Debian Bug report logs - #769451
qemu: CVE-2014-7840: insufficient parameter validation during ram load
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 13 Nov 2014 17:42:01 UTC
Severity: important
Tags: security, upstream
Found in version qemu/1.1.2+dfsg-6a
Fixed in version qemu/2.1+dfsg-8
Done: Michael Tokarev <mjt@tls.msk.ru>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>: Bug#769451; Package src:qemu. (Thu, 13 Nov 2014 17:42:06 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Thu, 13 Nov 2014 17:42:06 GMT)
Message #5 received at submit@bugs.debian.org:
Source: qemu
Version: 1.1.2+dfsg-6a
Severity: important
Tags: security upstream
Hi Debian QEMU team,
the following vulnerability was published for qemu, chose important
severity but actually might be downgraded to normal.
CVE-2014-7840[0]:
insufficient parameter validation during ram load
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2014-7840
[1] http://thread.gmane.org/gmane.comp.emulators.qemu/306117
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>: Bug#769451; Package src:qemu. (Thu, 13 Nov 2014 18:39:05 GMT)
Acknowledgement sent to Michael Tokarev <mjt@tls.msk.ru>: Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Thu, 13 Nov 2014 18:39:05 GMT)
Message #10 received at 769451@bugs.debian.org:
13.11.2014 20:39, Salvatore Bonaccorso wrote:
> Source: qemu
> Version: 1.1.2+dfsg-6a
> Severity: important
> Tags: security upstream
>
> Hi Debian QEMU team,
>
> the following vulnerability was published for qemu, chose important
> severity but actually might be downgraded to normal.
>
> CVE-2014-7840[0]:
> insufficient parameter validation during ram load
It is the same thing as #739589 (insufficient input validation during
state load) -- new and more exciting ways to exploit this are found
all the time... (I mean, it is another issue of the same sort, not
something which has already been fixed in debian).
We decided we will not try to fix this in wheezy - either all of the
issues should be fixed or none, there's no reason to fix some but
ignore others.
We also decided this is a not very important issue, because it only
happens when you allow untrusted parties to send you guest memory
state which is rather uncommon (see comments in that bugreport).
Yes it affects wheezy version, but it is wontfix for wheezy for the
above reason. And yes I'll fix it for jessie, the patch in question
has been applied to my local qemu git repository yesterday.
Thanks,
/mjt
Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>: Bug#769451; Package src:qemu. (Thu, 13 Nov 2014 19:36:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Thu, 13 Nov 2014 19:36:04 GMT)
Message #15 received at 769451@bugs.debian.org:
Hi Michael,
Thanks for your quick reply.
On Thu, Nov 13, 2014 at 09:37:09PM +0300, Michael Tokarev wrote:
> 13.11.2014 20:39, Salvatore Bonaccorso wrote:
> > Source: qemu
> > Version: 1.1.2+dfsg-6a
> > Severity: important
> > Tags: security upstream
> >
> > Hi Debian QEMU team,
> >
> > the following vulnerability was published for qemu, chose important
> > severity but actually might be downgraded to normal.
> >
> > CVE-2014-7840[0]:
> > insufficient parameter validation during ram load
>
> It is the same thing as #739589 (insufficient input validation during
> state load) -- new and more exciting ways to exploit this are found
> all the time... (I mean, it is another issue of the same sort, not
> something which has already been fixed in debian).
>
> We decided we will not try to fix this in wheezy - either all of the
> issues should be fixed or none, there's no reason to fix some but
> ignore others.
>
> We also decided this is a not very important issue, because it only
> happens when you allow untrusted parties to send you guest memory
> state which is rather uncommon (see comments in that bugreport).
This makes sense.
> Yes it affects wheezy version, but it is wontfix for wheezy for the
> above reason. And yes I'll fix it for jessie, the patch in question
> has been applied to my local qemu git repository yesterday.
Sure, also makes sense. I'm particularly interested in tracking issues
in the security-tracker with appropriate cross-references to the BTS.
I have marked it appropriately in the tracker.
Thanks for your work!
