qemu: cve-2013-2016

Related Vulnerabilities: CVE-2013-2016

Debian Bug report logs - #710822

Reported by: Michael Gilbert <mgilbert@debian.org>

Date: Sun, 2 Jun 2013 18:57:02 UTC

Severity: minor

Tags: security

Found in version qemu/1.3.0+dfsg-1~exp1

Fixed in version qemu/1.5.0+dfsg-1

Done: <mjt@tls.msk.ru>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#710822; Package qemu. (Sun, 02 Jun 2013 18:57:06 GMT)


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
New Bug report received and forwarded. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Sun, 02 Jun 2013 18:57:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: qemu: cve-2013-2016
Date: Sun, 2 Jun 2013 14:53:18 -0400

Package: qemu
Severity: serious
version: 1.5.0+dfsg-1
Tags: security

Hi,
An out-of-bounds issue in virtio was published for qemu:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2016

I've checked squeeze and wheezy (both qemu and qemu-kvm).  They are
both not affected.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2016
    http://security-tracker.debian.org/tracker/CVE-2013-2016

Please adjust the affected versions in the BTS as needed.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#710822; Package qemu. (Sun, 02 Jun 2013 19:57:04 GMT)


Acknowledgement sent to Michael Tokarev <mjt@tls.msk.ru>:
Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Sun, 02 Jun 2013 19:57:04 GMT)


Message #10 received at 710822@bugs.debian.org:

From: Michael Tokarev <mjt@tls.msk.ru>
To: Michael Gilbert <mgilbert@debian.org>, 710822@bugs.debian.org
Subject: Re: Bug#710822: qemu: cve-2013-2016
Date: Sun, 02 Jun 2013 23:54:05 +0400

Control: severity -1 minor

02.06.2013 22:53, Michael Gilbert wrote:
> Package: qemu
> Severity: serious
> version: 1.5.0+dfsg-1
> Tags: security
> 
> Hi,
> An out-of-bounds issue in virtio was published for qemu:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2016

Yes, that's the case.  However, the issue is so small, --
they weren't sure it is worth assigning a CVE# for it.
I even forgot to include the fix for it to the latest
1.5.0-3 release.

Setting severity as that.

> I've checked squeeze and wheezy (both qemu and qemu-kvm).  They are
> both not affected.

Thank you for that!

> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Yes, sure.  Thank you for the bugreport and the diagnostics!

/mjt



Severity set to 'minor' from 'serious'. Request was from Michael Tokarev <mjt@tls.msk.ru> to 710822-submit@bugs.debian.org. (Sun, 02 Jun 2013 19:57:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#710822; Package qemu. (Wed, 05 Jun 2013 17:15:08 GMT)


Acknowledgement sent to Michael Tokarev <mjt@tls.msk.ru>:
Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Wed, 05 Jun 2013 17:15:08 GMT)


Message #17 received at 710822@bugs.debian.org:

From: Michael Tokarev <mjt@tls.msk.ru>
To: Michael Gilbert <mgilbert@debian.org>, 710822@bugs.debian.org
Subject: Re: Bug#710822: qemu: cve-2013-2016
Date: Wed, 05 Jun 2013 21:12:37 +0400

02.06.2013 22:53, Michael Gilbert wrote:
> Package: qemu
> Severity: serious
> version: 1.5.0+dfsg-1
> Tags: security
> 
> Hi,
> An out-of-bounds issue in virtio was published for qemu:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2016

Hmm.  Now I'm really confused.

Upstream version 1.5.0 includes the fix for this issue, so
filing the bug against 1.5.0+dfsg-1 package is kind of wrong.
The fix is commit 5f5a1318653c08e435cfa52f60b6a712815b659d
which was applied past 1.5.0~rc0.

Yes, the experimental version of qemu, based on 1.5.0~rc0,
is buggy, but do we really care about it, especially since
current version is already fixed?

> I've checked squeeze and wheezy (both qemu and qemu-kvm).  They are
> both not affected.

To me it looks like no debian version of qemu is affected.

Thanks!

