CVE-2019-11190 and CVE-2019-11191 are two vulnerabilities of the same
type that affect elf and a.out binaries respectively. The elf code was
fixed long ago, but the upstream fix for binfmt_aout.c doesn't
seem to be available yet.

We should simply drop support for a.out in our kernels since it is an
ancient format and its deprecation is already underway in the mainline
kernel [1]. (Almost everyone uses elf these days.)

So unset CONFIG_IA32_AOUT from linux-aws's kernel config.

[1]. https://github.com/torvalds/linux/commit/08300f4402abc0eb3bc9c91b27a529836710d32d
Change-Id: I664194422144ccbc0c19362ed4828a65f9791048
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/7287
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Srinidhi Rao <srinidhir@vmware.com>
(cherry picked from commit 76e4835b017fa33399ae1c2f374f4a06e0840b61)
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/7320
Reviewed-by: Srivatsa S. Bhat <srivatsab@vmware.com>
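
The mitigation in the commit message above is a config change, so it can be verified on a built or installed kernel by auditing its config file. The script below is an added example, not part of the commit or of the Photon tree; the function names are hypothetical, and checking CONFIG_BINFMT_AOUT (the native a.out loader symbol) in addition to CONFIG_IA32_AOUT is an assumption that goes beyond what this commit touches.

```shell
#!/bin/sh
# Added example (not from the commit): audit a kernel config file for
# a.out binary-format support.

# Print how config file $1 sets Kconfig symbol $2:
#   builtin (=y), module (=m), not-set ("# SYM is not set"), absent,
#   or unreadable when the file cannot be read.
kconfig_state() {
    if [ ! -r "$1" ]; then
        echo unreadable
    elif grep -qxF "$2=y" "$1"; then
        echo builtin
    elif grep -qxF "$2=m" "$1"; then
        echo module
    elif grep -qxF "# $2 is not set" "$1"; then
        echo not-set
    else
        echo absent
    fi
}

# Report each a.out symbol in config file $1. Returns 0 only when the file
# is readable and no a.out loader is built in or built as a module.
audit_aout() {
    rc=0
    # CONFIG_IA32_AOUT is the symbol this commit unsets. CONFIG_BINFMT_AOUT
    # is checked as well (assumption: not mentioned in the commit).
    for sym in CONFIG_IA32_AOUT CONFIG_BINFMT_AOUT; do
        state=$(kconfig_state "$1" "$sym")
        echo "$sym: $state"
        case $state in
            builtin|module|unreadable) rc=1 ;;
        esac
    done
    return $rc
}
```

Call `audit_aout` with the path to the kernel's config file; a non-zero exit status means an a.out loader is still enabled or the file could not be read.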
... | ... |
@@ -1,6 +1,6 @@ |
1 | 1 |
# |
2 | 2 |
# Automatically generated file; DO NOT EDIT. |
3 |
-# Linux/x86 4.19.26 Kernel Configuration |
|
3 |
+# Linux/x86 4.19.40 Kernel Configuration |
|
4 | 4 |
# |
5 | 5 |
|
6 | 6 |
# |
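Review bot: The header comment moving from 4.19.26 to 4.19.40 is not mentioned in the commit message, which describes only unsetting CONFIG_IA32_AOUT. Since the file is marked as automatically generated, say in the message that the config was regenerated against 4.19.40 (the Version already in the spec file), so a reader can tell the header change is incidental and that CONFIG_IA32_AOUT is the only symbol intended to change.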
... | ... |
@@ -626,7 +626,7 @@ CONFIG_AMD_NB=y |
626 | 626 |
# Binary Emulations |
627 | 627 |
# |
628 | 628 |
CONFIG_IA32_EMULATION=y |
629 |
-CONFIG_IA32_AOUT=m |
|
629 |
+# CONFIG_IA32_AOUT is not set |
|
630 | 630 |
# CONFIG_X86_X32 is not set |
631 | 631 |
CONFIG_COMPAT_32=y |
632 | 632 |
CONFIG_COMPAT=y |
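Review bot: The commit message does not record that CONFIG_IA32_AOUT was previously `=m`, meaning a.out support shipped as a loadable module rather than built in, which is what someone assessing exposure on the earlier release needs to know. One sentence in the message would cover it. It is also worth stating that CONFIG_IA32_EMULATION=y is left unchanged in the context lines, so this change removes only the a.out loader and 32-bit emulation stays enabled.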
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-aws |
4 | 4 |
Version: 4.19.40 |
5 |
-Release: 2%{?kat_build:.%kat_build}%{?dist} |
|
5 |
+Release: 3%{?kat_build:.%kat_build}%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -360,6 +360,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg |
360 | 360 |
%{_libdir}/perf/include/bpf/* |
361 | 361 |
|
362 | 362 |
%changelog |
363 |
+* Thu May 23 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.40-3 |
|
364 |
+- Fix CVE-2019-11191 by deprecating a.out file format support. |
|
363 | 365 |
* Tue May 14 2019 Keerthana K <keerthanak@vmware.com> 4.19.40-2 |
364 | 366 |
- Fix to parse through /boot folder and update symlink (/boot/photon.cfg) if |
365 | 367 |
- mulitple kernels are installed and current linux kernel is removed. |
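Review bot: In the new changelog entry, "deprecating" does not match what the config hunk does: CONFIG_IA32_AOUT goes from `=m` to not set, so a.out support is removed from this build, not merely deprecated. Suggest wording such as "- Fix CVE-2019-11191 by disabling a.out support (unset CONFIG_IA32_AOUT)." Also, the address on the new entry differs from the one in the Reviewed-by trailer for the same name; confirm which one is intended for the changelog.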