Re: intel-microcode not fixing CVE-2018-3640, CVE-2018-3615 on Debian 10?

[Michael Stone <mstone@debian.org>]

On Fri, Jan 08, 2021 at 10:48:30PM +0100, Christoph Pflügler wrote:
> On 08.01.21 22:34, Michael Stone wrote:
> > On Fri, Jan 08, 2021 at 09:12:53PM +0100, Christoph Pflügler wrote:
> > > Installing package intel-microcode in Debian 10 (Buster) mitigates 
> > > most vulnerabilities as per spectre-meltdown-checker. However, 
> > > CVE-2018-3640 and CVE-2018-3615 are still displayed as unmitigated 
> > > after reboot, with spectre-meltdown-checker --explain (executed as 
> > > su) pointing to missing microcode upgrades.
> > >
> > > According to the Debian package description of intel-microcode, 
> > > the two vulnerabilities are fixed in the current version of the 
> > > package.
> > >
> > > This occurs in exactly the same way on two different machines, one 
> > > with an i5-3320M CPU and another one with an E3-1235L v5.
> > >
> > > If I remember correctly, I was all green as per 
> > > spectre-meltdown-checker in Debian 9 (Stretch).
> >
> > What version of intel-microcode do you have installed?
> intel-microcode:amd64/buster 3.20200616.1~deb10u1 uptodate, installed 
> from Debian non-free repository

With an E3 v5, linux 4.19.0-13, and intel-microcode 3.20200616.1 the 
checker reports green for those checks on my test system. Do you have 
the latest spectre-meltdown-checker, and are you running it as root? If 
I run the current version as an unprivileged user those checks come up 
red (presumably because it can't read the cpu registers it is trying to 
read).