From 3d93b18d2615522f0cb8e4d95c74f14f6a3b60fc Mon Sep 17 00:00:00 2001
From: Laura Abbott
Date: Wed, 20 Nov 2019 12:46:22 -0500
Subject: Drop the Fedora checks around pesign Now that we are packaging the certificates, there's no reason to have the extra check. pesign will take care of doing the right thing behind the scenes
---
kernel.spec | 4 ---- 1 file changed, 4 deletions(-) (limited to 'kernel.spec')
diff --git a/kernel.spec b/kernel.spec
index ef0c936c1..3cf27d74a 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -1600,12 +1600,8 @@ BuildKernel() { fi %ifarch x86_64 aarch64
- %if 0%{?fedora}
- %pesign -s -i $KernelImage -o vmlinuz.signed
- %else
 %pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca} -c %{secureboot_key} -n %{pesign_name} %endif
- %endif
 %ifarch s390x ppc64le if [ -x /usr/bin/rpm-sign ]; then rpm-sign --key "%{pesign_name}" --lkmsign $SignImage --output vmlinuz.signed
-- cgit
From 222e96a09b3d8f5870a1d3b2fe03975eb3d80079 Mon Sep 17 00:00:00 2001
From: Laura Abbott
Date: Wed, 20 Nov 2019 12:55:02 -0500
Subject: bump and build to check the pesign
---
kernel.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'kernel.spec')
diff --git a/kernel.spec b/kernel.spec
index 3cf27d74a..c88f199a5 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -77,7 +77,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" #
-%global baserelease 1
+%global baserelease 2
 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching
@@ -2508,6 +2508,9 @@ fi # # %changelog
+* Wed Nov 20 2019 Laura Abbott - 5.4.0-0.rc8.git0.2
+- bump and build to check the pesign
+
 * Mon Nov 18 2019 Jeremy Cline - 5.4.0-0.rc8.git0.1 - Linux v5.4-rc8
-- cgit
From a1f67e60efa2670e838eea326fdbeff87808482a Mon Sep 17 00:00:00 2001
From: "Justin M. Forbes"
Date: Thu, 21 Nov 2019 14:25:24 -0600
Subject: Fix a bunch of CVEs
---
kernel.spec | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) (limited to 'kernel.spec')
diff --git a/kernel.spec b/kernel.spec
index c88f199a5..31da1c149 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -810,6 +810,46 @@ Patch504: 0001-mm-kmemleak-skip-late_init-if-not-skip-disable.patch # https://lkml.org/lkml/2019/8/29/1772 Patch505: ARM-fix-__get_user_check-in-case-uaccess_-calls-are-not-inlined.patch
+# CVE-2019-19071 rhbz 1774949 1774950
+Patch509: rsi-release-skb-if-rsi_prepare_beacon-fails.patch
+
+# CVE-2019-19070 rhbz 1774957 1774958
+Patch510: spi-gpio-prevent-memory-leak-in-spi_gpio_probe.patch
+
+# CVE-2019-19068 rhbz 1774963 1774965
+Patch511: rtl8xxxu-prevent-leaking-urb.patch
+
+# CVE-2019-19043 rhbz 1774972 1774973
+Patch512: net-next-v2-9-9-i40e-prevent-memory-leak-in-i40e_setup_macvlans.patch
+
+# CVE-2019-19066 rhbz 1774976 1774978
+Patch513: scsi-bfa-release-allocated-memory-in-case-of-error.patch
+
+# CVE-2019-19046 rhbz 1774988 1774989
+Patch514: ipmi-Fix-memory-leak-in-__ipmi_bmc_register.patch
+
+# CVE-2019-19050 rhbz 1774998 1775002
+# CVE-2019-19062 rhbz 1775021 1775023
+Patch515: crypto-user-fix-memory-leak-in-crypto_reportstat.patch
+
+# CVE-2019-19064 rhbz 1775010 1775011
+Patch516: spi-lpspi-fix-memory-leak-in-fsl_lpspi_probe.patch
+
+# CVE-2019-19063 rhbz 1775015 1775016
+Patch517: rtlwifi-prevent-memory-leak-in-rtl_usb_probe.patch
+
+# CVE-2019-19057 rhbz 1775050 1775051
+Patch520: mwifiex-pcie-Fix-memory-leak-in-mwifiex_pcie_init_evt_ring.patch
+
+# CVE-2019-19053 rhbz 1775956 1775110
+Patch521: rpmsg-char-release-allocated-memory.patch
+
+# CVE-2019-19056 rhbz 1775097 1775115
+Patch522: mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch
+
+# CVE-2019-19054 rhbz 1775063 1775117
+Patch524: media-rc-prevent-memory-leak-in-cx23888_ir_probe.patch
+
 # END OF PATCH DEFINITIONS %endif
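Review bot: The two CVE comments above `Patch515` (CVE-2019-19050 and CVE-2019-19062) point at a single patch whose file name mentions only `crypto_reportstat`, so the spec alone does not show that both leaks are closed. If that file really carries both fixes, record it next to the patch, e.g. `# single patch, fixes both CVEs listed above`; if it does not, CVE-2019-19062 needs its own `PatchNNN:` entry (placeholder number) before the changelog claims it fixed. Separately, the first rhbz id on `Patch521` (1775956) sits well outside the 1774949–1775117 range of every other id in this hunk and may be a mistyped digit; the same value is repeated in the changelog hunk that follows. The patch files are not part of this diff (it is limited to kernel.spec), so both points need checking against the files themselves.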
@@ -2508,6 +2548,22 @@ fi # # %changelog
+* Thu Nov 21 2019 Justin M. Forbes - 5.3.12-300
+- Fix CVE-2019-19071 (rhbz 1774949 1774950)
+- Fix CVE-2019-19070 (rhbz 1774957 1774958)
+- Fix CVE-2019-19068 (rhbz 1774963 1774965)
+- Fix CVE-2019-19043 (rhbz 1774972 1774973)
+- Fix CVE-2019-19066 (rhbz 1774976 1774978)
+- Fix CVE-2019-19046 (rhbz 1774988 1774989)
+- Fix CVE-2019-19050 (rhbz 1774998 1775002)
+- Fix CVE-2019-19062 (rhbz 1775021 1775023)
+- Fix CVE-2019-19064 (rhbz 1775010 1775011)
+- Fix CVE-2019-19063 (rhbz 1775015 1775016)
+- Fix CVE-2019-19057 (rhbz 1775050 1775051)
+- Fix CVE-2019-19053 (rhbz 1775956 1775110)
+- Fix CVE-2019-19056 (rhbz 1775097 1775115)
+- Fix CVE-2019-19054 (rhbz 1775063 1775117)
+
 * Wed Nov 20 2019 Laura Abbott - 5.4.0-0.rc8.git0.2 - bump and build to check the pesign
-- cgit
From 0cb0921c3398cae2c8d8c49aaf41c61c8196be6c Mon Sep 17 00:00:00 2001
From: Jeremy Cline
Date: Fri, 22 Nov 2019 10:00:11 -0500
Subject: Reenable debugging options.
---
kernel.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'kernel.spec')
diff --git a/kernel.spec b/kernel.spec
index 31da1c149..c5c4fc13d 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -191,7 +191,7 @@ Summary: The Linux kernel # Set debugbuildsenabled to 1 for production (build separate debug kernels) # and 0 for rawhide (all kernels are debug kernels). # See also 'make debug' and 'make release'.
-%define debugbuildsenabled 1
+%define debugbuildsenabled 0
 %if 0%{?fedora} # Kernel headers are being split out into a separate package
@@ -2548,6 +2548,9 @@ fi # # %changelog
+* Fri Nov 22 2019 Jeremy Cline
+- Reenable debugging options.
+
 * Thu Nov 21 2019 Justin M. Forbes - 5.3.12-300 - Fix CVE-2019-19071 (rhbz 1774949 1774950) - Fix CVE-2019-19070 (rhbz 1774957 1774958)
-- cgit
From ac3be8bad1d86c6f981fe56ce5897e62bd88074b Mon Sep 17 00:00:00 2001
From: Jeremy Cline
Date: Fri, 22 Nov 2019 10:00:29 -0500
Subject: Linux v5.4-rc8-15-g81429eb8d9ca
---
kernel.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'kernel.spec')
diff --git a/kernel.spec b/kernel.spec
index c5c4fc13d..8e08f5cc1 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -77,7 +77,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" #
-%global baserelease 2
+%global baserelease 1
 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching
@@ -104,7 +104,7 @@ Summary: The Linux kernel # The rc snapshot level %global rcrev 8 # The git snapshot level
-%define gitrev 0
+%define gitrev 1
 # Set rpm version accordingly %define rpmversion 5.%{upstream_sublevel}.0 %endif
@@ -2548,6 +2548,9 @@ fi # # %changelog
+* Fri Nov 22 2019 Jeremy Cline - 5.4.0-0.rc8.git1.1
+- Linux v5.4-rc8-15-g81429eb8d9ca
+
 * Fri Nov 22 2019 Jeremy Cline - Reenable debugging options.
-- cgit
From 97bb52b5db0b55b977f75767aa40ffafaf7289e2 Mon Sep 17 00:00:00 2001
From: Laura Abbott
Date: Fri, 22 Nov 2019 11:01:28 -0500
Subject: bump and build to test new configs
---
kernel.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'kernel.spec')
diff --git a/kernel.spec b/kernel.spec
index 8e08f5cc1..18ee1c17c 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -77,7 +77,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" #
-%global baserelease 1
+%global baserelease 2
 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching
@@ -2548,6 +2548,9 @@ fi # # %changelog
+* Fri Nov 22 2019 Laura Abbott - 5.4.0-0.rc8.git1.2
+- bump and build to test new configs
+
 * Fri Nov 22 2019 Jeremy Cline - 5.4.0-0.rc8.git1.1 - Linux v5.4-rc8-15-g81429eb8d9ca
-- cgit