qemu: CVE-2014-7840: insufficient parameter validation during ram load

Related Vulnerabilities: CVE-2014-7840  

Debian Bug report logs - #769451
qemu: CVE-2014-7840: insufficient parameter validation during ram load


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 13 Nov 2014 17:42:01 UTC

Severity: important

Tags: security, upstream

Found in version qemu/1.1.2+dfsg-6a

Fixed in version qemu/2.1+dfsg-8

Done: Michael Tokarev <mjt@tls.msk.ru>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#769451; Package src:qemu. (Thu, 13 Nov 2014 17:42:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Thu, 13 Nov 2014 17:42:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: qemu: CVE-2014-7840: insufficient parameter validation during ram load
Date: Thu, 13 Nov 2014 18:39:25 +0100
Source: qemu
Version: 1.1.2+dfsg-6a
Severity: important
Tags: security upstream

Hi Debian QEMU team,

the following vulnerability was published for qemu, I chose important
severity but it might actually be downgraded to normal.

CVE-2014-7840[0]:
insufficient parameter validation during ram load

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-7840
[1] http://thread.gmane.org/gmane.comp.emulators.qemu/306117

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#769451; Package src:qemu. (Thu, 13 Nov 2014 18:39:05 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Tokarev <mjt@tls.msk.ru>:
Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Thu, 13 Nov 2014 18:39:05 GMT) (full text, mbox, link).


Message #10 received at 769451@bugs.debian.org (full text, mbox, reply):

From: Michael Tokarev <mjt@tls.msk.ru>
To: Salvatore Bonaccorso <carnil@debian.org>, 769451@bugs.debian.org
Subject: Re: Bug#769451: qemu: CVE-2014-7840: insufficient parameter validation during ram load
Date: Thu, 13 Nov 2014 21:37:09 +0300
13.11.2014 20:39, Salvatore Bonaccorso wrote:
> Source: qemu
> Version: 1.1.2+dfsg-6a
> Severity: important
> Tags: security upstream
> 
> Hi Debian QEMU team,
> 
> the following vulnerability was published for qemu, I chose important
> severity but it might actually be downgraded to normal.
> 
> CVE-2014-7840[0]:
> insufficient parameter validation during ram load

It is the same thing as #739589 (insufficient input validation during
state load) -- new and more exciting ways to exploit this are found
all the time...  (I mean, it is another issue of the same sort, not
something which has already been fixed in debian).

We decided we will not try to fix this in wheezy - either all of the
issues should be fixed or none, there's no reason to fix some but
ignore others.

We also decided this is not a very important issue, because it only
happens when you allow untrusted parties to send you guest memory
state which is rather uncommon (see comments in that bugreport).

Yes it affects wheezy version, but it is wontfix for wheezy for the
above reason.  And yes I'll fix it for jessie, the patch in question
has been applied to my local qemu git repository yesterday.

Thanks,

/mjt
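
Michael's point above is that the exposure is limited to hosts that accept a migration stream from a party they do not trust; the defect named in the bug title is that the loader uses parameters taken from that stream without checking them against the receiving side's RAM layout. The following is an added example written for this page, not QEMU's code and not the upstream patch named in the changelog. It is a deliberately simplified model of a guest-RAM migration section: the record layout, the flag values, the block name `pc.ram` and the function names `ram_load` and `host_from_stream` are all assumptions made here. It shows the checks a loader needs before it touches guest memory at a stream-supplied offset, plus a set of constructed malformed streams that each check rejects. The page does not say which parameter went unchecked upstream, so the code illustrates the class of bug rather than the specific defect.

```c
/*
 * Added example (not QEMU code): simplified loader for a guest-RAM migration
 * section, with the parameter checks needed when the sender is untrusted.
 * Assumed record layout (invented for this example, not QEMU's format):
 *   u64 header = page_offset | flags      (flags live in the low 12 bits)
 *   u8 idlen + idlen bytes of block name  (absent when FLAG_CONTINUE is set)
 *   PAGE_SIZE bytes of page data          (present when FLAG_PAGE is set)
 */
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE     4096
#define FLAG_PAGE     0x08
#define FLAG_EOS      0x10
#define FLAG_CONTINUE 0x20
#define FLAG_MASK     (FLAG_PAGE | FLAG_EOS | FLAG_CONTINUE)

typedef struct { char idstr[32]; uint64_t length; uint8_t *host; } RamBlock;
typedef struct { const uint8_t *buf; size_t len, pos; } Stream;

static int get_bytes(Stream *s, void *out, size_t n)
{
    if (s->len - s->pos < n) return -1;           /* truncated stream */
    memcpy(out, s->buf + s->pos, n);
    s->pos += n;
    return 0;
}

/* Map (offset, flags) to a host pointer; NULL if the record is malformed. */
static uint8_t *host_from_stream(Stream *s, RamBlock *blocks, size_t nblocks,
                                 uint64_t offset, uint64_t flags, RamBlock **cur)
{
    char id[256];
    uint8_t len;

    if (flags & FLAG_CONTINUE) {
        /* CONTINUE reuses the previous block: one must exist, and the
         * stream-supplied offset must still lie inside it. */
        if (!*cur || offset >= (*cur)->length) return NULL;
        return (*cur)->host + offset;
    }
    if (get_bytes(s, &len, 1) || get_bytes(s, id, len)) return NULL;
    id[len] = '\0';                               /* len <= 255, id has 256 */
    for (size_t i = 0; i < nblocks; i++) {
        if (strcmp(id, blocks[i].idstr) == 0) {
            if (offset >= blocks[i].length) return NULL;   /* beyond block end */
            *cur = &blocks[i];
            return blocks[i].host + offset;
        }
    }
    return NULL;                                  /* unknown block name */
}

/* 0 on success, -1 on any malformed input; on -1 the caller must abort the
 * whole migration rather than continue with partially written guest RAM. */
int ram_load(const uint8_t *data, size_t len, RamBlock *blocks, size_t nblocks)
{
    Stream s = { data, len, 0 };
    RamBlock *cur = NULL;
    uint64_t header;

    while (get_bytes(&s, &header, sizeof header) == 0) {
        uint64_t flags  = header & (PAGE_SIZE - 1);
        uint64_t offset = header & ~(uint64_t)(PAGE_SIZE - 1);
        uint8_t *host;

        /* Unknown flag bits, or an unaligned offset leaking into the flag field */
        if (flags & ~(uint64_t)FLAG_MASK) return -1;
        if (flags & FLAG_EOS) return 0;
        if (!(flags & FLAG_PAGE)) return -1;      /* only page records are modelled */
        host = host_from_stream(&s, blocks, nblocks, offset, flags, &cur);
        if (!host) return -1;
        if (cur->length - offset < PAGE_SIZE) return -1;  /* the whole page must fit */
        if (get_bytes(&s, host, PAGE_SIZE)) return -1;    /* page data truncated */
    }
    return -1;                                    /* stream ended without EOS */
}

/* Builds one constructed record for the demo; id == NULL means CONTINUE. */
static size_t put_record(uint8_t *out, uint64_t offset, uint64_t flags,
                         const char *id, const uint8_t *page)
{
    uint64_t header = offset | flags;
    size_t n = sizeof header;
    memcpy(out, &header, n);
    if (id) { size_t l = strlen(id); out[n++] = (uint8_t)l; memcpy(out + n, id, l); n += l; }
    if (page) { memcpy(out + n, page, PAGE_SIZE); n += PAGE_SIZE; }
    return n;
}

/* Returns how many of the five constructed streams were handled correctly. */
int demo(void)
{
    static uint8_t ram[2 * PAGE_SIZE], page[PAGE_SIZE], buf[3 * PAGE_SIZE];
    RamBlock blocks[1] = { { "pc.ram", sizeof ram, ram } };
    size_t n;
    int ok = 0;

    memset(page, 0xAB, sizeof page);
    memset(ram, 0, sizeof ram);

    /* good: page 0 named explicitly, page 1 via CONTINUE, then EOS */
    n  = put_record(buf, 0, FLAG_PAGE, "pc.ram", page);
    n += put_record(buf + n, PAGE_SIZE, FLAG_PAGE | FLAG_CONTINUE, NULL, page);
    n += put_record(buf + n, 0, FLAG_EOS, NULL, NULL);
    if (ram_load(buf, n, blocks, 1) == 0 && ram[PAGE_SIZE] == 0xAB) ok++;

    /* bad: offset far past the end of the only block */
    n = put_record(buf, 64 * PAGE_SIZE, FLAG_PAGE, "pc.ram", page);
    if (ram_load(buf, n, blocks, 1) == -1) ok++;

    /* bad: CONTINUE before any block has been named */
    n = put_record(buf, 0, FLAG_PAGE | FLAG_CONTINUE, NULL, page);
    if (ram_load(buf, n, blocks, 1) == -1) ok++;

    /* bad: block name the receiver does not have */
    n = put_record(buf, 0, FLAG_PAGE, "no-such-block", page);
    if (ram_load(buf, n, blocks, 1) == -1) ok++;

    /* bad: page record cut off before the page data is complete */
    n = put_record(buf, 0, FLAG_PAGE, "pc.ram", page) - 100;
    if (ram_load(buf, n, blocks, 1) == -1) ok++;

    return ok;                                    /* 5 when every check fires */
}
```

The design point is that every value the sender controls (the block name length, the name itself, the offset, the flag bits, and the amount of page data that actually follows) is validated against state the receiver owns before any byte of guest RAM is written, and that the first failure aborts the load instead of skipping the record. The same discipline applies to the operational side of Michael's remark: a host that only ever receives migration streams from a peer it trusts never sees the malformed records, but the loader should not rely on that.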



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#769451; Package src:qemu. (Thu, 13 Nov 2014 19:36:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Thu, 13 Nov 2014 19:36:04 GMT) (full text, mbox, link).


Message #15 received at 769451@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Michael Tokarev <mjt@tls.msk.ru>, 769451@bugs.debian.org
Subject: Re: Bug#769451: qemu: CVE-2014-7840: insufficient parameter validation during ram load
Date: Thu, 13 Nov 2014 20:33:51 +0100
Hi Michael,

Thanks for your quick reply.

On Thu, Nov 13, 2014 at 09:37:09PM +0300, Michael Tokarev wrote:
> 13.11.2014 20:39, Salvatore Bonaccorso wrote:
> > Source: qemu
> > Version: 1.1.2+dfsg-6a
> > Severity: important
> > Tags: security upstream
> > 
> > Hi Debian QEMU team,
> > 
> > the following vulnerability was published for qemu, I chose important
> > severity but it might actually be downgraded to normal.
> > 
> > CVE-2014-7840[0]:
> > insufficient parameter validation during ram load
> 
> It is the same thing as #739589 (insufficient input validation during
> state load) -- new and more exciting ways to exploit this are found
> all the time...  (I mean, it is another issue of the same sort, not
> something which has already been fixed in debian).
> 
> We decided we will not try to fix this in wheezy - either all of the
> issues should be fixed or none, there's no reason to fix some but
> ignore others.
> 
> We also decided this is not a very important issue, because it only
> happens when you allow untrusted parties to send you guest memory
> state which is rather uncommon (see comments in that bugreport).

This makes sense.

> Yes it affects wheezy version, but it is wontfix for wheezy for the
> above reason.  And yes I'll fix it for jessie, the patch in question
> has been applied to my local qemu git repository yesterday.

Sure, also makes sense. I'm particularly interested in tracking issues
in the security-tracker with appropriate cross-references to the BTS.
I have marked it appropriately in the tracker.

Thanks for your work!

Regards,
Salvatore



Added tag(s) pending. Request was from <mjt@tls.msk.ru> to control@bugs.debian.org. (Fri, 14 Nov 2014 04:12:09 GMT) (full text, mbox, link).


Reply sent to Michael Tokarev <mjt@tls.msk.ru>:
You have taken responsibility. (Thu, 27 Nov 2014 16:09:31 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 27 Nov 2014 16:09:31 GMT) (full text, mbox, link).


Message #22 received at 769451-close@bugs.debian.org (full text, mbox, reply):

From: Michael Tokarev <mjt@tls.msk.ru>
To: 769451-close@bugs.debian.org
Subject: Bug#769451: fixed in qemu 2.1+dfsg-8
Date: Thu, 27 Nov 2014 16:07:13 +0000
Source: qemu
Source-Version: 2.1+dfsg-8

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 769451@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 27 Nov 2014 18:32:45 +0300
Source: qemu
Binary: qemu qemu-system qemu-system-common qemu-system-misc qemu-system-arm qemu-system-mips qemu-system-ppc qemu-system-sparc qemu-system-x86 qemu-user qemu-user-static qemu-user-binfmt qemu-utils qemu-guest-agent qemu-kvm
Architecture: source
Version: 2.1+dfsg-8
Distribution: unstable
Urgency: low
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Description:
 qemu       - fast processor emulator
 qemu-guest-agent - Guest-side qemu-system agent
 qemu-kvm   - QEMU Full virtualization on x86 hardware
 qemu-system - QEMU full system emulation binaries
 qemu-system-arm - QEMU full system emulation binaries (arm)
 qemu-system-common - QEMU full system emulation binaries (common files)
 qemu-system-mips - QEMU full system emulation binaries (mips)
 qemu-system-misc - QEMU full system emulation binaries (miscelaneous)
 qemu-system-ppc - QEMU full system emulation binaries (ppc)
 qemu-system-sparc - QEMU full system emulation binaries (sparc)
 qemu-system-x86 - QEMU full system emulation binaries (x86)
 qemu-user  - QEMU user mode emulation binaries
 qemu-user-binfmt - QEMU user mode binfmt registration for qemu-user
 qemu-user-static - QEMU user mode emulation binaries (static version)
 qemu-utils - QEMU utilities
Closes: 763043 763841 768244 768926 769451 769470 770468 770880
Changes:
 qemu (2.1+dfsg-8) unstable; urgency=low
 .
   [ Michael Tokarev ]
   * add Built-Using control field for qemu-user-static package:
     take contents of qemu-user ${shlibs:Depends} and transform it
     into list of source packages with versions.  (Closes: #768926)
   * run remove-alternatives in qemu-system.postinst (the metapkg)
     too, not only in qemu-system-XX.postinst, to handle upgrades
     from wheezy (Closes: #768244)
   * several fixes for debian/qemu-user.1 manpage.  It needs more
     work, but at least some easy and obvious errors are fixed now.
     (Closes: #763841)
   * migration-fix-parameter-validation-on-ram-load.patch from upstream
     (Closes: #769451 CVE-2014-7840)
   * fix x86_64 binfmt mask to allow more values in ELF_OSABI field
     (byte7).  Current gcc/binfmt sometimes produces binaries with
     this field set to 3 (OSABI_GNU) not 0 (OSABI_SYSV) as used to be.
     Set mask to 0xfb not 0xff here, to allow 0 (traditional SYSV),
     1 (HPUX), 2 (NETBSD) or 3 (GNU).  This lets 2 more types than
     necessary, but qemu will reject wrong types so no harm is done.
     Some other binfmts ignore this field completely (with mask=0).
     Maybe some day we'll have 2 different binfmt registrations for
     the 2 different ABI types.  (Closes: #763043)
   * usb-host-fix-usb_host_speed_compat-tyops.patch -- fix host usb devices
     attach, without this patch many USB devices does not work
   * qdev-monitor-fix-segmentation-fault-on-qdev_device_h.patch - trivial
     patch from upstream to fix segfault in -device foo,help (Closes: #770880)
 .
   [ Aurelien Jarno ]
   * Add tcg-mips-fix-store-softmmu-slow-path.patch from upstream to fix
     TCG support on mips/mipsel hosts (Closes: #769470).
 .
   [ Ian Campbell ]
   * Backport patch to fix unmapping of persistent grants in the Xen qdisk
     backend (Closes: #770468).
Checksums-Sha1:
 dba3205f47316d77e9b40e25b47eaf2312d726dc 5152 qemu_2.1+dfsg-8.dsc
 b76331ca9c9c104790de70760a4d7f29f59fe5ee 87220 qemu_2.1+dfsg-8.debian.tar.xz
Checksums-Sha256:
 c4990d16ad4e87b529efe373bdc28b64d7022e99271e33964a6a8f0eec2ace57 5152 qemu_2.1+dfsg-8.dsc
 9007e000423e6bb8ea3339d8010a1b3a224aa6e11d9f01d87f581139621d8c76 87220 qemu_2.1+dfsg-8.debian.tar.xz
Files:
 24f1f578263c4c22b002e03b48e533e6 5152 otherosfs optional qemu_2.1+dfsg-8.dsc
 df7ef6c6680cbe38ef0ea0880b8abb45 87220 otherosfs optional qemu_2.1+dfsg-8.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJUd0fPAAoJEL7lnXSkw9fbL84H/RLk2xiEKHddKdv//ws6yhbQ
IDaYxrLOafshx+eZ3Cj4kv6rIZcpg+21MtDdM4I6rSBYQ/LgE1qB/OqakFXADAZJ
IgMSSv8FWi5BA3iYX13Lbq/4KlcY3VKiW5I5au4ipeZ4myZ1PoIV07JFKx7Dh5W3
6e2+TLNHqa00y1sjFB0BHJWUvXaiomvz/Fy+SSjJE2A/K25bSWDL0GsUSC7A6q1l
8KMikO8s+VoNDxesHm1y0d9uOHjjqfYO5TXxmLS6AQTQTqqCbFL1zfD0sQqdZZX0
ubWDsvkDifDY+P7jtWafwzDGeuQDyOlSu55BD6WdCGLLPs187+dICpYQ60Atavo=
=pNq9
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 12 Jan 2015 07:28:45 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:21:02 2019; Machine Name: buxtehude
