Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

CVE-2018-20124

Related Vulnerabilities: CVE-2018-20124  

Source

Debian Bug report logs - #922461
CVE-2018-20124

version graph

Package: src:qemu; Maintainer for src:qemu is Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>;

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sat, 16 Feb 2019 12:45:02 UTC

Severity: minor

Tags: security, upstream

Found in version qemu/1:3.1+dfsg-3

Forwarded to https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02822.html

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#922461; Package src:qemu. (Sat, 16 Feb 2019 12:45:04 GMT) (full text, mbox, link).

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Sat, 16 Feb 2019 12:45:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2018-20124
Date: Sat, 16 Feb 2019 13:41:52 +0100
Source: qemu
Severity: grave
Tags: security

When rdma was enabled in -3, this also made a fix for CVE-2018-20124 necessary:

https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02822.html
https://git.qemu.org/?p=qemu.git;a=commit;h=0e68373cc2b3a063ce067bc0cc3edaf370752890

Cheers,
        Moritz

Marked as found in versions qemu/1:3.1+dfsg-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Feb 2019 12:57:02 GMT) (full text, mbox, link).

Marked as found in versions qemu/1:3.1+dfsg-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Feb 2019 12:57:03 GMT) (full text, mbox, link).

Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Feb 2019 12:57:03 GMT) (full text, mbox, link).

Set Bug forwarded-to-address to 'https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02822.html'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Feb 2019 12:57:04 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#922461; Package src:qemu. (Sat, 16 Feb 2019 13:09:02 GMT) (full text, mbox, link).

Acknowledgement sent to Michael Tokarev <mjt@tls.msk.ru>:
Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Sat, 16 Feb 2019 13:09:02 GMT) (full text, mbox, link).

Message #18 received at 922461@bugs.debian.org (full text, mbox, reply):

From: Michael Tokarev <mjt@tls.msk.ru>
To: Moritz Muehlenhoff <jmm@debian.org>, 922461@bugs.debian.org
Subject: Re: Bug#922461: CVE-2018-20124
Date: Sat, 16 Feb 2019 16:05:15 +0300
Control: notfound -1 1:3.1+dfsg-4

16.02.2019 15:41, Moritz Muehlenhoff wrote:
> Source: qemu
> Severity: grave
> Tags: security
> 
> When rdma was enabled in -3, this also made a fix for CVE-2018-20124 necessary:

Yes indeed.

But since this code has a ton of bugs (not only security) and is generally
quite a bit too "fluxy", I disabled it entirely in -4.

> https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02822.html
> https://git.qemu.org/?p=qemu.git;a=commit;h=0e68373cc2b3a063ce067bc0cc3edaf370752890

Note this is pvrdma, an optimized vmware-like device.
RDMA is in migration, not guest visible.

So I think this can be closed, or at least be made unimportant,
b/c is is only applies to the source code, not to the binary
(code is not compiled into binary).

$ cat hw/rdma/Makefile.objs
ifeq ($(CONFIG_PVRDMA),y)
obj-$(CONFIG_PCI) += rdma_utils.o rdma_backend.o rdma_rm.o
obj-$(CONFIG_PCI) += vmw/pvrdma_dev_ring.o vmw/pvrdma_cmd.o \
                     vmw/pvrdma_qp_ops.o vmw/pvrdma_main.o
endif


Thanks,

/mjt

No longer marked as found in versions qemu/1:3.1+dfsg-4. Request was from Michael Tokarev <mjt@tls.msk.ru> to 922461-submit@bugs.debian.org. (Sat, 16 Feb 2019 13:09:02 GMT) (full text, mbox, link).

Severity set to 'minor' from 'grave' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Feb 2019 14:15:03 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:52:56 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started