Ubuntu has issued an advisory today (June 10):
http://www.ubuntu.com/usn/usn-2630-1/

Mageia 4 and Mageia 5 are affected. CVE-2015-3209 is rated as a high severity issue according to Ubuntu.
Whiteboard: (none) => MGA5TOO, MGA4TOO
For Cauldron, I've synced with Fedora 21, which currently has a fix for CVE-2015-4037. A fix for CVE-2015-3209 has not yet been committed, but it sounds like that's pending. It's not clear that they have any intention of fixing CVE-2015-410[3-6], so we may need to use the upstream patches linked from the Ubuntu CVE pages.
CC: (none) => mageia
Assignee: bugsquad => joequant
Debian has issued an advisory for this on June 13: https://www.debian.org/security/2015/dsa-3284
An additional CVE has been assigned (CVE-2015-3214):
http://openwall.com/lists/oss-security/2015/06/17/5

A patch has been submitted upstream.
Summary: qemu new security issues CVE-2015-3209, CVE-2015-4037, and CVE-2015-410[3-6] => qemu new security issues CVE-2015-3209, CVE-2015-3214, CVE-2015-4037, and CVE-2015-410[3-6]
My June 11 sync with Fedora 21 is now checked into Mageia 5 SVN.
Another one (CVE-2015-5158):
http://openwall.com/lists/oss-security/2015/07/23/6
Summary: qemu new security issues CVE-2015-3209, CVE-2015-3214, CVE-2015-4037, and CVE-2015-410[3-6] => qemu new security issues CVE-2015-3209, CVE-2015-3214, CVE-2015-4037, CVE-2015-410[3-6], CVE-2015-5158
(In reply to David Walser from comment #3)
> An additional CVE has been assigned (CVE-2015-3214):
> http://openwall.com/lists/oss-security/2015/06/17/5
>
> A patch has been submitted upstream.

LWN reference:
http://lwn.net/Vulnerabilities/652550/

which also includes another new one, CVE-2015-5154.

RedHat has issued an advisory for this today (July 27):
https://rhn.redhat.com/errata/RHSA-2015-1507.html
Summary: qemu new security issues CVE-2015-3209, CVE-2015-3214, CVE-2015-4037, CVE-2015-410[3-6], CVE-2015-5158 => qemu new security issues CVE-2015-3209, CVE-2015-3214, CVE-2015-4037, CVE-2015-410[3-6], CVE-2015-515[48]
(In reply to David Walser from comment #5)
> Another one (CVE-2015-5158):
> http://openwall.com/lists/oss-security/2015/07/23/6

Ubuntu has issued an advisory for this on July 28:
http://www.ubuntu.com/usn/usn-2692-1

LWN reference:
http://lwn.net/Vulnerabilities/652794/
The qemu in Mageia seems to be too old for CVE-2015-5158. Will patch the other items.
Checked in updates for Mageia 4 and Mageia 5. Did nothing with cauldron, since the version of qemu there is old and it would work best to bump up the version.
CVE request for one more qemu issue:
http://openwall.com/lists/oss-security/2015/08/06/3

I'll look at pushing updates once I have some time to look at it, probably soon.
(In reply to David Walser from comment #10)
> CVE request for one more qemu issue:
> http://openwall.com/lists/oss-security/2015/08/06/3
>
> I'll look at pushing updates once I have some time to look at it, probably
> soon.

Assigned CVE-2015-5745:
http://openwall.com/lists/oss-security/2015/08/06/5

I checked the patch into Mageia 4 and Mageia 5 SVN.
Joseph, I see you checked patches for CVE-2015-3214 and CVE-2015-5154 into SVN. What about all of the other CVEs (besides CVE-2015-5158, which you said may not apply)?
Summary: qemu new security issues CVE-2015-3209, CVE-2015-3214, CVE-2015-4037, CVE-2015-410[3-6], CVE-2015-515[48] => qemu new security issues CVE-2015-3209, CVE-2015-3214, CVE-2015-4037, CVE-2015-410[3-6], CVE-2015-515[48], CVE-2015-5745
I haven't checked in any other changes. Right now the status looks like:

CVE-2015-3209 - open
CVE-2015-3214 - fix checked in
CVE-2015-4037 - fix checked in
CVE-2015-410[3-6] - open
CVE-2015-515[48] - fix checked in for 5154, not valid for 5158
CVE-2015-5745 - open

Redhat says they've issued patches for 3209 but I can't find a thing in Fedora.
Also, CVE-2015-410[3-6] seem to be issues in xen and not qemu. That leaves 3209 and 5745.
Well, CVE-2015-5745 isn't open, since I checked that fix in an hour and a half ago.

CVE-2015-3209 and CVE-2015-410[3-6], you can get patches from Ubuntu or upstream here (click the CVE links at the bottom for the upstream commit links):
http://www.ubuntu.com/usn/usn-2630-1/

Debian has patches for CVE-2015-3209 and CVE-2015-410[3-6] here:
https://packages.debian.org/source/jessie/qemu
(In reply to Joseph Wang from comment #14)
> Also CVE-2015-410[3-6] seem to be issues in xen and not qemu. that leaves
> 3209 and 5745.

No, those are in both qemu and xen (which isn't uncommon).
OK. I'll get those patches installed tomorrow.
Just merged in a whole bunch of patches for Mageia 4 and 5.

This should fix all of the outstanding security issues.
(In reply to Joseph Wang from comment #18)
> Just merged in a whole bunch of patches for Mageia 4 and 5
>
> This should fix all of the outstanding security issues.

Thanks! What are your plans for Cauldron?
Wait another month for people to find new security bugs and then upgrade to the latest version.

qemu is a security nightmare, and re-rolling and bumping up to a new version is a pain. We've got a lot of time before Mageia 6, and I don't want to upgrade to the newest version too quickly.
(In reply to Joseph Wang from comment #20)
> Wait another month for people to find new security bugs and then upgrade to
> the latest version.
>
> qemu is a security nightmare, and rerolling bumping up to a new version is a
> pain. We've got a lot
> of time before Mageia 6, and I don't want to upgrade to the newest version
> too quickly.

LOL, you're not kidding. You could upgrade to 2.3.0 now (which would be a lot of work) but then soon you'd have to update it again to 2.4.0. Makes sense to just wait for now.
The other issue is that I'm not actively using qemu for anything. I'm using docker for virtualization, with a lot fewer moving parts and security issues.
(In reply to Joseph Wang from comment #22)
> The other issue is that I'm not actively using qemu for anything. I'm using
> docker for virtualization, with a lot fewer moving parts and security issues.

Yeah, I'd imagine that works a lot better. What I don't understand about Docker though, is it basically bundles a bunch of packages in the container, so how do needed updates for those packages get handled?
I've synced Cauldron with Mageia 5 for now, but the build fails because of an issue with %find_lang (also affecting Firefox). Hopefully that'll get sorted out soon.

Patched packages uploaded for Mageia 4 and Mageia 5.

Advisory to come later.

Testing procedures:
https://bugs.mageia.org/show_bug.cgi?id=13096#c34
https://bugs.mageia.org/show_bug.cgi?id=6694#c3

Updated packages in core/updates_testing:
========================
qemu-1.6.2-1.12.mga4
qemu-img-1.6.2-1.12.mga4
qemu-2.1.3-2.3.mga5
qemu-img-2.1.3-2.3.mga5

from SRPMS:
qemu-1.6.2-1.12.mga4.src.rpm
qemu-2.1.3-2.3.mga5.src.rpm
CC: (none) => joequant
Version: Cauldron => 5
Assignee: joequant => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO has_procedure
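For anyone verifying that a host actually picked up the fixed builds listed above, here is an added example (my own script, not part of this bug or of Mageia's tooling). It compares the version-release of the installed qemu and qemu-img RPMs against the fixed releases from the updates_testing list, using a simplified reimplementation of rpm's version comparison (epoch, "~" and "^" handling are left out, which is fine for these package names). The FIXED table is taken from the package list above; the sample `rpm -q` lines are constructed for the example and mirror the before/after versions seen in the QA reports.

```python
"""Check whether installed qemu/qemu-img RPMs are at or above the fixed releases.

Added example, not from the bug report or from Mageia. Assumptions: the
fixed version-release strings below are the ones uploaded to updates_testing
for this bug; input lines come from
  rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' qemu qemu-img
Epoch, '~' and '^' are not handled (none of these packages use them).
"""
import re

# Fixed version-release per Mageia release, from the updates_testing list above.
FIXED = {
    "mga4": {"qemu": "1.6.2-1.12.mga4", "qemu-img": "1.6.2-1.12.mga4"},
    "mga5": {"qemu": "2.1.3-2.3.mga5", "qemu-img": "2.1.3-2.3.mga5"},
}


def _segments(s):
    """Split a version/release string into alternating numeric and alphabetic
    runs, ignoring separators, the way rpmvercmp tokenises it."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Return -1, 0 or 1 comparing a to b with rpmvercmp's rules:
    numeric segments compare as integers, alpha segments lexically, a numeric
    segment is newer than an alpha one, and a longer string is newer."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def split_vr(vr):
    """'1.6.2-1.12.mga4' -> ('1.6.2', '1.12.mga4'); release is after the last '-'."""
    version, release = vr.rsplit("-", 1)
    return version, release


def compare_vr(a, b):
    """Compare two version-release strings; version first, then release."""
    av, ar = split_vr(a)
    bv, br = split_vr(b)
    c = rpmvercmp(av, bv)
    return c if c else rpmvercmp(ar, br)


def parse_rpm_q(line):
    """Parse one '<name> <version>-<release>' line from rpm -q."""
    name, vr = line.split()
    return name, vr


def check(lines, distro):
    """Map each listed package to True if installed >= fixed, else False."""
    results = {}
    for line in lines:
        name, vr = parse_rpm_q(line)
        fixed = FIXED[distro].get(name)
        if fixed is None:
            continue  # not a package this advisory covers
        results[name] = compare_vr(vr, fixed) >= 0
    return results


if __name__ == "__main__":
    # Constructed sample: qemu still at the pre-update release, qemu-img updated.
    sample = ["qemu 1.6.2-1.10.mga4", "qemu-img 1.6.2-1.12.mga4"]
    for name, ok in check(sample, "mga4").items():
        print(f"{name}: {'fixed' if ok else 'STILL VULNERABLE'}")
```

On a real host, pipe the output of the rpm -q command from the docstring into check(); any False entry means the package in the advisory has not been installed yet, regardless of what urpmi reports as "already installed".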
Advisory:
========================

Updated qemu packages fix security vulnerabilities:

Matt Tait discovered that QEMU incorrectly handled the virtual PCNET driver. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process (CVE-2015-3209).

Kurt Seifried discovered that QEMU incorrectly handled certain temporary files. A local attacker could use this issue to cause a denial of service (CVE-2015-4037).

Jan Beulich discovered that the QEMU Xen code incorrectly restricted write access to the host MSI message data field. A malicious guest could use this issue to cause a denial of service (CVE-2015-4103).

Jan Beulich discovered that the QEMU Xen code incorrectly restricted access to the PCI MSI mask bits. A malicious guest could use this issue to cause a denial of service (CVE-2015-4104).

Jan Beulich discovered that the QEMU Xen code incorrectly handled MSI-X error messages. A malicious guest could use this issue to cause a denial of service (CVE-2015-4105).

Jan Beulich discovered that the QEMU Xen code incorrectly restricted write access to the PCI config space. A malicious guest could use this issue to cause a denial of service, obtain sensitive information, or possibly execute arbitrary code (CVE-2015-4106).

A heap buffer overflow flaw was found in the way QEMU's IDE subsystem handled I/O buffer access while processing certain ATAPI commands. A privileged guest user in a guest with the CDROM drive enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process corresponding to the guest (CVE-2015-5154).

An out-of-bounds memory access flaw, leading to memory corruption or possibly an information leak, was found in QEMU's pit_ioport_read() function. A privileged guest user in a QEMU guest, which had QEMU PIT emulation enabled, could potentially, in rare cases, use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process (CVE-2015-3214).

The Qemu emulator built with virtio-serial vmchannel support is vulnerable to a buffer overflow issue. It could occur while exchanging virtio control messages between the guest and the host. A malicious guest could use this flaw to corrupt a few bytes of Qemu memory, potentially crashing the Qemu process (CVE-2015-5745).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3214
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4037
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4105
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4106
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5154
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5745
http://www.ubuntu.com/usn/usn-2630-1/
https://rhn.redhat.com/errata/RHSA-2015-1507.html
http://openwall.com/lists/oss-security/2015/08/06/5
Summary: qemu new security issues CVE-2015-3209, CVE-2015-3214, CVE-2015-4037, CVE-2015-410[3-6], CVE-2015-515[48], CVE-2015-5745 => qemu new security issues CVE-2015-3209, CVE-2015-3214, CVE-2015-4037, CVE-2015-410[3-6], CVE-2015-5154, CVE-2015-5745
CC: (none) => davidwhodgins
Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure advisory
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: qemu qemu-img

default install of qemu qemu-img

[root@localhost wilcal]# urpmi qemu
Package qemu-1.6.2-1.10.mga4.i586 is already installed
[root@localhost wilcal]# urpmi qemu-img
Package qemu-img-1.6.2-1.10.mga4.i586 is already installed

Using test procedure:
https://bugs.mageia.org/show_bug.cgi?id=13096#c34

create /home/wilcal/qemu
into that copy M4.1 KDE i586 boot.iso
using a terminal in /home/wilcal/qemu run:
qemu-kvm -net user -net nic,model=virtio -cdrom boot.iso -boot d -m 512
boot.iso opens and runs. Choose HTTP server. Selected DHCP network connection.
Selected a mirror for Mageia 4. Stage2 is started.

install qemu qemu-img from updates_testing

[root@localhost wilcal]# urpmi qemu
Package qemu-1.6.2-1.12.mga4.i586 is already installed
[root@localhost wilcal]# urpmi qemu-img
Package qemu-img-1.6.2-1.12.mga4.i586 is already installed

using a terminal in /home/wilcal/qemu run:
qemu-kvm -net user -net nic,model=virtio -cdrom boot.iso -boot d -m 512
boot.iso opens and runs. Choose HTTP server. Selected DHCP network connection.
Selected a mirror for Mageia 4. Stage2 is started.
CC: (none) => wilcal.int
Whiteboard: MGA4TOO has_procedure advisory => MGA4TOO has_procedure advisory MGA4-32-OK
In VirtualBox, M4, KDE, 64-bit

Package(s) under test: qemu qemu-img

default install of qemu qemu-img

[root@localhost wilcal]# urpmi qemu
Package qemu-1.6.2-1.10.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi qemu-img
Package qemu-img-1.6.2-1.10.mga4.x86_64 is already installed

create /home/wilcal/qemu
into that copy M4.1 KDE x86_64 boot.iso
using a terminal in /home/wilcal/qemu run:
qemu-kvm -net user -net nic,model=virtio -cdrom boot.iso -boot d -m 512
boot.iso opens and runs. Choose HTTP server. Selected DHCP network connection.
Selected a mirror for Mageia 4. Stage2 is started.

install qemu qemu-img from updates_testing

[root@localhost wilcal]# urpmi qemu
Package qemu-1.6.2-1.12.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi qemu-img
Package qemu-img-1.6.2-1.12.mga4.x86_64 is already installed

using a terminal in /home/wilcal/qemu run:
qemu-kvm -net user -net nic,model=virtio -cdrom boot.iso -boot d -m 512
boot.iso opens and runs. Choose HTTP server. Selected DHCP network connection.
Selected a mirror for Mageia 4. Stage2 is started.
Whiteboard: MGA4TOO has_procedure advisory MGA4-32-OK => MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK
In VirtualBox, M5, KDE, 32-bit

Package(s) under test: qemu qemu-img

default install of qemu qemu-img

[root@localhost wilcal]# urpmi qemu
Package qemu-2.1.3-2.mga5.i586 is already installed
[root@localhost wilcal]# urpmi qemu-img
Package qemu-img-2.1.3-2.mga5.i586 is already installed

Using test procedure:
https://bugs.mageia.org/show_bug.cgi?id=13096#c34

create /home/wilcal/qemu
into that copy M5 KDE i586 boot.iso
using a terminal in /home/wilcal/qemu run:
qemu-kvm -net user -net nic,model=virtio -cdrom boot.iso -boot d -m 512
boot.iso opens and runs. Choose HTTP server. Selected DHCP network connection.
Selected a mirror for Mageia 4. Stage2 is started.

install qemu qemu-img from updates_testing

[root@localhost wilcal]# urpmi qemu
Package qemu-2.1.3-2.3.mga5.i586 is already installed
[root@localhost wilcal]# urpmi qemu-img
Package qemu-img-2.1.3-2.3.mga5.i586 is already installed

using a terminal in /home/wilcal/qemu run:
qemu-kvm -net user -net nic,model=virtio -cdrom boot.iso -boot d -m 512
boot.iso opens and runs. Choose HTTP server. Selected DHCP network connection.
Selected a mirror for Mageia 4. Stage2 is started.
Whiteboard: MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK => MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK
In comment 28:

Selected a mirror for Mageia 4. Stage2 is started.

should be:

Selected a mirror for Mageia 5. Stage2 is started.
In VirtualBox, M5, KDE, 64-bit

Package(s) under test: qemu qemu-img

default install of qemu qemu-img

[root@localhost wilcal]# urpmi qemu
Package qemu-2.1.3-2.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi qemu-img
Package qemu-img-2.1.3-2.mga5.x86_64 is already installed

create /home/wilcal/qemu
into that copy M5 KDE x86_64 boot.iso
using a terminal in /home/wilcal/qemu run:
qemu-kvm -net user -net nic,model=virtio -cdrom boot.iso -boot d -m 512
boot.iso opens and runs. Choose HTTP server. Selected DHCP network connection.
Selected a mirror for Mageia 5. Stage2 is started.

install qemu qemu-img from updates_testing

[root@localhost wilcal]# urpmi qemu
Package qemu-2.1.3-2.3.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi qemu-img
Package qemu-img-2.1.3-2.3.mga5.x86_64 is already installed

using a terminal in /home/wilcal/qemu run:
qemu-kvm -net user -net nic,model=virtio -cdrom boot.iso -boot d -m 512
boot.iso opens and runs. Choose HTTP server. Selected DHCP network connection.
Selected a mirror for Mageia 5. Stage2 is started.
Whiteboard: MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK => MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK
http://mirrors.mageia.org/mirrors/distrib-coffee.ipsl.jussieu.fr was the mirror used for this testing
This update looks good to go David. What say you?
(In reply to William Kenney from comment #32)
> This update looks good to go David. What say you?

Yep.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
This update works fine. Testing complete for MGA4 & MGA5, 32-bit & 64-bit.

Validating the update. Could someone from the sysadmin team push to updates. Thanks
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0310.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
(In reply to David Walser from comment #11)
> (In reply to David Walser from comment #10)
> > CVE request for one more qemu issue:
> > http://openwall.com/lists/oss-security/2015/08/06/3
> >
> > I'll look at pushing updates once I have some time to look at it, probably
> > soon.
>
> Assigned CVE-2015-5745:
> http://openwall.com/lists/oss-security/2015/08/06/5
>
> I checked the patch into Mageia 4 and Mageia 5 SVN.

LWN reference:
http://lwn.net/Vulnerabilities/654289/