
Bug#818710: marked as done (wheezy-pu: package amd64-microcode/1.20160316.1)



Your message dated Sat, 02 Apr 2016 14:22:42 +0100
with message-id <1459603362.2441.217.camel@adam-barratt.org.uk>
and subject line Fix included in oldstable
has caused the Debian Bug report #818710,
regarding wheezy-pu: package amd64-microcode/1.20160316.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
818710: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818710
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy security
User: release.debian.org@packages.debian.org
Usertags: pu

This is the non-free oldstable companion update for the same issue reported
in #818689:

Unfortunately, the microcode for the earlier AMD Piledriver processors being
distributed in the amd64-microcode packages currently in non-free oldstable,
stable, testing and unstable has been found to be extremely dangerous.

More details:
http://seclists.org/oss-sec/2016/q1/450
http://www.theregister.co.uk/2016/03/06/amd_microcode_6000836_fix/
https://www.reddit.com/r/linux/comments/47s8a8/new_amd_microcode_vulnerability_from_unprivileged/

I would like to update the packages in oldstable with the new microcode.

Thank you!

debdiff output:
diffstat for amd64-microcode-1.20141028.1 amd64-microcode-1.20160316.1

 README                       |   14 ++++++++++++++
 debian/changelog             |   27 +++++++++++++++++++++++++++
 microcode_amd_fam15h.bin     |binary
 microcode_amd_fam15h.bin.asc |   14 +++++++-------
 4 files changed, 48 insertions(+), 7 deletions(-)

diff -Nru amd64-microcode-1.20141028.1/debian/changelog amd64-microcode-1.20160316.1/debian/changelog
--- amd64-microcode-1.20141028.1/debian/changelog	2015-01-20 11:05:42.000000000 -0200
+++ amd64-microcode-1.20160316.1/debian/changelog	2016-03-19 19:10:26.000000000 -0300
@@ -1,3 +1,30 @@
+amd64-microcode (1.20160316.1) oldstable; urgency=critical
+
+  * Upstream release 20160316 built from linux-firmware:
+    + Updated Microcodes:
+      sig 0x00600f20, patch id 0x0600084f, 2016-01-25
+    + This microcode updates fixes a critical erratum on NMI handling
+      introduced by microcode patch id 0x6000832 from the 20141028 update.
+      The erratum is also present on microcode patch id 0x6000836.
+    + THIS IS A CRITICAL STABILITY AND SECURITY UPDATE FOR THE EARLIER
+      AMD PILEDRIVER PROCESSORS, including:
+      + AMD Opteron 3300, 4300, 6300
+      + AMD FX "Vishera" (43xx, 63xx, 83xx, 93xx, 95xx)
+      + AMD processors with family 21, model 2, stepping 0
+  * Robert Święcki, while fuzzing the kernel using the syzkaller tool,
+    uncovered very strange behavior on an AMD FX-8320, later reproduced on
+    other AMD Piledriver model 2, stepping 0 processors including the Opteron
+    6300.  Robert discovered, using his proof-of-concept exploit code, that
+    the incorrect behavior allows an unpriviledged attacker on an unpriviledged
+    VM to corrupt the return stack of the host kernel's NMI handler.  At best,
+    this results in unpredictable host behavior.  At worst, it allows for an
+    unpriviledged user on unpriviledged VM to carry a sucessful host-kernel
+    ring 0 code injection attack.
+  * The erratum is timing-dependant, easily triggered by workloads that
+    cause a high number of NMIs, such as running the "perf" tool.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Sat, 19 Mar 2016 19:10:20 -0300
+
 amd64-microcode (1.20141028.1) stable; urgency=medium
 
   * Upstream release 20141028 built from linux-firmware
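
Review bot: The new changelog entry writes the microcode patch ids at inconsistent widths: `0x0600084f` for the fixed revision, but `0x6000832` and `0x6000836` for the affected ones. Zero-pad all three to eight hex digits so that an administrator searching the changelog for a revision finds every mention in one form. The same entry has spelling slips worth fixing before upload: "unpriviledged" (repeated in the Robert Święcki paragraph), "sucessful", "timing-dependant", and "This microcode updates fixes".
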
Binary files /tmp/LkCOI20qcl/amd64-microcode-1.20141028.1/microcode_amd_fam15h.bin and /tmp/SRBRsoU9Tp/amd64-microcode-1.20160316.1/microcode_amd_fam15h.bin differ
diff -Nru amd64-microcode-1.20141028.1/microcode_amd_fam15h.bin.asc amd64-microcode-1.20160316.1/microcode_amd_fam15h.bin.asc
--- amd64-microcode-1.20141028.1/microcode_amd_fam15h.bin.asc	2015-01-14 11:56:07.000000000 -0200
+++ amd64-microcode-1.20160316.1/microcode_amd_fam15h.bin.asc	2016-03-19 19:06:27.000000000 -0300
@@ -1,11 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
-iQEcBAABAgAGBQJUTqLvAAoJEOS+UznzKK5zyaIIAKZcXmU+sBO4YGH5Aq2SdRYe
-rlwE5oeYNh+AdzzLm9EqHwSC+MciFI7HqQz8PvKAsfaoD17mQjonIXga8l2/w3OW
-/vIJjJnu9QB2C9XpjAiQCxS5QaMtIfEEjVld+MeHs6Ld3PwGuAXCkxKcJ2sHLZd3
-UcwwHxcm98KYouogjVZoJeb226cjz6fzUVJK9t9yi2S+SWmIvkjSZEI6W0WFoFCL
-x0jM7lFNcusGtg5K6UsyAdwPwvfbBN5FoV29/DaP+/HA4GP/W/cgbQxS72skDJg5
-c/icP0ntAND2iprtTQXF9//mWdX2FLYD55eu+pShZmO8t4Qvq4tJgiVz3hJiK+U=
-=KBP3
+iQEcBAABAgAGBQJW6d1MAAoJEOS+UznzKK5zSxkH+gJLffKGRM9BHe0D0/fkb0Gs
+FZVp0eUNREOQoYwHJq9Ms1RebaZJkaUnd8SXCODJrqxDsxqUgunUtP6Qfh3Ru6fV
+n0wgFVISKSQVLDP+I/ANFbWA2KhV5e4LuLQp5cDSItv6916kmNlM5kxtJ5QBrNXu
+kr5bNReYgYTl7PSoCPuPfVILToG0ltZQMdKI1GImRCMVrYjGMbv8EyUC3r8ZbChG
+Lv6K0AsULA81lXBAW0JYlxu6cNv1MJ3mxttwCswaJNcd+Y11ZQA8r2sjJoWbNSlS
+nsDPLsUKE/RsW9MlMxiI2Jqo9PrZz923bu/cWMU1FPp+cJII0T7idWGUTVhQjc8=
+=MTxP
 -----END PGP SIGNATURE-----
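
Review bot: The detached signature body is replaced wholesale here while the file it covers appears only as "Binary files ... differ", so nothing in this debdiff lets a reviewer confirm that the new `microcode_amd_fam15h.bin.asc` actually verifies against the new `microcode_amd_fam15h.bin`. Before accepting, run `gpg --verify microcode_amd_fam15h.bin.asc microcode_amd_fam15h.bin` on the unpacked source and state the result and the signing key fingerprint in the request, so the check is on record for the release team.
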
diff -Nru amd64-microcode-1.20141028.1/README amd64-microcode-1.20160316.1/README
--- amd64-microcode-1.20141028.1/README	2015-01-14 11:56:07.000000000 -0200
+++ amd64-microcode-1.20160316.1/README	2016-03-19 19:06:27.000000000 -0300
@@ -1,5 +1,19 @@
 This amd64-microcode release was based on the linux-firmware tree.
 
+From: Sherry Hurwitz <sherry.hurwitz@amd.com>
+Subject: [PATCH 1/1] linux-firmware: Update AMD microcode patch firmware
+Date: 2016-03-17 06:56:11 GMT
+
+    linux-firmware: Update AMD microcode patch firmware
+
+    For AMD Family 15h Processors to fix bugs in prior microcode patch
+    file: amd-ucode/microcode_amd_fam15h.bin
+    md5sum: 2384ef1d8ec8ca3930b62d82ea5a3813
+
+    Version: 2016_03_16
+
+    Signed-off-by: Sherry Hurwitz <sherry.hurwitz@amd.com>
+
 commit 8ac569dd3ca3ca685bd47ee86c1eeb6050864db3
 Author: Sherry Hurwitz <sherry.hurwitz@amd.com>
 Date:   Thu Nov 6 19:38:26 2014 -0600
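
Review bot: The only integrity value the added README text records for `amd-ucode/microcode_amd_fam15h.bin` is the `md5sum:` line, and MD5 is not collision-resistant, so it is a weak reference for a binary that the changelog calls a critical security update. Suggest adding a SHA-256 of the shipped file next to it. The quoted upstream message also says only "to fix bugs in prior microcode patch"; a one-line pointer to the changelog entry that names the affected and fixed patch ids would help anyone reading the README on its own.
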

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

--- End Message ---
--- Begin Message ---
Version: 7.10

Hi,

The updates referenced in these bugs were included in today's wheezy
point release.

Regards,

Adam

--- End Message ---
