Package: release.debian.org
Severity: normal
Tags: jessie security
User: release.debian@packages.debian.org
Usertags: pu

Unfortunately, the microcode for the earlier AMD Piledriver processors being
distributed in the amd64-microcode packages currently in non-free oldstable,
stable, testing and unstable has been found to be extremely dangerous.

More details:
http://seclists.org/oss-sec/2016/q1/450
http://www.theregister.co.uk/2016/03/06/amd_microcode_6000836_fix/
https://www.reddit.com/r/linux/comments/47s8a8/new_amd_microcode_vulnerability_from_unprivileged/

An urgency=critical upload to unstable is already installed, and waiting for
the next mirror pulse.

I would like to update the packages in stable, with basically the same
package that was already uploaded to unstable. The only difference is an
extra debian/changelog entry for the stable upload.

Thank you!

debdiff output:
diffstat for amd64-microcode-2.20141028.1 amd64-microcode-2.20160316.1~deb8u1
README | 14 ++
debian/changelog | 33 +
debian/control |2 +-
microcode_amd_fam15h.bin |binary
microcode_amd_fam15h.bin.asc | 14 +++---
5 files changed, 55 insertions(+), 8 deletions(-)
diff -Nru amd64-microcode-2.20141028.1/debian/changelog
amd64-microcode-2.20160316.1~deb8u1/debian/changelog
--- amd64-microcode-2.20141028.1/debian/changelog 2014-12-18
13:36:29.0 -0200
+++ amd64-microcode-2.20160316.1~deb8u1/debian/changelog2016-03-19
14:22:44.0 -0300
@@ -1,3 +1,36 @@
+amd64-microcode (2.20160316.1~deb8u1) stable; urgency=critical
+
+ * This is exactly the same release as 2.20160316.1
+
+ -- Henrique de Moraes Holschuh Sat, 19 Mar 2016 14:21:54
-0300
+
+amd64-microcode (2.20160316.1) unstable; urgency=critical
+
+ * Upstream release 20160316 built from linux-firmware:
++ Updated Microcodes:
+ sig 0x00600f20, patch id 0x0600084f, 2016-01-25
++ This microcode updates fixes a critical erratum on NMI handling
+ introduced by microcode patch id 0x6000832 from the 20141028 update.
+ The erratum is also present on microcode patch id 0x6000836.
++ THIS IS A CRITICAL STABILITY AND SECURITY UPDATE FOR THE EARLIER
+ AMD PILEDRIVER PROCESSORS, including:
+ + AMD Opteron 3300, 4300, 6300
+ + AMD FX "Vishera" (43xx, 63xx, 83xx, 93xx, 95xx)
+ + AMD processors with family 21, model 2, stepping 0
+ * Robert Święcki, while fuzzing the kernel using the syzkaller tool,
+uncovered very strange behavior on an AMD FX-8320, later reproduced on
+other AMD Piledriver model 2, stepping 0 processors including the Opteron
+6300. Robert discovered, using his proof-of-concept exploit code, that
+the incorrect behavior allows an unpriviledged attacker on an unpriviledged
+VM to corrupt the return stack of the host kernel's NMI handler. At best,
+this results in unpredictable host behavior. At worst, it allows for an
+unpriviledged user on unpriviledged VM to carry a sucessful host-kernel
+ring 0 code injection attack.
+ * The erratum is timing-dependant, easily triggered by workloads that cause
+a high number of NMIs, such as running the "perf" tool.
+
+ -- Henrique de Moraes Holschuh Sat, 19 Mar 2016 14:02:44
-0300
+
amd64-microcode (2.20141028.1) unstable; urgency=medium
* Upstream release 20141028 built from linux-firmware:
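
Review bot: The 2.20160316.1 entry has wording slips that would ship in the stable changelog: "unpriviledged" (four occurrences), "sucessful", "timing-dependant" and "This microcode updates fixes"; suggest "unprivileged", "successful", "timing-dependent" and "This microcode update fixes". The patch ids are also padded inconsistently (0x0600084f with eight hex digits, 0x6000832 and 0x6000836 with seven), which makes it harder to match them against what a running system reports; using one width throughout would help. Neither new entry carries a bug or advisory reference, so if one exists it is worth citing here.
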
diff -Nru amd64-microcode-2.20141028.1/debian/control
amd64-microcode-2.20160316.1~deb8u1/debian/control
--- amd64-microcode-2.20141028.1/debian/control 2014-12-18 13:29:09.0
-0200
+++ amd64-microcode-2.20160316.1~deb8u1/debian/control 2016-03-19
14:21:48.0 -0300
@@ -10,7 +10,7 @@
XS-Autobuild: yes
Package: amd64-microcode
-Architecture: i386 amd64
+Architecture: i386 amd64 x32
Depends: ${misc:Depends}
Breaks: intel-microcode (<< 2)
Description: Processor microcode firmware for AMD CPUs
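
Review bot: The Architecture change on the `+` line adds x32, but neither new debian/changelog entry in this debdiff mentions it. For a stable update justified as a critical microcode fix, either document the x32 addition in the changelog or say in the request why it is carried along with the security change.
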
Binary files
/tmp/fBt3hF3hZL/amd64-microcode-2.20141028.1/microcode_amd_fam15h.bin and
/tmp/Xa6pgjObby/amd64-microcode-2.20160316.1~deb8u1/microcode_amd_fam15h.bin
differ
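
Review bot: The change to microcode_amd_fam15h.bin is the actual fix, and the debdiff can only report that the two files differ. Before accepting, verify the new binary against the updated microcode_amd_fam15h.bin.asc and confirm that it contains patch id 0x0600084f for sig 0x00600f20, as the changelog states.
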
diff -Nru amd64-microcode-2.20141028.1/microcode_amd_fam15h.bin.asc
amd64-microcode-2.20160316.1~deb8u1/microcode_amd_fam15h.bin.asc
--- amd64-microcode-2.20141028.1/microcode_amd_fam15h.bin.asc 2014-12-17
18:30:04.0 -0200
+++ amd64-microcode-2.20160316.1~deb8u1/microcode_amd_fam15h.bin.asc
2016-03-19 14:21:48.0 -0300
@@ -1,11 +1,11 @@
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
-iQEcBAABAgAGBQJUTqLvAAoJEOS+UznzKK5zyaIIAKZcXmU+sBO4YGH5Aq2SdRYe
-rlwE5oeYNh+AdzzLm9EqHwSC+MciFI7HqQz8PvKAsfaoD17mQjonIXga8l2/w3OW
-/vIJjJnu9QB2C9XpjAiQCxS5QaMtIfEEjVld+MeHs6Ld3PwGuAXCkxKcJ2sHLZd3
-UcwwHxcm98KYouogjVZoJeb226cjz6fzUVJK9t9yi2S+SWmIvkjSZEI6W0WFoFCL
-x0jM7lFNcusGtg5K6UsyAdwPwvfbBN5FoV29/DaP+/HA4GP/W/cgbQxS72skDJg5