Bug 6694 - qemu-kvm new security issue CVE-2012-2652
Summary: qemu-kvm new security issue CVE-2012-2652
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/505122/
Whiteboard: MGA1TOO mga2-64-OK MGA2-32-OK MGA1-64...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-07-05 01:21 CEST by David Walser
Modified: 2012-07-30 17:59 CEST (History)

See Also:
Source RPM: qemu-1.0-6.mga2.src.rpm
CVE:
Status comment:



Description David Walser 2012-07-05 01:21:01 CEST
openSUSE has issued an advisory today (July 4):
http://lists.opensuse.org/opensuse-updates/2012-07/msg00012.html

The Novell bug has a link to the upstream fix:
https://bugzilla.novell.com/show_bug.cgi?id=764526
David Walser 2012-07-05 01:21:50 CEST

CC: (none) => n54
Whiteboard: (none) => MGA2TOO, MGA1TOO

Comment 1 David Walser 2012-07-11 00:24:38 CEST
Patched package uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated qemu packages fix security vulnerability:

A flaw was found in how qemu, in snapshot mode (-snapshot command line
argument), handled the creation and opening of the temporary file used
to store the difference of the virtualized guest's read-only image and
the current state.  In snapshot mode, bdrv_open() creates an empty
temporary file without checking for any mkstemp() or close() failures;
it also ignores the possibility of a buffer overrun given an
exceptionally long $TMPDIR.  Because qemu re-opens that file after
creation, it is possible to race qemu and insert a symbolic link with
the same expected name as the temporary file, pointing to an
attacker-chosen file.  This can be used to either overwrite the
destination file with the privileges of the user running qemu
(typically root), or to point to an attacker-readable file that could
expose data from the guest to the attacker (CVE-2012-2652).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2652
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2652
http://lists.opensuse.org/opensuse-updates/2012-07/msg00012.html
========================

Updated packages in core/updates_testing:
========================
qemu-0.14.0-5.1.1.mga1
qemu-img-0.14.0-5.1.1.mga1
qemu-1.0-6.1.mga2
qemu-img-1.0-6.1.mga2

from SRPMS:
qemu-0.14.0-5.1.1.mga1.src.rpm
qemu-1.0-6.1.mga2.src.rpm

Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
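The safe temporary-file pattern behind the advisory above, as an added example in C. It is not QEMU's upstream patch and not code from this bug report; the `vl.XXXXXX` template name and the helper function names are assumptions. It shows the two fixes the advisory implies: bound the `$TMPDIR` length before building the template, and keep the descriptor returned by mkstemp() instead of closing it and re-opening the path by name.

```c
/* Added example: race-free temporary overlay creation (defender's view).
 * Not QEMU's code; names are illustrative. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Build "$TMPDIR/vl.XXXXXX" into buf, refusing a TMPDIR that would
 * overrun it (the unpatched bdrv_open() did not check this). */
int build_tmp_template(char *buf, size_t size, const char *tmpdir) {
    if (tmpdir == NULL || *tmpdir == '\0') tmpdir = "/tmp";
    int n = snprintf(buf, size, "%s/vl.XXXXXX", tmpdir);
    if (n < 0 || (size_t)n >= size) return -ENAMETOOLONG;
    return 0;
}

/* Create the temp file and hand back the descriptor mkstemp() opened.
 * mkstemp() uses O_CREAT|O_EXCL, so the fd refers to an inode we made;
 * never closing it and re-opening by name is what removes the window
 * in which a symlink could be planted at the expected path.
 * Returns the fd on success, -errno on failure (both checked here). */
int create_snapshot_tmp(char *path, size_t size) {
    int rc = build_tmp_template(path, size, getenv("TMPDIR"));
    if (rc < 0) return rc;
    int fd = mkstemp(path);
    if (fd < 0) return -errno;
    return fd;
}

/* If code must go back to the path later anyway, verify before use that
 * the name is still a regular file (not a symlink), owned by us, and
 * the very inode the fd refers to. */
int verify_tmp_unchanged(int fd, const char *path) {
    struct stat created, now;
    if (fstat(fd, &created) < 0) return -errno;
    if (lstat(path, &now) < 0) return -errno;
    if (S_ISLNK(now.st_mode) || !S_ISREG(now.st_mode)) return -ELOOP;
    if (now.st_dev != created.st_dev || now.st_ino != created.st_ino)
        return -EEXIST;
    if (now.st_uid != geteuid()) return -EPERM;
    return 0;
}
```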

Comment 2 claire robinson 2012-07-25 14:25:01 CEST
Testing Mageia 2 64bit
Comment 3 claire robinson 2012-07-25 17:56:03 CEST
Not used qemu really before, so learning as I go...

$ qemu-img create mageia.qcow 5G
Formatting 'mageia.qcow', fmt=raw size=5368709120

Convert it to qcow2 so you can save snapshots; not sure if this can be done when you create the disk.
$ qemu-img convert -O qcow2 mageia.qcow mageia.qcow2

$ qemu-system-i386 -cdrom ISOs/mageia-dual-1.iso -hda mageia.qcow2 -boot d -net nic -net user -m 512 -localtime

Installed Mageia 1. qemu is very slow so thanks to ennael for pointing out how to use kvm which speeds it up a bit.

# egrep -c '(svm|vmx)' /proc/cpuinfo
4

If it returns more than 0 then your cpu is capable.

# modprobe kvm

Run the VM.
$ qemu-system-i386 -hda mageia.qcow2 -boot d -net nic -net user -m 512 -localtime

Take a snapshot.
In qemu press ctrl-alt-2 (not F2) to switch to monitor mode. Type 'savevm test1'. You can check it has saved with 'info snapshots' then ctrl-alt-1 to switch back to the machine.

To load the snapshot
$ qemu-system-i386 -hda mageia.qcow2 -boot d -net nic -net user -m 512 -localtime -loadvm test1

It starts in Stopped mode so you have to ctrl-alt-2 and press 'c' then ctrl-alt-1 and wait, it takes a long time for me. Or from a running VM ctrl-alt-2 and loadvm test1, then ctrl-alt-1.

I will test the update shortly. Been doing other things today :\
Comment 4 claire robinson 2012-07-25 18:09:21 CEST
Testing with -snapshot on the command too, not sure what the difference is.
Comment 5 claire robinson 2012-07-25 18:34:48 CEST
Testing complete x86_64 mga 2

Tested qemu-img with...

$ qemu-img info mageia.qcow2
image: mageia.qcow2
file format: qcow2
virtual size: 5.0G (5368709120 bytes)
disk size: 949M
cluster_size: 65536
Snapshot list:
ID        TAG                 VM SIZE                DATE       VM CLOCK
1         test1                  124M 2012-07-25 16:25:38   00:02:42.274

$ qemu-img snapshot -d test1 mageia.qcow2

$ qemu-img info mageia.qcow2
image: mageia.qcow2
file format: qcow2
virtual size: 5.0G (5368709120 bytes)
disk size: 949M
cluster_size: 65536

$ qemu-img check mageia.qcow2

No regressions noticed with any of the above.
claire robinson 2012-07-25 18:35:04 CEST

Whiteboard: MGA1TOO => MGA1TOO mga2-64-OK

Comment 6 Dave Hodgins 2012-07-29 22:38:17 CEST
Testing complete for Mageia 2 i586

Testing on a 64 bit system, as my 32 bit cpu doesn't have the needed features.

Thanks for the detailed procedure Claire.

I'll test Mageia 1, once I've installed them on this 64-bit system.

CC: (none) => davidwhodgins
Whiteboard: MGA1TOO mga2-64-OK => MGA1TOO mga2-64-OK MGA2-32-OK

Comment 7 Dave Hodgins 2012-07-30 00:56:32 CEST
Testing complete on Mageia 1 64 bit.

The command qemu-system-i386 does not exist in the Mageia 1 x86-64
version, so I used qemu-system-x86_64 instead.

Gave it 2 GB RAM, and ran a Mageia 2 live KDE CD. Very slow, but once it
does get booted, it's working.

I'll install and then test with Mageia 1 i586 shortly.

Whiteboard: MGA1TOO mga2-64-OK MGA2-32-OK => MGA1TOO mga2-64-OK MGA2-32-OK MGA1-64-OK

Comment 8 Dave Hodgins 2012-07-30 02:42:41 CEST
Testing complete on Mageia 1 i586.

Could someone from the sysadmin team push the srpm
qemu-1.0-6.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
qemu-0.14.0-5.1.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated qemu packages fix security vulnerability:

A flaw was found in how qemu, in snapshot mode (-snapshot command line
argument), handled the creation and opening of the temporary file used
to store the difference of the virtualized guest's read-only image and
the current state.  In snapshot mode, bdrv_open() creates an empty
temporary file without checking for any mkstemp() or close() failures;
it also ignores the possibility of a buffer overrun given an
exceptionally long $TMPDIR.  Because qemu re-opens that file after
creation, it is possible to race qemu and insert a symbolic link with
the same expected name as the temporary file, pointing to an
attacker-chosen file.  This can be used to either overwrite the
destination file with the privileges of the user running qemu
(typically root), or to point to an attacker-readable file that could
expose data from the guest to the attacker (CVE-2012-2652).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2652
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2652
http://lists.opensuse.org/opensuse-updates/2012-07/msg00012.html

https://bugs.mageia.org/show_bug.cgi?id=6694

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO mga2-64-OK MGA2-32-OK MGA1-64-OK => MGA1TOO mga2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK

Comment 9 Thomas Backlund 2012-07-30 17:59:29 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0185

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

