Bug 8938 - x11-driver-video-qxl new security issue CVE-2013-0241
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal    Severity: major
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/535718/
Whiteboard: MGA2-64-OK MGA2-32-OK
Keywords: validated_update

Reported: 2013-02-01 20:15 CET by David Walser
Modified: 2013-02-12 20:38 CET
Source RPM: x11-driver-video-qxl-0.0.17-3.mga3.src.rpm

Description David Walser 2013-02-01 20:15:06 CET
RedHat has issued an advisory on January 31:
https://rhn.redhat.com/errata/RHSA-2013-0218.html

The qemu-kvm code that the fix is dependent on (according to the RedHat bug), is present in our qemu in both Mageia 2 and Cauldron.

Mageia 2 is also affected.
Comment 1 David Walser 2013-02-01 23:54:53 CET
This is already fixed upstream in the version we have in Cauldron.

Patched package uploaded for Mageia 2.

Advisory:
========================

Updated x11-driver-video-qxl package fixes security vulnerability:

A flaw was found in the way the host's qemu-kvm qxl driver and the guest's
X.Org qxl driver interacted when a SPICE connection terminated. A user able
to initiate a SPICE connection to a guest could use this flaw to make the
guest temporarily unavailable or, potentially (if the sysctl
kernel.softlockup_panic variable was set to "1" in the guest), crash the
guest (CVE-2013-0241).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0241
https://rhn.redhat.com/errata/RHSA-2013-0218.html
========================

Updated packages in core/updates_testing:
========================
x11-driver-video-qxl-0.0.16-4.1.mga2

from x11-driver-video-qxl-0.0.16-4.1.mga2.src.rpm
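Deciding whether a guest still carries the vulnerable driver means comparing its installed package against the fixed release using RPM's own version ordering, not a plain string comparison (lexically, "4.1.mga2" sorts before "4.mga2", the opposite of what RPM and urpmi do). The following is an added example, not code from Mageia, the packagers or anyone on this bug: a Python port of rpmvercmp, fed the output of `rpm -q --qf '%{EVR}\n' x11-driver-video-qxl`. The fixed versions are taken from this comment (0.0.16-4.1.mga2 for Mageia 2) and from the Source RPM field above (0.0.17-3.mga3, which this comment says already has the upstream fix); the "dos" versus "crash" outcome follows the advisory's note about kernel.softlockup_panic. The sample guest lines are constructed, and `assess`, `evrcmp`, `split_evr` and the `.mgaN`-tag lookup are names chosen for this example.

```python
"""Classify a Mageia guest for CVE-2013-0241 from its installed
x11-driver-video-qxl EVR, using a Python port of rpmvercmp().

Added example for this bug; not code from the Mageia packages or the
bug's participants. Fixed EVRs are from the bug itself; sample guest
data is constructed.
"""
import re

# Fixed EVR per Mageia release tag (from Comment 1 and the Source RPM field).
FIXED = {
    "mga2": "0.0.16-4.1.mga2",
    "mga3": "0.0.17-3.mga3",
}

# rpmvercmp segments: runs of digits, runs of letters, or a bare '~'.
_TOKEN = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1 if a < b, 0 if equal, 1 if a > b, per RPM's rules:
    numeric segments compare as integers and beat alphabetic ones,
    separators are ignored, and '~' sorts before anything (even nothing)."""
    if a == b:
        return 0
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    for x, y in zip(ta, tb):
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            ix, iy = int(x), int(y)
            if ix != iy:
                return -1 if ix < iy else 1
        elif xd != yd:
            return 1 if xd else -1  # numeric segment is newer than alpha
        elif x != y:
            return -1 if x < y else 1
    if len(ta) == len(tb):
        return 0
    # Shared segments equal: a leftover '~' makes that side older,
    # otherwise the side with more segments is newer.
    longer = ta if len(ta) > len(tb) else tb
    if longer[min(len(ta), len(tb))] == "~":
        return -1 if longer is ta else 1
    return 1 if longer is ta else -1


def split_evr(evr: str):
    """'[epoch:]version-release' -> (epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def fixed_version_for(evr: str):
    """Look up the fixed EVR by the .mgaN distro tag in the release."""
    m = re.search(r"\.(mga\d+)", evr)
    return FIXED.get(m.group(1)) if m else None


def assess(installed_evr: str, softlockup_panic: int) -> str:
    """'fixed', 'dos' (guest can be hung), 'crash' (hung and panics),
    or 'unknown' when the release tag is not one this table knows."""
    fixed = fixed_version_for(installed_evr)
    if fixed is None:
        return "unknown"
    if evrcmp(installed_evr, fixed) >= 0:
        return "fixed"
    return "crash" if softlockup_panic == 1 else "dos"


# Constructed sample: (label, `rpm -q --qf '%{EVR}\n'` output,
# `sysctl -n kernel.softlockup_panic` value). Not captured from real guests.
SAMPLE_GUESTS = [
    ("mga2 before update", "0.0.16-4.mga2", 0),
    ("mga2 after update", "0.0.16-4.1.mga2", 0),
    ("mga2 before update, panic on softlockup", "0.0.16-4.mga2", 1),
    ("cauldron", "0.0.17-3.mga3", 1),
]


def report() -> dict:
    return {name: assess(evr, slp) for name, evr, slp in SAMPLE_GUESTS}


if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name:42s} {status}")
```

On a real guest, feed `assess()` the two command outputs named in the sample; the release-tag lookup is what keeps a Mageia 3 package from being judged against the Mageia 2 fix.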
Comment 2 Dave Hodgins 2013-02-02 22:24:31 CET
If I understand correctly, the driver should be used when running
qemu with the -vga qxl option.

Currently creating a 32 bit Mageia 2 qemu installation, with this
option, to test it.
Comment 3 Dave Hodgins 2013-02-03 02:02:24 CET
Painfully slow.  It's clear that no one is using this, or there would
be a lot of bug reports.  Besides being slow, I noticed the following
problems.  Black horizontal lines, roughly every 10 pixels from top
to bottom of the screen.  Mouse cursor is either not visible, or when
it is, doesn't reflect where the mouse cursor actually is, and every
time the mouse cursor touches the edge of the screen, the position of
the actual mouse cursor relative to where it's displayed changes, so
the only way to figure out where it is, is to move it around until
something gets highlighted, or right click on the desktop, and see
where the context menu opens.  Also had many crashes of xorg.

These problems were found both before and after installing the update.

The script I used for installing (after creating the disk image) was
#!/bin/bash
Dir="/qemu"
Size="16G"
Arch="32"
# This first ISO path is unused: the assignment below overrides it.
#Iso="/s3/m3/mageia3-beta2/Mageia-3-beta2-LiveDVD-KDE4-i586-DVD/Mageia-3-beta2-LiveDVD-KDE4-i586-DVD.iso"
Iso="/home/dave/software/i2/boot-nonfree.iso"
cd "$Dir" || exit 1
# Create the image in qcow2 format (qemu-img defaults to raw) under the
# same name the qemu command below opens; the original used .qcow here
# and .qcow2 on the -hda line.
qemu-img create -f qcow2 mageia"$Arch".qcow2 "$Size"
# -vga qxl selects the guest-side driver this update patches.
qemu-system-i386 -cdrom "$Iso" -hda mageia"$Arch".qcow2 -boot d \
  -net nic -net user,net=192.168.10.0/16,host=192.168.10.3 \
  -m 2047 -vga qxl

This was with the kvm module loaded.

Testing complete on Mageia 2 i586.
Comment 4 Dave Hodgins 2013-02-03 03:22:02 CET
Testing x86-64 now.
Comment 5 Dave Hodgins 2013-02-03 09:38:08 CET
I made the mistake of thinking qemu-system-x86_64 would be faster
than the i586 version, on a x86_64 host.  After 6 hours getting
a full kde install, that has spent 20 minutes, with the desktop
showing, but no icons yet available on the panel, I'm going to
post a message to the developers mailing list asking for qemu
to be dropped from Mageia 3, as a useless package.

I'm giving up trying to test this package.  As it's a security
update, I'm going to go ahead and validate it, even though it's
clear no-one could be using it.

I have confirmed the updated package installs cleanly, on a
64 bit system.

Could someone from the sysadmin team push the srpm
x11-driver-video-qxl-0.0.16-4.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated x11-driver-video-qxl package fixes security vulnerability:

A flaw was found in the way the host's qemu-kvm qxl driver and the guest's
X.Org qxl driver interacted when a SPICE connection terminated. A user able
to initiate a SPICE connection to a guest could use this flaw to make the
guest temporarily unavailable or, potentially (if the sysctl
kernel.softlockup_panic variable was set to "1" in the guest), crash the
guest (CVE-2013-0241).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0241
https://rhn.redhat.com/errata/RHSA-2013-0218.html

https://bugs.mageia.org/show_bug.cgi?id=8938
Comment 6 claire robinson 2013-02-03 15:49:39 CET
Did you have qemu-kvm installed Dave? It enables the cpu vm extensions.

qemu is very slow though you're right.
Comment 7 claire robinson 2013-02-03 15:50:15 CET
Sorry I see in comment 3 you did.
Comment 8 Thomas Backlund 2013-02-06 23:24:32 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0036
Comment 9 Buchan Milne 2013-02-12 20:30:15 CET
Sorry Dave Hodgins, but I have multiple VMs running under virt-manager/libvirt/kvm on Mageia 1 and Mageia 2.

I don't think we can cover all the prerequisites (hardware virtualisation support in your CPU, hardware virtualisation enabled in your BIOS) of a modern hypervisor in a bug report.

But, the lack of bug reports on a platform that is used by all the major linux distros as enterprise virtualisation may rather point to how well KVM works.

Please continue shipping updates, as many people are using these packages.
Comment 10 David Walser 2013-02-12 20:38:31 CET
Well this particular package is completely broken on Cauldron, so someone needs to take care of it.  Christiaan said he tried and wasn't able to.  I did notice that ROSA has a newer version of it, so maybe syncing with them would fix it.
