Bug 7367 - qemu-kvm new security issue CVE-2012-3515
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: critical
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/514963/
Whiteboard: MGA1TOO MGA2-64-OK has_procdure MGA2-...
Keywords: validated_update

Reported: 2012-09-05 22:13 CEST by David Walser
Modified: 2012-09-09 21:23 CEST

Source RPM: qemu

Description David Walser 2012-09-05 22:13:43 CEST
Red Hat has issued an advisory today (September 5):
https://rhn.redhat.com/errata/RHSA-2012-1234.html

I added the patch for Mageia 1, Mageia 2, and Cauldron, but qemu no longer builds in Cauldron, with this error:

/home/iurt/rpm/BUILD/qemu-kvm-1.0/linux-user/signal.c:3468:24: error: field 'info' has incomplete type

Here is the code it's complaining about:
struct rt_signal_frame {
        struct siginfo *pinfo;
        void *puc;
        struct siginfo info;      /* signal.c:3468: glibc 2.16 no longer defines a tagged 'struct siginfo' (only the siginfo_t typedef), so this field's type is incomplete */
        struct ucontext uc;
        uint8_t retcode[8];       /* Trampoline code. */
};

It builds fine in Mageia 1 and Mageia 2.
Comment 2 David Walser 2012-09-05 22:57:45 CEST
Thierry has updated to 1.2.0 in Cauldron to fix this (hopefully it builds :o).

Thanks Thierry.
Comment 3 David Walser 2012-09-05 23:58:36 CEST
Cauldron build succeeded.
Comment 4 David Walser 2012-09-06 00:03:05 CEST
Patched packages uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated qemu-kvm packages fix security vulnerability:

A flaw was found in the way QEMU handled VT100 terminal escape sequences
when emulating certain character devices. A guest user with privileges to
write to a character device that is emulated on the host using a virtual
console back-end could use this flaw to crash the qemu-kvm process on the
host or, possibly, escalate their privileges on the host (CVE-2012-3515).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3515
https://rhn.redhat.com/errata/RHSA-2012-1234.html
========================

Updated packages in core/updates_testing:
========================
qemu-0.14.0-5.3.mga1
qemu-img-0.14.0-5.3.mga1
qemu-1.0-6.2.mga2
qemu-img-1.0-6.2.mga2

from SRPMS:
qemu-0.14.0-5.3.mga1.src.rpm
qemu-1.0-6.2.mga2.src.rpm
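The advisory above describes the risk class without the mechanism: bytes a guest writes to an emulated character device are parsed as VT100 escape sequences by the host-side console back-end, so every numeric parameter in such a sequence is untrusted input. The following is an added illustration, not code from this bug or from QEMU: a constructed toy console that clamps the parameters of a cursor-position sequence (ESC [ row ; col H) before they are used to index the cell grid, so an out-of-range request from the guest moves the cursor to the edge instead of writing outside the array.

```c
#include <string.h>

/* Constructed toy console: a fixed cell grid standing in for a
 * host-side console back-end that renders guest output. */
#define WIDTH  80
#define HEIGHT 25

struct console {
    char cells[HEIGHT][WIDTH];
    int x, y;            /* cursor, 0-based */
};

void console_init(struct console *c) { memset(c, 0, sizeof *c); }

/* Guest-supplied escape parameters must never become a raw index. */
static int clamp(int v, int lo, int hi)
{
    return v < lo ? lo : (v > hi ? hi : v);
}

/* CUP: "ESC [ row ; col H". VT100 coordinates are 1-based and a
 * missing or zero parameter means 1; anything beyond the grid is
 * pinned to the last row/column. */
void csi_cup(struct console *c, int row, int col)
{
    if (row < 1) row = 1;
    if (col < 1) col = 1;
    c->y = clamp(row - 1, 0, HEIGHT - 1);
    c->x = clamp(col - 1, 0, WIDTH - 1);
}

/* Store one printable character; the cursor is always in range
 * because every move goes through csi_cup()/clamp(). */
void console_putc(struct console *c, char ch)
{
    c->cells[c->y][c->x] = ch;
    if (++c->x >= WIDTH) { c->x = 0; if (c->y < HEIGHT - 1) c->y++; }
}

/* Parse the parameter bytes that follow "ESC [" (e.g. "9999;9999H").
 * Returns 1 if a CUP was applied, 0 if the sequence was ignored. */
int handle_cup_sequence(struct console *c, const char *p)
{
    int row = 0, col = 0, seen_sep = 0, *cur = &row;
    for (; *p; p++) {
        if (*p >= '0' && *p <= '9') {
            if (*cur < 100000)          /* saturate: no int overflow on long digit runs */
                *cur = *cur * 10 + (*p - '0');
        } else if (*p == ';' && !seen_sep) {
            cur = &col; seen_sep = 1;
        } else if (*p == 'H') {
            csi_cup(c, row, col);
            return 1;
        } else {
            return 0;                   /* unsupported or malformed: drop it */
        }
    }
    return 0;
}
```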
Comment 5 Dave Hodgins 2012-09-08 05:54:32 CEST
Testing complete on Mageia 2 x86-64.

Testing using the procedure at
https://bugs.mageia.org/show_bug.cgi?id=6694#c3

I again had to use the divider=10 kernel option, when booting
the kernel in the installer, to allow the mkinitrd to finish
in under 10 minutes, as per bug 44.

I did run into problems booting into the installation after
it was installed, as it stops after mounting /home, but that
is more likely a Mageia 3, or lack of firmware problem, as
I used the Mageia 3 alpha 1 iso, for the installation.

qemu is so much slower than VirtualBox.  I have the kvm module
loaded, but that doesn't seem to make any difference.  Any
suggestions on how to speed things up for further tests?

As it is, even on my new system, it's painfully slow.
Comment 6 Dave Hodgins 2012-09-08 05:57:30 CEST
Btw, the actual command I'm using to run the installed image is

qemu-system-i386 -hda mageia.qcow2 -boot d -net nic -net user -m 2048 -localtime
Comment 7 Dave Hodgins 2012-09-09 20:48:33 CEST
Testing complete.

Could someone from the sysadmin team push the srpm
qemu-1.0-6.2.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
qemu-0.14.0-5.3.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated qemu-kvm packages fix security vulnerability:

A flaw was found in the way QEMU handled VT100 terminal escape sequences
when emulating certain character devices. A guest user with privileges to
write to a character device that is emulated on the host using a virtual
console back-end could use this flaw to crash the qemu-kvm process on the
host or, possibly, escalate their privileges on the host (CVE-2012-3515).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3515
https://rhn.redhat.com/errata/RHSA-2012-1234.html

https://bugs.mageia.org/show_bug.cgi?id=7367
Comment 8 Thomas Backlund 2012-09-09 21:23:39 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0263