Bug 12494

Summary: qemu new security issue CVE-2013-4377
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: rverschelde, stormi-mageia, sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/583678/
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK advisory
Source RPM: qemu-1.6.1-2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-01-31 19:49:51 CET 
Ubuntu has issued an advisory on January 30:
http://www.ubuntu.com/usn/usn-2092-1/

This issue was *not* fixed in 1.6.2, though the release announcement is here:
http://lists.nongnu.org/archive/html/qemu-stable/2013-12/msg00148.html

It was, however, fixed in this Fedora commit with patches 106-116:
http://pkgs.fedoraproject.org/cgit/qemu.git/commit/?h=f20&id=2983660f65e196adaefdadc807effe9c1af85cb3

The version in Mageia 3 is too old to be affected, so only Mageia 4 is.

Reproducible: 

Steps to Reproduce:
David Walser 2014-01-31 19:50:01 CET

Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2014-02-05 22:00:51 CET 
Updated and patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated qemu packages fix security vulnerability:

Sibiao Luo discovered that QEMU incorrectly handled device hot-unplugging.
A local user could possibly use this flaw to cause a denial of service
(CVE-2013-4377).

Additionally, qemu has been updated to 1.6.2, fixing several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4377
http://lists.nongnu.org/archive/html/qemu-stable/2013-12/msg00148.html
http://www.ubuntu.com/usn/usn-2092-1/
========================

Updated packages in core/updates_testing:
========================
qemu-1.6.2-1.mga4
qemu-img-1.6.2-1.mga4

from qemu-1.6.2-1.mga4

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO => (none)

Comment 2 Samuel Verschelde 2014-02-10 19:59:09 CET 
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=6694#c3

CC: (none) => stormi
Whiteboard: (none) => has_procedure

Comment 3 Rémi Verschelde 2014-02-10 22:50:08 CET 
Testing complete on Mageia 4 i586, following the procedure linked in comment 2.
No regressions found.

CC: (none) => remi
Whiteboard: has_procedure => has_procedure MGA4-32-OK

Comment 4 Manuel Hiebel 2014-02-11 18:45:00 CET 
Using above procedure, everything ok.
Someone with commit right can upload advisory and validate.

Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Manuel Hiebel 2014-02-11 18:45:44 CET

Hardware: i586 => All

Comment 5 Rémi Verschelde 2014-02-12 09:39:33 CET 
Validating update.

Advisory uploaded, could a sysadmin push the update to core/updates for Mageia 4? Thanks!

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK advisory
CC: (none) => sysadmin-bugs

Comment 6 Thomas Backlund 2014-02-12 18:46:41 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0060.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED