Hello, I get this when making a new virtual machine using virt-manager. 'unsupported configuration: USB redirection is not supported by this version of QEMU' Looking into the qemu-1.6.2 source and the ./configure file you see: # check for usbredirparser for usb network redirection support if test "$usb_redir" != "no" ; then if $pkg_config --atleast-version=0.6 libusbredirparser-0.5 >/dev/null 2>&1 ; then usb_redir="yes" usb_redir_cflags=$($pkg_config --cflags libusbredirparser-0.5 2>/dev/null) usb_redir_libs=$($pkg_config --libs libusbredirparser-0.5 2>/dev/null) QEMU_CFLAGS="$QEMU_CFLAGS $usb_redir_cflags" libs_softmmu="$libs_softmmu $usb_redir_libs" else if test "$usb_redir" = "yes"; then feature_not_found "usb-redir" fi usb_redir="no" fi fi So, either bump (again) usbredir to 0.6 and recompile qemu-1.6.2 against it or revert the usbredir 0.5 API changes in qemu-1.6.2. I found there's a patch for that (patch -R) named "kvm-usb-redir-Convert-to-new-libusbredirparser-0.5-API.patch", but I have not tried that. [oden@localhost ~]$ ldd /usr/bin/qemu-* | grep usbredir [oden@localhost ~]$ Locally built qemu-1.6.2 with usbredir 0.6: [oden@localhost ~]$ ldd /usr/bin/qemu-* | grep usbredir libusbredirparser.so.1 => /lib64/libusbredirparser.so.1 (0x00007f3c68d55000) [...] Cheers. Reproducible: Steps to Reproduce:
Thanks Oden! Advisory: ---------------------------------------- The qemu update in MGASA-2014-0426 did not have USB redirection support because Qemu 1.6.2 requires an updated libusbredirparser library. This update has been built against the updated usbredirparser library. References: http://advisories.mageia.org/MGASA-2014-0426.html ---------------------------------------- Updated packages in core/updates_testing: ---------------------------------------- usbredir-0.6-1.mga4 libusbredirhost1-0.6-1.mga4 libusbredirhost-devel-0.6-1.mga4 libusbredirparser1-0.6-1.mga4 libusbredirparser-devel-0.6-1.mga4 usbredir-devel-0.6-1.mga4 qemu-1.6.2-1.3.mga4 qemu-img-1.6.2-1.3.mga4 from SRPMS: usbredir-0.6-1.mga4.src.rpm qemu-1.6.2-1.3.mga4.src.rpm
Assignee: bugsquad => qa-bugsSeverity: major => normal
Debian has issued an advisory today (November 6): https://lists.debian.org/debian-security-announce/2014/msg00254.html The DSA will eventually be posted here: https://www.debian.org/security/2014/dsa-3066 They fixed two security issues, CVE-2014-3689 and CVE-2014-7815. Fedora has also fixed those in git in these commits for qemu 1.6.2 in Fedora 20 and qemu 2.1.2 in Fedora 21: http://pkgs.fedoraproject.org/cgit/qemu.git/commit/?h=f20&id=1369de9828d30fbe0a30e93dc4862056dd2c39b3 http://pkgs.fedoraproject.org/cgit/qemu.git/commit/?h=f21&id=725f84b743630e6b365b79d4d5272427ecb6150b I've synced the patches from Fedora and submitted new builds in Mageia 4 and Cauldron. Fedora's updates are still in testing, but I'd like to add their advisory URLs in the advisory once they are released. For now I'll just use the DSA link. Advisory: ======================== Updated qemu packages fix security vulnerabilities: The Advanced Threat Research team at Intel Security reported that guest provided parameter were insufficiently validated in rectangle functions in the vmware-vga driver. A privileged guest user could use this flaw to write into qemu address space on the host, potentially escalating their privileges to those of the qemu host process (CVE-2014-3689). James Spadaro of Cisco reported insufficiently sanitized bits_per_pixel from the client in the QEMU VNC display driver. An attacker having access to the guest's VNC console could use this flaw to crash the guest (CVE-2014-7815). Additionally, the qemu update in MGASA-2014-0426 did not have USB redirection support because Qemu 1.6.2 requires an updated libusbredirparser library. This update has been built against the updated usbredirparser library. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3689 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7815 http://advisories.mageia.org/MGASA-2014-0426.html https://www.debian.org/security/2014/dsa-3066 ======================== Updated packages in core/updates_testing: ======================== usbredir-0.6-1.mga4 libusbredirhost1-0.6-1.mga4 libusbredirhost-devel-0.6-1.mga4 libusbredirparser1-0.6-1.mga4 libusbredirparser-devel-0.6-1.mga4 usbredir-devel-0.6-1.mga4 qemu-1.6.2-1.4.mga4 qemu-img-1.6.2-1.4.mga4 from SRPMS: usbredir-0.6-1.mga4.src.rpm qemu-1.6.2-1.4.mga4.src.rpm
Summary: Regression in qemu with MGASA-2014-0426 => qemu new security issues CVE-2014-3689 and CVE-2014-7815Component: RPM Packages => SecurityQA Contact: (none) => securitySource RPM: qemu => qemu-1.6.2-1.2.mga4.src.rpmSeverity: normal => major
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=13096#c34 If you want to test more than that, you can also see https://bugs.mageia.org/show_bug.cgi?id=6694#c3
CC: (none) => remiHardware: i586 => AllWhiteboard: (none) => has_procedure
URL: (none) => http://lwn.net/Vulnerabilities/619475/
Fedora has issued an advisory for this on November 1: https://lists.fedoraproject.org/pipermail/package-announce/2014-November/143312.html Adding the Fedora advisory to the References. Advisory: ======================== Updated qemu packages fix security vulnerabilities: The Advanced Threat Research team at Intel Security reported that guest provided parameter were insufficiently validated in rectangle functions in the vmware-vga driver. A privileged guest user could use this flaw to write into qemu address space on the host, potentially escalating their privileges to those of the qemu host process (CVE-2014-3689). James Spadaro of Cisco reported insufficiently sanitized bits_per_pixel from the client in the QEMU VNC display driver. An attacker having access to the guest's VNC console could use this flaw to crash the guest (CVE-2014-7815). Additionally, the qemu update in MGASA-2014-0426 did not have USB redirection support because Qemu 1.6.2 requires an updated libusbredirparser library. This update has been built against the updated usbredirparser library. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3689 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7815 http://advisories.mageia.org/MGASA-2014-0426.html https://www.debian.org/security/2014/dsa-3066 https://lists.fedoraproject.org/pipermail/package-announce/2014-November/143312.html ======================== Updated packages in core/updates_testing: ======================== usbredir-0.6-1.mga4 libusbredirhost1-0.6-1.mga4 libusbredirhost-devel-0.6-1.mga4 libusbredirparser1-0.6-1.mga4 libusbredirparser-devel-0.6-1.mga4 usbredir-devel-0.6-1.mga4 qemu-1.6.2-1.4.mga4 qemu-img-1.6.2-1.4.mga4 from SRPMS: usbredir-0.6-1.mga4.src.rpm qemu-1.6.2-1.4.mga4.src.rpm
Tested in Mageia 4x32 on real Hardware First tested current packages : ----------------------------- qemu-1.6.2-1.2.mga4.i586 - qemu-img-1.6.2-1.2.mga4.i586 - libusb1.0-devel-1.0.17-2.mga4.i586 - libusbredirhost-devel-0.4.3-3.mga4.i586 - libusbredirparser-devel-0.4.3-3.mga4.i586 - usbredir-devel-0.4.3-3.mga4.i586 - libusbredirhost1-0.4.3-3.mga4.i586 - libusbredirparser0-0.4.3-3.mga4.i586 - usbredir-0.4.3-3.mga4.i586 Used procedure mentionned in comment 3 : https://bugs.mageia.org/show_bug.cgi?id=6694#c3 and procedure found here to test usbredir : https://bugs.mageia.org/show_bug.cgi?id=13201#c0 Could create a working virtual machine with mageia4-32 live install, use it, take a snapshot and reload the snapshot. Using qmenu through virtmanager, created another install from same livecd. Tried then to add a usb host device in virtmanager. The guest refused to start complaining : "Erreur lors du démarrage du domaine: internal error: Did not find USB device 18d1:4e21" Then updated to testing packages : -------------------------------- - libusbredirhost-devel-0.6-1.mga4.i586 - libusbredirhost1-0.6-1.mga4.i586 - libusbredirparser-devel-0.6-1.mga4.i586 - libusbredirparser1-0.6-1.mga4.i586 - qemu-1.6.2-1.4.mga4.i586 - qemu-img-1.6.2-1.4.mga4.i586 - usbredir-0.6-1.mga4.i586 - usbredir-devel-0.6-1.mga4.i586 Could re-use the 2 guest previously created. To be sure, installed 2 new virtual machine, one with qmenu command line, the other through virt-manager. Both performed well, I was able to take snapshots and reload them. Through virt-manager, added a usb host device. This time, I could reboot the guest with no complaint. However, in the guest, $ lsusb didn't return the usb device which was plugged in. Tried to plug it out, then back to no avail. Maybe there is another step to take which I don't know.
