linux-aws: Deprecate a.out file format support to fix CVE-2019-11191

CVE-2019-11190 and CVE-2019-11191 are two vulnerabilities of the same type that affect elf and a.out binaries respectively. The elf code has been fixed long ago, but the upstream fix for binfmt_aout.c doesn't seem to be available yet. We should simply drop support for a.out in our kernels since it is an ancient format and its deprecation is already underway in mainline kernel [1]. (Almost everyone uses elf these days.) So unset CONFIG_IA32_AOUT from linux-aws's kernel config. [1]. torvalds/linux@08300f4 Change-Id: I664194422144ccbc0c19362ed4828a65f9791048 Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/7287 Tested-by: gerrit-photon <[email protected]> Reviewed-by: Srinidhi Rao <[email protected]> (cherry picked from commit 76e4835) Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/7320 Reviewed-by: Srivatsa S. Bhat <[email protected]>
heri99123 · May 28, 2019 · cf9c892 · cf9c892
1 parent 9ed0761
commit cf9c892
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 3 deletions.
diff --git a/SPECS/linux/config-aws b/SPECS/linux/config-aws
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.19.26 Kernel Configuration
+# Linux/x86 4.19.40 Kernel Configuration
 #
 
 #
@@ -626,7 +626,7 @@ CONFIG_AMD_NB=y
 # Binary Emulations
 #
 CONFIG_IA32_EMULATION=y
-CONFIG_IA32_AOUT=m
+# CONFIG_IA32_AOUT is not set
 # CONFIG_X86_X32 is not set
 CONFIG_COMPAT_32=y
 CONFIG_COMPAT=y

diff --git a/SPECS/linux/linux-aws.spec b/SPECS/linux/linux-aws.spec
@@ -2,7 +2,7 @@
 Summary:        Kernel
 Name:           linux-aws
 Version:        4.19.40
-Release:        2%{?kat_build:.%kat_build}%{?dist}
+Release:        3%{?kat_build:.%kat_build}%{?dist}
 License:    	GPLv2
 URL:        	http://www.kernel.org/
 Group:        	System Environment/Kernel
@@ -360,6 +360,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg
 %{_libdir}/perf/include/bpf/*
 
 %changelog
+*   Thu May 23 2019 Srivatsa S. Bhat (VMware) <[email protected]> 4.19.40-3
+-   Fix CVE-2019-11191 by deprecating a.out file format support.
 *   Tue May 14 2019 Keerthana K <[email protected]> 4.19.40-2
 -   Fix to parse through /boot folder and update symlink (/boot/photon.cfg) if
 -   mulitple kernels are installed and current linux kernel is removed.