/mjt



No longer marked as found in versions qemu/1.5.0+dfsg-1. Request was from mjt@tls.msk.ru (Michael Tokarev) to control@bugs.debian.org. (Mon, 10 Jun 2013 07:12:05 GMT)


Marked as found in versions qemu/1.3.0+dfsg-1~exp1. Request was from mjt@tls.msk.ru (Michael Tokarev) to control@bugs.debian.org. (Mon, 10 Jun 2013 07:12:06 GMT)


Marked as fixed in versions qemu/1.5.0+dfsg-1. Request was from mjt@tls.msk.ru (Michael Tokarev) to control@bugs.debian.org. (Mon, 10 Jun 2013 07:12:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#710822; Package qemu. (Sun, 16 Jun 2013 19:33:04 GMT)


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Sun, 16 Jun 2013 19:33:04 GMT)


Message #28 received at 710822@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 710822@bugs.debian.org
Subject: Re: Bug#710822: qemu: cve-2013-2016
Date: Sun, 16 Jun 2013 15:29:17 -0400

On Wed, Jun 5, 2013 at 1:12 PM, Michael Tokarev wrote:
> 02.06.2013 22:53, Michael Gilbert wrote:
>> Package: qemu
>> Severity: serious
>> version: 1.5.0+dfsg-1
>> Tags: security
>>
>> Hi,
>> An out-of-bounds issue in virtio was published for qemu:
>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2016
>
> Hmm.  Now I'm really confused.
>
> Upstream version 1.5.0 includes the fix for this issue, so
> filing the bug against 1.5.0+dfsg-1 package is kind of wrong.
> The fix is commit 5f5a1318653c08e435cfa52f60b6a712815b659d
> which was applied past 1.5.0~rc0.

Is that a complete fix?  The suggested patch in the redhat bug [0]
also adds checks to virtio-pci.c, which is what I had used for
reference when checking whether this was fixed or not, and that is not
applied in the debian package yet.

Best wishes,
Mike

[0] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2016



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#710822; Package qemu. (Sat, 29 Jun 2013 19:48:04 GMT)


Acknowledgement sent to Michael Tokarev <mjt@tls.msk.ru>:
Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Sat, 29 Jun 2013 19:48:04 GMT)


Message #33 received at 710822@bugs.debian.org:

From: Michael Tokarev <mjt@tls.msk.ru>
To: Michael Gilbert <mgilbert@debian.org>, 710822@bugs.debian.org
Subject: Re: Bug#710822: qemu: cve-2013-2016
Date: Sat, 29 Jun 2013 23:45:24 +0400

Please excuse me for this really long delay with the answer.

16.06.2013 23:29, Michael Gilbert wrote:
> On Wed, Jun 5, 2013 at 1:12 PM, Michael Tokarev wrote:
>> 02.06.2013 22:53, Michael Gilbert wrote:
>>> Package: qemu
>>> Severity: serious
>>> version: 1.5.0+dfsg-1
>>> Tags: security
>>>
>>> Hi,
>>> An out-of-bounds issue in virtio was published for qemu:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2016
>>
>> Hmm.  Now I'm really confused.
>>
>> Upstream version 1.5.0 includes the fix for this issue, so
>> filing the bug against 1.5.0+dfsg-1 package is kind of wrong.
>> The fix is commit 5f5a1318653c08e435cfa52f60b6a712815b659d
>> which was applied past 1.5.0~rc0.
> 
> Is that a complete fix?  The suggested patch in the redhat bug [0]
> also adds checks to virtio-pci.c, which is what I had used for
> reference when checking whether this was fixed or not, and that is not
> applied in the debian package yet.

The fix referred to from that redhat bugreport (which is here --
https://lists.gnu.org/archive/html/qemu-devel/2013-04/msg05254.html
or http://thread.gmane.org/gmane.comp.emulators.qemu/208677 )
was a suggested patch.  After which some discussion emerged (see
the thread on gmane), and another, V2 version of the same patch was
sent, which is here -- http://patchwork.ozlabs.org/patch/241991/ or
http://thread.gmane.org/gmane.comp.emulators.qemu/210292 -- which has
been applied as 5f5a1318653c08e, which is included in 1.5.0-rc1 and up.

Thanks,

/mjt

> [0] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2016





Marked Bug as done. Request was from <mjt@tls.msk.ru> to control@bugs.debian.org. (Wed, 02 Oct 2013 13:33:04 GMT)


Notification sent to Michael Gilbert <mgilbert@debian.org>:
Bug acknowledged by developer. (Wed, 02 Oct 2013 13:33:05 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 31 Oct 2013 07:27:52 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:17:32 2019; Machine Name: buxtehude