CC: (none) => olchal
Ubuntu has issued an advisory today (November 13): http://www.ubuntu.com/usn/usn-2409-1/ CVE-2014-5388 was introduced in 1.7, so we're not affected. CVE-2014-5263 is a minor issue, but as we've not OK'd this update yet, I've included the upstream patch to fix it. The other CVEs were fixed in either our previous update or this one already. LWN reference: http://lwn.net/Vulnerabilities/620335/ Advisory: ======================== Updated qemu packages fix security vulnerabilities: The Advanced Threat Research team at Intel Security reported that guest provided parameter were insufficiently validated in rectangle functions in the vmware-vga driver. A privileged guest user could use this flaw to write into qemu address space on the host, potentially escalating their privileges to those of the qemu host process (CVE-2014-3689). It was discovered that QEMU incorrectly handled USB xHCI controller live migration. An attacker could possibly use this issue to cause a denial of service, or possibly execute arbitrary code (CVE-2014-5263). James Spadaro of Cisco reported insufficiently sanitized bits_per_pixel from the client in the QEMU VNC display driver. An attacker having access to the guest's VNC console could use this flaw to crash the guest (CVE-2014-7815). Additionally, the qemu update in MGASA-2014-0426 did not have USB redirection support because Qemu 1.6.2 requires an updated libusbredirparser library. This update has been built against the updated usbredirparser library. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3689 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5263 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7815 http://advisories.mageia.org/MGASA-2014-0426.html https://www.debian.org/security/2014/dsa-3066 http://www.ubuntu.com/usn/usn-2409-1/ https://lists.fedoraproject.org/pipermail/package-announce/2014-November/143312.html ======================== Updated packages in core/updates_testing: ======================== usbredir-0.6-1.mga4 libusbredirhost1-0.6-1.mga4 libusbredirhost-devel-0.6-1.mga4 libusbredirparser1-0.6-1.mga4 libusbredirparser-devel-0.6-1.mga4 usbredir-devel-0.6-1.mga4 qemu-1.6.2-1.5.mga4 qemu-img-1.6.2-1.5.mga4 from SRPMS: usbredir-0.6-1.mga4.src.rpm qemu-1.6.2-1.5.mga4.src.rpm
Testing complete mga4 64 Before ------ Confirmed the problem with USB redirection. Using virt-manager (similar to vbox). To use this you should first start the libvirtd service. Create the machine and start it, display the hardware details and click at the bottom to Add Hardware. You can add USB Redirection in there. When the machine is reset/restarted it will attempt to add USB redirection and the machine will fail to start.. Error starting domain: unsupported configuration: USB redirection is not supported by this version of QEMU After ----- Restarted virt-manager and viewed the hardware settings again, noted the addition of Redirected USB at the bottom. Also in the machine menu "Virtual Machine" there is now an option for USB Redirection which allows USB devices connected to the host to be redirected to the running guest.
Whiteboard: has_procedure => has_procedure mga4-64-ok
Testing complete Mageia 4 i586. Used virt-manager to create a new VM based on a VMDK disk from a Virtualbox VM I had originally created by exporting from VMWare.
Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-32-ok mga4-64-ok
Validating, advisory uploaded.
Keywords: (none) => validated_updateWhiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure mga4-32-ok mga4-64-ok advisoryCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0467.html
Status: NEW => RESOLVEDResolution: (none) => FIXED