Kernel Side-channel Attacks (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754)

[l2dy]

a.k.a. Meltdown and Spectre, https://meltdownattack.com/

https://news.opensuse.org/2018/01/04/current-status-opensuse-and-spectre-meltdown-vulnerabilities/

For openSUSE Tumbleweed we have ported patches on top of Linux Kernel 4.14 and a submission against the Factory projects has been done.

Additionally, these updates are accompanied also by ucode-intel, kernel-firmware and qemu updates needed for one variant of the Spectre Attack.

According to https://access.redhat.com/security/vulnerabilities/speculativeexecution (in the Resolve tab), more packages (e.g. libvirt) are affected.

Affected packages:

• linux-kernel*
• linux-firmware
• intel-ucode
• firefox
• libvirt
• qemu
• llvm (https://reviews.llvm.org/D41723)
• nvidia*
• webkit2gtk

References:

• https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
• https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html
• Debian Security Advisory DSA-4078

[l2dy]

firefox: security update to 57.0.4

https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/

[MingcongBai]

@l2dy @cth451 Please double time to get this issue addressed. I'll notify you when staging-master merge is completed.

[MingcongBai]

@l2dy I don't think Intel has released any new microcode package yet.

[MingcongBai]

As for Qemu:

"Right now, there are no public patches to KVM that expose the new CPUID bits and MSRs to the virtual machines, therefore there is no urgent need to update QEMU; remember that updating the host kernel is enough to protect the host from malicious guests. Nevertheless, updates will be posted to the qemu-devel mailing list in the next few days, and a 2.11.1 patch release will be released with the fix."

[MingcongBai]

LLVM patch already accepted. Applying.

EDIT: No patch is available for 5.0 yet, I wouldn't rush to risk a bad backport.

[MingcongBai]

@l2dy AOSA please, for Firefox.

[l2dy]

Use AOSA-2018-0004 for firefox.

[cthbleachbit]

main variant fixed in 637c0e75046 lts variant fixed in ce81885e82e

[l2dy]

Use AOSA-2018-0017 for linux-kernel. Use AOSA-2018-0018 for linux-kernel-lts.

[l2dy]

@l2dy I don't think Intel has released any new microcode package yet.

According to this Project Zero blog post, Intel was made aware of this issue around 2017-06-01, so the microcode update released on 2017/11/17 (updated in 674ed023cf3cd24a1e5a68f9c0c8d470a49f1891 in our distro) may already contain some mitigations.

According to https://newsroom.intel.com/news-releases/intel-issues-updates-protect-systems-security-exploits/, Intel is still working on firmware updates as of Jan. 4, 2018.

[MingcongBai]

@l2dy Please assign one AOSA for NVIDIA mainline update 02363e65971c683d2189d00b272a571fd5279c73, and its optenv32 counterpart 397bc3c8ae2029120f7bf941133eb2a620b78414.

[MingcongBai]

While mainline NVIDIA driver packages now contain mitigations for Spectre, it is not sure if NVIDIA will be willing to provide a fix to the 340 legacy branch yet - fingers crossed.

https://devtalk.nvidia.com/default/topic/1028537/spectre-fix-backport-for-340/

[l2dy]

Use AOSA-2018-0020 for mainline NVIDIA driver.

[l2dy]

Use AOSA-2018-0021 for linux-kernel. Use AOSA-2018-0022 for linux-kernel-libre.

[l2dy]

webkit2gtk: security update to 2.18.5

https://webkitgtk.org/security/WSA-2018-0001.html

[l2dy]

intel-ucode: security update to 20180108

https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File

[MingcongBai]

@l2dy Please assign AOSAs for the upper two commits.

[l2dy]

Use AOSA-2018-0024 for intel-ucode. Use AOSA-2018-0025 for webkit2gtk.

[MingcongBai]

NVIDIA 340.106 has been released with KPTI support.

[l2dy]

Use AOSA-2018-0059 for NVIDIA driver 340.106.

[MingcongBai]

Intel released microcode 20180312.

[MingcongBai]

Microcode updated with b8275af4fa621b294a26fb53bf6a4c7d22c74fb6. Requesting an AOSA.

[l2dy]

Use AOSA-2018-0146 for intel-ucode update to 20180312.

[l2dy]

Intel released microcode 20180425.

https://bugzilla.redhat.com/show_bug.cgi?id=1574574

The update microcode for Intel should be included in RHEL-7 in version 20180425 to include the Spectre mitigation.

[MingcongBai]

Case closed. Now onto the next round.

[l2dy]

Use AOSA-2018-0246 for intel-ucode update to 20180425.

[l2dy]

@MingcongBai Do we have the latest AMD microcode for Spectre mitigation? https://bugzilla.redhat.com/show_bug.cgi?id=1574591

[MingcongBai]

Nope. Re-opening.

[MingcongBai]

Closing issue once again with this fix https://github.com/AOSC-Dev/aosc-os-abbs/commit/2abd1d1c4b78105199650583a4c4c57b868ef925.

[l2dy]

Use AOSA-2018-0257 for linux-firmware update to 20180525.