CVE-2013-1922 -- qemu-nbd block format auto-detection vulnerability

Related Vulnerabilities: CVE-2013-1922   CVE-2008-2004  

Debian Bug report logs - #705544
CVE-2013-1922 -- qemu-nbd block format auto-detection vulnerability


Reported by: Michael Tokarev <mjt@tls.msk.ru>

Date: Tue, 16 Apr 2013 14:33:02 UTC

Severity: normal

Tags: patch, security, upstream

Found in version qemu/1.1.2+dfsg-1

Fixed in version 1.5.0~rc0+dfsg-1

Done: Michael Tokarev <mjt@tls.msk.ru>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#705544; Package qemu-utils. (Tue, 16 Apr 2013 14:33:06 GMT)


Acknowledgement sent to Michael Tokarev <mjt@tls.msk.ru>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Tue, 16 Apr 2013 14:33:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Michael Tokarev <mjt@tls.msk.ru>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2013-1922 -- qemu-nbd block format auto-detection vulnerability
Date: Tue, 16 Apr 2013 18:28:33 +0400
Package: qemu-utils
Version: 1.1.2+dfsg-1
Severity: normal
Tags: security patch upstream

The qemu-nbd utility does not have an option to specify the format of the
block image it serves, so it is possible for a guest (user of the nbd
device) to write data to it in such a way that it looks like some format
known to qemu-nbd, and the next time qemu-nbd is restarted with the same
image, it will be tricked into interpreting that (probably specially
crafted) format.

It is very similar to an old vulnerability in qemu itself, CVE-2008-2004.

https://bugzilla.redhat.com/show_bug.cgi?id=923219
http://www.openwall.com/lists/oss-security/2013/04/15/3

The upstream fix -- https://bugzilla.redhat.com/attachment.cgi?id=712650&action=diff --
merely adds an option to qemu-nbd that allows specifying the format of the
image explicitly instead of always relying on guessing.

I don't think this is a serious issue, for several reasons:

 o qemu-nbd isn't usually used in production where there's a chance to
   hit a malicious guest. Instead, it is used mostly for testing or for
   access to the guest image from host, for administrative purposes, in
   both cases the issue isn't serious.

 o even when modified to understand a new option, all relevant usages should
   be modified as well, to utilize the new option.

However, it's still nice to fix it in the Debian package.  I'm not sure yet
whether we should fix it for wheezy or not.

Thanks,

/mjt
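A defender-side check for the scenario in the report above, added here as an example and not part of the bug report, of qemu, or of the Debian package: it inspects the head of an image that is meant to be served raw, flags any foreign format signature that format guessing could pick up, and emits the pinned `-f raw` qemu-nbd invocation. The signature table and the 4096-byte inspection window are assumptions of this example, not qemu's probing logic.

```python
"""Flag a supposedly raw disk image whose first bytes carry another
format's signature, the precondition for the qemu-nbd format
auto-detection problem (CVE-2013-1922).

Added example, not code from qemu or the Debian package.  The magic
values are the well-known on-disk signatures of those formats; qemu's
own probing order and scoring are not reproduced (assumption: any
signature hit is reason enough to refuse format guessing)."""
import os
import sys
import tempfile

# (format name, offset of the magic inside the image, magic bytes)
SIGNATURES = [
    ("qcow/qcow2", 0, b"QFI\xfb"),
    ("vmdk", 0, b"KDMV"),
    ("vhdx", 0, b"vhdxfile"),
    ("vpc/vhd", 0, b"conectix"),
    ("qed", 0, b"QED\x00"),
]
HEAD_LEN = 4096  # how much of the image head to inspect (assumption)


def foreign_signatures(head: bytes) -> list:
    """Names of every known format signature present in the image head."""
    return [name for name, off, magic in SIGNATURES
            if head[off:off + len(magic)] == magic]


def nbd_command(path: str) -> list:
    """The qemu-nbd argv an operator should run for a raw image.
    The format is pinned with -f regardless of the head contents, so a
    guest that rewrote the first sectors cannot change how it is parsed."""
    return ["qemu-nbd", "-f", "raw", path]


def check_raw_image(path: str) -> dict:
    """Inspect the image head and return the verdict plus the safe argv."""
    with open(path, "rb") as f:
        head = f.read(HEAD_LEN)
    hits = foreign_signatures(head)
    return {"path": path, "foreign_signatures": hits,
            "autodetect_safe": not hits, "command": nbd_command(path)}


if __name__ == "__main__":
    # Constructed sample: a "raw" image whose guest wrote a qcow2 magic at LBA 0.
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "guest.raw")
        with open(img, "wb") as f:
            f.write(b"QFI\xfb" + b"\x00" * 1020)
        print(check_raw_image(sys.argv[1] if len(sys.argv) > 1 else img))
```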



Reply sent to Michael Tokarev <mjt@tls.msk.ru>:
You have taken responsibility. (Thu, 09 May 2013 19:15:08 GMT)


Notification sent to Michael Tokarev <mjt@tls.msk.ru>:
Bug acknowledged by developer. (Thu, 09 May 2013 19:15:08 GMT)


Message #10 received at 705544-done@bugs.debian.org:

From: Michael Tokarev <mjt@tls.msk.ru>
To: 705544-done@bugs.debian.org
Subject: 705544 fixed in 1.5
Date: Thu, 09 May 2013 23:13:56 +0400
Version: 1.5.0~rc0+dfsg-1

The qemu-nbd option mentioned in the bug report was added for 1.5.
This still does not mean that qemu-nbd magically becomes safe and
bug-free; instead, all usages of it now should include the new
option (-f for `format') to actually make it safe.

/mjt



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 05 Dec 2013 07:32:58 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:21:19 2019; Machine Name: buxtehude
