RedHat has issued an advisory on January 31: https://rhn.redhat.com/errata/RHSA-2013-0218.html The qemu-kvm code that the fix is dependent on (according to the RedHat bug), is present in our qemu in both Mageia 2 and Cauldron. Mageia 2 is also affected.
CC: (none) => thierry.vignaudWhiteboard: (none) => MGA2TOO
Summary: x11-driver-video-qxl => x11-driver-video-qxl new security issue CVE-2013-0241
URL: (none) => http://lwn.net/Vulnerabilities/535718/
This is already fixed upstream in the version we have in Cauldron. Patched package uploaded for Mageia 2. Advisory: ======================== Updated x11-driver-video-qxl package fixes security vulnerability: A flaw was found in the way the host's qemu-kvm qxl driver and the guest's X.Org qxl driver interacted when a SPICE connection terminated. A user able to initiate a SPICE connection to a guest could use this flaw to make the guest temporarily unavailable or, potentially (if the sysctl kernel.softlockup_panic variable was set to "1" in the guest), crash the guest (CVE-2013-0241). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0241 https://rhn.redhat.com/errata/RHSA-2013-0218.html ======================== Updated packages in core/updates_testing: ======================== x11-driver-video-qxl-0.0.16-4.1.mga2 from x11-driver-video-qxl-0.0.16-4.1.mga2.src.rpm
Version: Cauldron => 2Assignee: thierry.vignaud => qa-bugsWhiteboard: MGA2TOO => (none)
If I understand correctly, the driver should be used when running qemu with the -vga qxl option. Currently creating a 32 bit Mageia 2 qemu installation, with this option, to test it.
CC: (none) => davidwhodgins
Painfully slow. It's clear that no one is using this, or there would be a lot of bug reports. Besides being slow, I noticed the following problems. Black horizontal lines, roughly every 10 pixels from top to bottom of the screen. Mouse cursor is either not visible, or when it is, doesn't reflect where the mouse cursor actually is, and every time the mouse cursor touches the edge of the screen, the position of the actual mouse cursor relative to where it's displayed changes, so the only way to figure out where it is, is to move it around until something gets highlighted, or right click on the desktop, and see where the context menu opens. Also had many crashes of xorg. These problems were found both before and after installing the update. The script I used for installing (after creating the disk image) was #!/bin/bash Dir="/qemu" Size="16G" Arch="32" Iso="/s3/m3/mageia3-beta2/Mageia-3-beta2-LiveDVD-KDE4-i586-DVD/Mageia-3-beta2-LiveDVD-KDE4-i586-DVD.iso" Iso="/home/dave/software/i2/boot-nonfree.iso" cd "$Dir" qemu-img create mageia"$Arch".qcow "$Size" qemu-system-i386 -cdrom "$Iso" -hda mageia"$Arch".qcow2 -boot d -net nic -net user,net=192.168.10.0/16,host=192.168.10.3 -m 2047 -vga qxl This was with the kvm module loaded. Testing complete on Mageia 2 i586.
Testing x86-64 now.
I made the mistake of thinking qemu-system-x86_64 would be faster than the i586 version, on a x86_64 host. After 6 hours getting a full kde install, that has spent 20 minutes, with the desktop showing, but no icons yet available on the panel, I'm going to post a message to the developers mailing list asking for qemu to be dropped from Mageia 3, as a useless package. I'm giving up trying to test this package. As it's a security update, I'm going to go ahead and validate it, even though it's clear no-one could be using it. I have confirmed the updated package installs cleanly, on a 64 bit system. Could someone from the sysadmin team push the srpm x11-driver-video-qxl-0.0.16-4.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates. Advisory: Updated x11-driver-video-qxl package fixes security vulnerability: A flaw was found in the way the host's qemu-kvm qxl driver and the guest's X.Org qxl driver interacted when a SPICE connection terminated. A user able to initiate a SPICE connection to a guest could use this flaw to make the guest temporarily unavailable or, potentially (if the sysctl kernel.softlockup_panic variable was set to "1" in the guest), crash the guest (CVE-2013-0241). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0241 https://rhn.redhat.com/errata/RHSA-2013-0218.html https://bugs.mageia.org/show_bug.cgi?id=8938
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsWhiteboard: (none) => MGA2-64-OK MGA2-32-OK
Did you have qemu-kvm installed Dave? It enables the cpu vm extensions. qemu is very slow though you're right.
Sorry I see in comment 3 you did.
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0036
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED
Sorry Dave Hodgins, but I have multiple VMs running under virt-manager/libvirt/kvm on Magiea 1 and Mageia 2. I don't think we can cover all the prerequisites (hardware virtualisation support in your CPU, hardware virtualisation enabled in your BIOS) of a modern hypervisor in a bug report. But, the lack of bug reports on a platform that is used by all the major linux distros as enterprise virtualisation may rather point to how well KVM works. Please continue shipping updates, as many people are using these packages.
CC: (none) => bgmilne
Well this particular package is completely broken on Cauldron, so someone needs to take care of it. Christiaan said he tried and wasn't able to. I did notice that ROSA has a newer version of it, so maybe syncing with them would fix it.
CC: (none) => cjw