Bug#818689: jessie-pu: package amd64-microcode/2.20160316.1~deb8u1

2016-03-19 Thread Adam D. Barratt
Control: tags -1 + pending

On Sat, 2016-03-19 at 16:30 -0300, Henrique de Moraes Holschuh wrote:
> On Sat, 19 Mar 2016, Adam D. Barratt wrote:
> > On Sat, 2016-03-19 at 15:50 -0300, Henrique de Moraes Holschuh wrote:
> > > Unfortunately, the microcode for the earlier AMD Piledriver processors being
> > > distributed in the amd64-microcode packages currently in non-free oldstable,
> > > stable, testing and unstable has been found to be extremely dangerous.
> > [...]
> > > I would like to update the packages in stable, with basically the same
> > > package that was already uploaded to unstable.  The only difference is an
> > > extra debian/changelog entry for the stable upload.
> > 
> > Please go ahead.
> 
> Thank you Adam!  Uploaded!

and flagged for acceptance into p-u.

Regards,

Adam



Processed: Re: Bug#818689: jessie-pu: package amd64-microcode/2.20160316.1~deb8u1

2016-03-19 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #818689 [release.debian.org] jessie-pu: package amd64-microcode/2.20160316.1~deb8u1
Added tag(s) pending.

-- 
818689: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818689
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#818689: jessie-pu: package amd64-microcode/2.20160316.1~deb8u1

2016-03-19 Thread Henrique de Moraes Holschuh
On Sat, 19 Mar 2016, Adam D. Barratt wrote:
> On Sat, 2016-03-19 at 15:50 -0300, Henrique de Moraes Holschuh wrote:
> > Unfortunately, the microcode for the earlier AMD Piledriver processors being
> > distributed in the amd64-microcode packages currently in non-free oldstable,
> > stable, testing and unstable has been found to be extremely dangerous.
> [...]
> > I would like to update the packages in stable, with basically the same
> > package that was already uploaded to unstable.  The only difference is an
> > extra debian/changelog entry for the stable upload.
> 
> Please go ahead.

Thank you Adam!  Uploaded!

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh



Bug#818689: jessie-pu: package amd64-microcode/2.20160316.1~deb8u1

2016-03-19 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sat, 2016-03-19 at 15:50 -0300, Henrique de Moraes Holschuh wrote:
> Unfortunately, the microcode for the earlier AMD Piledriver processors being
> distributed in the amd64-microcode packages currently in non-free oldstable,
> stable, testing and unstable has been found to be extremely dangerous.
[...]
> I would like to update the packages in stable, with basically the same
> package that was already uploaded to unstable.  The only difference is an
> extra debian/changelog entry for the stable upload.

Please go ahead.

Regards,

Adam



Processed: Re: Bug#818689: jessie-pu: package amd64-microcode/2.20160316.1~deb8u1

2016-03-19 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #818689 [release.debian.org] jessie-pu: package amd64-microcode/2.20160316.1~deb8u1
Added tag(s) confirmed.

-- 
818689: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818689
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#818689: jessie-pu: package amd64-microcode/2.20160316.1~deb8u1

2016-03-19 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
Tags: jessie security
User: release.debian@packages.debian.org
Usertags: pu

Unfortunately, the microcode for the earlier AMD Piledriver processors being
distributed in the amd64-microcode packages currently in non-free oldstable,
stable, testing and unstable has been found to be extremely dangerous.

More details:
http://seclists.org/oss-sec/2016/q1/450
http://www.theregister.co.uk/2016/03/06/amd_microcode_6000836_fix/
https://www.reddit.com/r/linux/comments/47s8a8/new_amd_microcode_vulnerability_from_unprivileged/

An urgency=critical upload to unstable is already installed, and waiting for
the next mirror pulse.

I would like to update the packages in stable, with basically the same
package that was already uploaded to unstable.  The only difference is an
extra debian/changelog entry for the stable upload.

Thank you!


debdiff output:
diffstat for amd64-microcode-2.20141028.1 amd64-microcode-2.20160316.1~deb8u1

 README                       |   14 ++
 debian/changelog             |   33 +
 debian/control               |    2 +-
 microcode_amd_fam15h.bin     |binary
 microcode_amd_fam15h.bin.asc |   14 +++---
 5 files changed, 55 insertions(+), 8 deletions(-)

diff -Nru amd64-microcode-2.20141028.1/debian/changelog 
amd64-microcode-2.20160316.1~deb8u1/debian/changelog
--- amd64-microcode-2.20141028.1/debian/changelog   2014-12-18 
13:36:29.0 -0200
+++ amd64-microcode-2.20160316.1~deb8u1/debian/changelog2016-03-19 
14:22:44.0 -0300
@@ -1,3 +1,36 @@
+amd64-microcode (2.20160316.1~deb8u1) stable; urgency=critical
+
+  * This is exactly the same release as 2.20160316.1
+
+ -- Henrique de Moraes Holschuh   Sat, 19 Mar 2016 14:21:54 
-0300
+
+amd64-microcode (2.20160316.1) unstable; urgency=critical
+
+  * Upstream release 20160316 built from linux-firmware:
++ Updated Microcodes:
+  sig 0x00600f20, patch id 0x0600084f, 2016-01-25
++ This microcode updates fixes a critical erratum on NMI handling
+  introduced by microcode patch id 0x6000832 from the 20141028 update.
+  The erratum is also present on microcode patch id 0x6000836.
++ THIS IS A CRITICAL STABILITY AND SECURITY UPDATE FOR THE EARLIER
+  AMD PILEDRIVER PROCESSORS, including:
+  + AMD Opteron 3300, 4300, 6300
+  + AMD FX "Vishera" (43xx, 63xx, 83xx, 93xx, 95xx)
+  + AMD processors with family 21, model 2, stepping 0
+  * Robert Święcki, while fuzzing the kernel using the syzkaller tool,
+uncovered very strange behavior on an AMD FX-8320, later reproduced on
+other AMD Piledriver model 2, stepping 0 processors including the Opteron
+6300.  Robert discovered, using his proof-of-concept exploit code, that
+the incorrect behavior allows an unpriviledged attacker on an unpriviledged
+VM to corrupt the return stack of the host kernel's NMI handler.  At best,
+this results in unpredictable host behavior.  At worst, it allows for an
+unpriviledged user on unpriviledged VM to carry a sucessful host-kernel
+ring 0 code injection attack.
+  * The erratum is timing-dependant, easily triggered by workloads that cause
+a high number of NMIs, such as running the "perf" tool.
+
+ -- Henrique de Moraes Holschuh   Sat, 19 Mar 2016 14:02:44 
-0300
+
 amd64-microcode (2.20141028.1) unstable; urgency=medium
 
   * Upstream release 20141028 built from linux-firmware:
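Review bot: The patch ids in the 2.20160316.1 entry are written in two formats: the fixed revision is given as 0x0600084f with its leading zero, while the two affected revisions appear as 0x6000832 and 0x6000836 without it. Writing all three zero-padded to eight hex digits (0x06000832, 0x06000836) would keep them consistent with each other and with the sig 0x00600f20 line, so someone searching the changelog for a revision does not have to normalise them by hand. The same entry has a few spelling slips worth fixing before the text lands in stable: "This microcode updates fixes", "unpriviledged", "sucessful" and "timing-dependant".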
diff -Nru amd64-microcode-2.20141028.1/debian/control 
amd64-microcode-2.20160316.1~deb8u1/debian/control
--- amd64-microcode-2.20141028.1/debian/control 2014-12-18 13:29:09.0 
-0200
+++ amd64-microcode-2.20160316.1~deb8u1/debian/control  2016-03-19 
14:21:48.0 -0300
@@ -10,7 +10,7 @@
 XS-Autobuild: yes
 
 Package: amd64-microcode
-Architecture: i386 amd64
+Architecture: i386 amd64 x32
 Depends: ${misc:Depends}
 Breaks: intel-microcode (<< 2)
 Description: Processor microcode firmware for AMD CPUs
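Review bot: The Architecture field gains x32 here, but neither new debian/changelog entry mentions it: the stable entry only says "This is exactly the same release as 2.20160316.1" and the unstable entry covers the microcode update alone. For a stable update every packaging change should be listed, so please add a changelog line for the x32 addition (and why it is wanted in jessie) or drop it from this upload.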
Binary files 
/tmp/fBt3hF3hZL/amd64-microcode-2.20141028.1/microcode_amd_fam15h.bin and 
/tmp/Xa6pgjObby/amd64-microcode-2.20160316.1~deb8u1/microcode_amd_fam15h.bin 
differ
diff -Nru amd64-microcode-2.20141028.1/microcode_amd_fam15h.bin.asc 
amd64-microcode-2.20160316.1~deb8u1/microcode_amd_fam15h.bin.asc
--- amd64-microcode-2.20141028.1/microcode_amd_fam15h.bin.asc   2014-12-17 
18:30:04.0 -0200
+++ amd64-microcode-2.20160316.1~deb8u1/microcode_amd_fam15h.bin.asc
2016-03-19 14:21:48.0 -0300
@@ -1,11 +1,11 @@
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1
 
-iQEcBAABAgAGBQJUTqLvAAoJEOS+UznzKK5zyaIIAKZcXmU+sBO4YGH5Aq2SdRYe
-rlwE5oeYNh+AdzzLm9EqHwSC+MciFI7HqQz8PvKAsfaoD17mQjonIXga8l2/w3OW
-/vIJjJnu9QB2C9XpjAiQCxS5QaMtIfEEjVld+MeHs6Ld3PwGuAXCkxKcJ2sHLZd3
-UcwwHxcm98KYouogjVZoJeb226cjz6fzUVJK9t9yi2S+SWmIvkjSZEI6W0WFoFCL
-x0jM7lFNcusGtg5K6UsyAdwPwvfbBN5FoV29/DaP+/HA4GP/W/cgbQxS72skDJg5