Bug 7006 - qemu-kvm missing update for security issues CVE-2011-2527 and CVE-2012-0029
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
URL: http://lwn.net/Vulnerabilities/452825/
Whiteboard: has_procedure MGA1-64-OK MGA1-32-OK
Keywords: validated_update
Reported: 2012-08-10 21:01 CEST by David Walser
Modified: 2012-08-18 11:58 CEST

Source RPM: qemu-0.14.0-5.1.1.mga1.src.rpm

Description David Walser 2012-08-10 21:01:49 CEST
Fedora has issued an advisory on May 29:
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081972.html

Patched package for Mageia 1 uploaded.

Advisory:
========================

Updated qemu packages fix security vulnerabilities:

The change_process_uid function in os-posix.c in Qemu 0.14.0 and earlier
does not properly drop group privileges when the -runas option is used,
which allows local guest users to access restricted files on the host
(CVE-2011-2527).

Heap-based buffer overflow in the process_tx_desc function in the e1000
emulation (hw/e1000.c) in qemu-kvm 0.12, and possibly other versions,
allows guest OS users to cause a denial of service (QEMU crash) and possibly
execute arbitrary code via crafted legacy mode packets (CVE-2012-0029).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2527
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0029
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081972.html
========================

Updated packages in core/updates_testing:
========================
qemu-0.14.0-5.2.mga1
qemu-img-0.14.0-5.2.mga1

from qemu-0.14.0-5.2.mga1.src.rpm
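
A check a tester could run when validating the CVE-2011-2527 fix described in the advisory above, added here as an example (not part of this bug report, Mageia's QA procedure or QEMU): it reads `/proc/<pid>/status` of a qemu process started with `-runas` and reports any group IDs the process holds beyond those of the target account. The function names and the status excerpts are constructed; it assumes a Linux `/proc` and that leftover group privilege is visible in the `Gid` and `Groups` fields.

```shell
#!/bin/sh
# Added example. Sample data is constructed, not captured from a real host.

# status_field FILE NAME: print the values of one /proc/<pid>/status field.
status_field() {
    awk -v key="$2:" '$1 == key { $1 = ""; sub(/^ /, ""); print }' "$1"
}

# leftover_groups FILE "ALLOWED GIDS": print every GID the process holds
# (effective GID plus supplementary groups) that is not in the allowed set.
leftover_groups() {
    allowed=" $2 "; out=""
    egid=$(status_field "$1" Gid | awk '{ print $2 }')
    for g in $egid $(status_field "$1" Groups); do
        case "$allowed$out " in
            *" $g "*) ;;                 # allowed, or already reported
            *) out="$out $g" ;;
        esac
    done
    echo "${out# }"
}

# check_runas PID USER: succeed only if PID runs as USER with USER's groups.
check_runas() {
    f="/proc/$1/status"
    euid=$(status_field "$f" Uid | awk '{ print $2 }')
    left=$(leftover_groups "$f" "$(id -G "$2")")
    [ "$euid" = "$(id -u "$2")" ] && [ -z "$left" ] && return 0
    echo "pid $1: euid=$euid, unexpected GIDs: ${left:-none}" >&2
    return 1
}

# Constructed excerpts: UID/GID switched to 500, group list kept vs. reset.
sample_kept_groups() {
    printf 'Uid:\t500\t500\t500\t500\nGid:\t500\t500\t500\t500\n'
    printf 'Groups:\t0 1 2 3 4 6 10 \n'
}
sample_reset_groups() {
    printf 'Uid:\t500\t500\t500\t500\nGid:\t500\t500\t500\t500\n'
    printf 'Groups:\t500 \n'
}

tmp=$(mktemp -d) || exit 1
sample_kept_groups > "$tmp/kept"; sample_reset_groups > "$tmp/reset"
echo "kept:  [$(leftover_groups "$tmp/kept" 500)]"
echo "reset: [$(leftover_groups "$tmp/reset" 500)]"
rm -rf "$tmp"
```

Against a running guest, call `check_runas` with the qemu PID and the account passed to `-runas`; a non-zero exit lists the extra GIDs on stderr.
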
Comment 1 Dave Hodgins 2012-08-16 04:37:27 CEST
No PoC that I could see.

I'll test Mageia 1 x86-64 shortly using the procedure from
https://bugs.mageia.org/show_bug.cgi?id=6694#c3

CC: (none) => davidwhodgins
Whiteboard: (none) => has_procedure

Comment 2 Dave Hodgins 2012-08-16 05:55:26 CEST
Testing complete on Mageia 1 x86-64.

I'll test Mageia 1 i586 shortly.

Whiteboard: has_procedure => has_procedure MGA1-64-OK

Comment 3 Dave Hodgins 2012-08-16 09:37:13 CEST
Testing on Mageia 1 i586 complete.

Could someone from the sysadmin team push the srpm
qemu-0.14.0-5.2.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates?

Advisory: Updated qemu packages fix security vulnerabilities:

The change_process_uid function in os-posix.c in Qemu 0.14.0 and earlier
does not properly drop group privileges when the -runas option is used,
which allows local guest users to access restricted files on the host
(CVE-2011-2527).

Heap-based buffer overflow in the process_tx_desc function in the e1000
emulation (hw/e1000.c) in qemu-kvm 0.12, and possibly other versions,
allows guest OS users to cause a denial of service (QEMU crash) and possibly
execute arbitrary code via crafted legacy mode packets (CVE-2012-0029).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2527
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0029
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081972.html

https://bugs.mageia.org/show_bug.cgi?id=7006

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure MGA1-64-OK => has_procedure MGA1-64-OK MGA1-32-OK

Comment 4 Thomas Backlund 2012-08-18 11:58:39 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0222

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