Regards,
Salvatore
Added tag(s) pending. Request was from <mjt@tls.msk.ru> to control@bugs.debian.org. (Fri, 14 Nov 2014 04:12:09 GMT)
Reply sent to Michael Tokarev <mjt@tls.msk.ru>: You have taken responsibility. (Thu, 27 Nov 2014 16:09:31 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Thu, 27 Nov 2014 16:09:31 GMT)
Message #22 received at 769451-close@bugs.debian.org:
Source: qemu
Source-Version: 2.1+dfsg-8
We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 769451@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated qemu package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 27 Nov 2014 18:32:45 +0300
Source: qemu
Binary: qemu qemu-system qemu-system-common qemu-system-misc qemu-system-arm qemu-system-mips qemu-system-ppc qemu-system-sparc qemu-system-x86 qemu-user qemu-user-static qemu-user-binfmt qemu-utils qemu-guest-agent qemu-kvm
Architecture: source
Version: 2.1+dfsg-8
Distribution: unstable
Urgency: low
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Description:
qemu - fast processor emulator
qemu-guest-agent - Guest-side qemu-system agent
qemu-kvm - QEMU Full virtualization on x86 hardware
qemu-system - QEMU full system emulation binaries
qemu-system-arm - QEMU full system emulation binaries (arm)
qemu-system-common - QEMU full system emulation binaries (common files)
qemu-system-mips - QEMU full system emulation binaries (mips)
qemu-system-misc - QEMU full system emulation binaries (miscelaneous)
qemu-system-ppc - QEMU full system emulation binaries (ppc)
qemu-system-sparc - QEMU full system emulation binaries (sparc)
qemu-system-x86 - QEMU full system emulation binaries (x86)
qemu-user - QEMU user mode emulation binaries
qemu-user-binfmt - QEMU user mode binfmt registration for qemu-user
qemu-user-static - QEMU user mode emulation binaries (static version)
qemu-utils - QEMU utilities
Closes: 763043 763841 768244 768926 769451 769470 770468 770880
Changes:
qemu (2.1+dfsg-8) unstable; urgency=low
.
[ Michael Tokarev ]
* add Built-Using control field for qemu-user-static package:
take contents of qemu-user ${shlibs:Depends} and transform it
into list of source packages with versions. (Closes: #768926)
* run remove-alternatives in qemu-system.postinst (the metapkg)
too, not only in qemu-system-XX.postinst, to handle upgrades
from wheezy (Closes: #768244)
* several fixes for debian/qemu-user.1 manpage. It needs more
work, but at least some easy and obvious errors are fixed now.
(Closes: #763841)
* migration-fix-parameter-validation-on-ram-load.patch from upstream
(Closes: #769451 CVE-2014-7840)
* fix x86_64 binfmt mask to allow more values in ELF_OSABI field
(byte7). Current gcc/binfmt sometimes produces binaries with
this field set to 3 (OSABI_GNU) not 0 (OSABI_SYSV) as used to be.
Set mask to 0xfb not 0xff here, to allow 0 (traditional SYSV),
1 (HPUX), 2 (NETBSD) or 3 (GNU). This lets 2 more types than
necessary, but qemu will reject wrong types so no harm is done.
Some other binfmts ignore this field completely (with mask=0).
Maybe some day we'll have 2 different binfmt registrations for
the 2 different ABI types. (Closes: #763043)
* usb-host-fix-usb_host_speed_compat-tyops.patch -- fix host usb devices
attach, without this patch many USB devices does not work
* qdev-monitor-fix-segmentation-fault-on-qdev_device_h.patch - trivial
patch from upstream to fix segfault in -device foo,help (Closes: #770880)
.
[ Aurelien Jarno ]
* Add tcg-mips-fix-store-softmmu-slow-path.patch from upstream to fix
TCG support on mips/mipsel hosts (Closes: #769470).
.
[ Ian Campbell ]
* Backport patch to fix unmapping of persistent grants in the Xen qdisk
backend (Closes: #770468).
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 12 Jan 2015 07:28:45 GMT)
Last modified: Wed Jun 19 17:21:02 2019