Bug 9871

Summary: qemu new security issue CVE-2013-1922
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: sysadmin-bugs, tmb
Version: 2
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/548505/
Whiteboard: has_procedure mga2-64-ok mga2-32-ok
Source RPM: qemu-1.2.0-7.mga3.src.rpm
CVE:
Status comment:

Description David Walser 2013-04-26 00:13:32 CEST
Fedora has issued an advisory on April 21:
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/103621.html

Mageia 2 is also affected.

Patch checked into SVN for Mageia 2 and Cauldron.

Currently testing a Cauldron build locally before asking for a freeze push.

Will submit the Mageia 2 build once it's available in Cauldron.

David Walser 2013-04-26 00:13:41 CEST

Whiteboard: (none) => MGA2TOO

Comment 1 David Walser 2013-04-26 16:28:40 CEST
Patched packages uploaded for Mageia 2 and Cauldron.

Advisory:
========================

Updated qemu packages fix security vulnerability:

A security flaw was found in the way qemu-nbd, the QEMU Disk Network Block
Device server tool of QEMU, performed detection of image formats (the image
format has been previously autodetected). A guest operating system
administrator could write a header to particular raw disk image format,
describing another format than original one for that disk image, leading to
scenario in which after restart of that guest, QEMU would detect new format
of the image, and could allow the guest to read any file on the host if QEMU
was sufficiently privileged (CVE-2013-1922).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1922
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/103621.html
========================

Updated packages in core/updates_testing:
========================
qemu-1.0-6.4.mga2
qemu-img-1.0-6.4.mga2

from qemu-1.0-6.4.mga2.src.rpm

Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO => (none)
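
The advisory in comment 1 describes a raw image whose first bytes carry another format's header, so that autodetection picks the wrong format. The following audit check is an added example, not part of this bug report or of the QEMU or Mageia code: it flags files that are supposed to be raw but begin with a known image-format magic. The function names, file names and the (non-exhaustive) magic table are assumptions of the example, and the sample images are constructed.

```python
import os
import struct
import tempfile

# Leading magic bytes of some non-raw image formats (subset, not exhaustive).
MAGICS = {
    b"QFI\xfb": "qcow/qcow2",
    b"KDMV": "vmdk",
    b"QED\x00": "qed",
    b"conectix": "vpc",
}

def probe_declared_raw(path):
    """Return a finding dict if an image that should be raw starts with
    another format's header, otherwise None."""
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, fmt in MAGICS.items():
        if head.startswith(magic):
            finding = {"path": path, "looks_like": fmt, "version": None}
            if fmt == "qcow/qcow2" and len(head) >= 8:
                # qcow headers store a big-endian version right after the magic
                finding["version"] = struct.unpack(">4sI", head[:8])[1]
            return finding
    return None

def scan(paths):
    """Probe every path and keep only the suspicious ones."""
    return [f for f in map(probe_declared_raw, paths) if f]

def _write(dirname, name, data):
    path = os.path.join(dirname, name)
    with open(path, "wb") as f:
        f.write(data)
    return path

def demo():
    """Constructed sample: three 'raw' images, one starting with a qcow2 magic."""
    with tempfile.TemporaryDirectory() as d:
        clean = _write(d, "clean.raw", b"\x00" * 512)
        short = _write(d, "short.raw", b"QF")  # truncated file, must not match
        flagged = _write(d, "guest.raw",
                         struct.pack(">4sI", b"QFI\xfb", 2) + b"\x00" * 504)
        return [(os.path.basename(f["path"]), f["looks_like"], f["version"])
                for f in scan([clean, short, flagged])]

if __name__ == "__main__":
    print(demo())
```

A flagged image should be served with its format stated explicitly rather than left to autodetection.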

Comment 2 claire robinson 2013-04-30 19:18:38 CEST
Procedure: https://bugs.mageia.org/show_bug.cgi?id=6694#c3

Whiteboard: (none) => has_procedure

Comment 3 claire robinson 2013-04-30 20:46:43 CEST
Testing complete mga2 64

IIUC we don't have nbd-client in mga2, so although we can serve the image there is nothing to connect it with. E.g. http://blogs.gnome.org/muelli/2010/03/mounting-qemu-qcow2-image-using-nbd/

$ qemu-nbd -p 1024 mageia.qcow2 &
[1] 16727

# netstat -pant | grep 1024
tcp   0    0 0.0.0.0:1024    0.0.0.0:*     LISTEN      16727/qemu-nbd

All other tests ok.

Whiteboard: has_procedure => has_procedure mga2-64-ok

Comment 4 claire robinson 2013-05-01 14:51:27 CEST
Testing mga2 32

Comment 5 claire robinson 2013-05-01 16:25:22 CEST
Testing complete mga2 32

Validating

Advisory & SRPM in comment 1

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok mga2-32-ok
CC: (none) => sysadmin-bugs

Comment 6 Thomas Backlund 2013-05-02 19:32:27 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0134

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED