| Summary: | qemu-kvm new security issue CVE-2012-3515 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | critical | ||
| Priority: | Normal | CC: | davidwhodgins, sysadmin-bugs, thierry.vignaud, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/514963/ | ||
| Whiteboard: | MGA1TOO MGA2-64-OK has_procdure MGA2-32-OK MGA1-64-OK MGA1-32-OK | ||
| Source RPM: | qemu | CVE: | |
| Status comment: | |||
|
Description
David Walser
2012-09-05 22:13:43 CEST
Failed build log: http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20120905195217.luigiwalser.valstar.22046/log/qemu-1.0-8.mga3/build.0.20120905195314.log
David Walser
2012-09-05 22:16:10 CEST
Version:
2 =>
Cauldron
David Walser
2012-09-05 22:56:57 CEST
CC:
(none) =>
tmb Thierry has updated to 1.2.0 in Cauldron to fix this (hopefully it builds :o). Thanks Thierry. CC:
(none) =>
thierry.vignaud Cauldron build succeeded. Version:
Cauldron =>
2 Patched packages uploaded for Mageia 1 and Mageia 2. Advisory: ======================== Updated qemu-kvm packages fix security vulnerability: A flaw was found in the way QEMU handled VT100 terminal escape sequences when emulating certain character devices. A guest user with privileges to write to a character device that is emulated on the host using a virtual console back-end could use this flaw to crash the qemu-kvm process on the host or, possibly, escalate their privileges on the host (CVE-2012-3515). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3515 https://rhn.redhat.com/errata/RHSA-2012-1234.html ======================== Updated packages in core/updates_testing: ======================== qemu-0.14.0-5.3.mga1 qemu-img-0.14.0-5.3.mga1 qemu-1.0-6.2.mga2 qemu-img-1.0-6.2.mga2 from SRPMS: qemu-0.14.0-5.3.mga1.src.rpm qemu-1.0-6.2.mga2.src.rpm Assignee:
bugsquad =>
qa-bugs
David Walser
2012-09-06 00:11:37 CEST
Severity:
normal =>
critical Testing complete on Mageia 2 x86-64. Testing using the procedure at https://bugs.mageia.org/show_bug.cgi?id=6694#c3 I again had to use the divider=10 kernel option, when booting the kernel in the installer, to allow the mkinitrd to finish in under 10 minutes, as per bug 44. I did run into problems booting into the installation after it was installed, as it stops after mounting /home, but that is more likely a Mageia 3, or lack of firmware problem, as I used the Mageia 3 alpha 1 iso, for the installation. qemu is so much slower than VirtualBox. I have the kvm module loaded, but that doesn't seem to make any difference. Any suggestions on how to speed things up for further tests? As it is, even on my new system, it's painfully slow. CC:
(none) =>
davidwhodgins Btw, the actual command I'm using to run the installed image is qemu-system-i386 -hda mageia.qcow2 -boot d -net nic -net user -m 2048 -localtime Testing complete. Could someone from the sysadmin team push the srpm qemu-1.0-6.2.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates and the srpm qemu-0.14.0-5.3.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates. Advisory: Updated qemu-kvm packages fix security vulnerability: A flaw was found in the way QEMU handled VT100 terminal escape sequences when emulating certain character devices. A guest user with privileges to write to a character device that is emulated on the host using a virtual console back-end could use this flaw to crash the qemu-kvm process on the host or, possibly, escalate their privileges on the host (CVE-2012-3515). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3515 https://rhn.redhat.com/errata/RHSA-2012-1234.html https://bugs.mageia.org/show_bug.cgi?id=7367 Keywords:
(none) =>
validated_update Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0263 Status:
NEW =>
RESOLVED |