+  * vhost: Ignore ABI changes
+  * netfilter: ctnetlink: don't use conntrack/expect object addresses as id
+  * xen: let alloc_xenballooned_pages() fail if not enough memory free
+  * tcp: Clear sk_send_head after purging the write queue
+
 4.9.168-1+deb9u4 [Fri, 19 Jul 2019 13:41:00 +0200] Salvatore Bonaccorso <carnil@debian.org>:
 
   * ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME (CVE-2019-13272)

<http://10.200.17.11/4.4-1/#51094133496162801>

Comment 2 Philipp Hahn

2019-08-13 11:48:45 CEST

OK: apt install linux-image-4.9.0-9-amd64-signed=... linux-image-4.9.0-9-amd64=4.9...
OK: amd64 @ kvm + SeaBIOS
OK: amd64 @ kvm + OVMF + SB
OK: amd64 @ xen16
OK: cat /sys/kernel/security/securelevel ; echo
OK: i386 @ kvm
OK: uname -a
OK: dmesg
+ Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization
OK: YAML
OK: announce-errata -V

Comment 3 Erik Damrose

2019-08-14 16:35:30 CEST

<http://errata.software-univention.de/ucs/4.4/228.html>
<http://errata.software-univention.de/ucs/4.4/229.html>