qemu: CVE-2008-1945 media handling vulnerability

Related Vulnerabilities: CVE-2008-1945, CVE-2008-2004, CVE-2008-0928, CVE-2008-4539

Debian Bug report logs - #526013

Reported by: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>

Date: Tue, 28 Apr 2009 17:06:02 UTC

Severity: important

Tags: security

Found in version qemu/0.9.1-5

Fixed in versions qemu/0.10.1-1, qemu/0.9.1-10lenny1, qemu/0.8.2-4etch4

Done: Aurelien Jarno <aurel32@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#526013; Package qemu. (Tue, 28 Apr 2009 17:06:04 GMT).


Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Tue, 28 Apr 2009 17:06:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: qemu: CVE-2008-1945 media handling vulnerability
Date: Tue, 28 Apr 2009 13:05:31 -0400

Package: qemu
Severity: important
Tags: security
Fixed: 0.9.1-5

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for qemu.

CVE-2008-1945[0]:
| QEMU 0.9.0 does not properly handle changes to removable media, which
| allows guest OS users to read arbitrary files on the host OS by using
| the diskformat: parameter in the -usbdevice option to modify the
| disk-image header to identify a different format, a related issue to
| CVE-2008-2004.

This is already fixed in version 0.9.1-5 in unstable.  Please
coordinate with the security team (team@security.debian.org) to prepare
packages for the stable releases.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1945
    http://security-tracker.debian.net/tracker/CVE-2008-1945

Thanks,
Mike
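
An added example (not part of the bug report and not QEMU code): a host-side check for the condition the CVE description refers to, a disk image whose header identifies a format other than the one the administrator declared. The magic table, function names and sample files are assumptions of this example; the samples are constructed.

```python
import os
import struct
import tempfile

# Header magics of container formats at offset 0 (assumed table for this example).
MAGICS = {
    b"QFI\xfb": "qcow",   # qcow and qcow2 share the magic; a version word follows
    b"KDMV": "vmdk",      # VMware sparse extent
    b"COWD": "vmdk3",     # older VMware COW disk
}

def probe_format(path):
    """Return the format the first bytes of `path` claim, or 'raw'."""
    with open(path, "rb") as f:
        head = f.read(8)
    name = MAGICS.get(head[:4])
    if name == "qcow" and len(head) == 8:
        version = struct.unpack(">I", head[4:8])[0]
        return "qcow2" if version >= 2 else "qcow"
    return name or "raw"

def audit_declared(images):
    """images: {path: declared_format}. Return [(path, declared, probed)]
    for every image whose header disagrees with the declared format."""
    findings = []
    for path, declared in sorted(images.items()):
        probed = probe_format(path)
        if probed != declared:
            findings.append((path, declared, probed))
    return findings

def demo():
    """Constructed sample: two disks declared raw, one carrying a qcow2 header."""
    d = tempfile.mkdtemp()
    clean = os.path.join(d, "clean.img")
    odd = os.path.join(d, "odd.img")
    with open(clean, "wb") as f:
        f.write(b"\x00" * 512)
    with open(odd, "wb") as f:
        f.write(b"QFI\xfb" + struct.pack(">I", 2) + b"\x00" * 504)
    return [(os.path.basename(p), dec, got)
            for p, dec, got in audit_declared({clean: "raw", odd: "raw"})]

if __name__ == "__main__":
    for finding in demo():
        print("header/declared mismatch:", finding)
```

A mismatch on an image that a guest can write to is the case worth investigating before that image is attached again.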




Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#526013; Package qemu. (Tue, 28 Apr 2009 19:33:02 GMT).


Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Tue, 28 Apr 2009 19:33:02 GMT).


Message #10 received at 526013@bugs.debian.org:

From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
To: 526013@bugs.debian.org, control@bugs.debian.org
Subject: more info
Date: Tue, 28 Apr 2009 15:29:54 -0400

fixed 526013 0.9.1-5
thanks

I should have mentioned that qemu > 0.9.1-5 is already in lenny, so the
security update will need to be for etch only.




Bug marked as fixed in version 0.9.1-5. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Tue, 28 Apr 2009 19:33:03 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#526013; Package qemu. (Sat, 02 May 2009 13:48:04 GMT).


Acknowledgement sent to Aurelien Jarno <aurelien@aurel32.net>:
Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Sat, 02 May 2009 13:48:05 GMT).


Message #17 received at 526013@bugs.debian.org:

From: Aurelien Jarno <aurelien@aurel32.net>
To: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
Cc: 526013@bugs.debian.org
Subject: Re: qemu: CVE-2008-1945 media handling vulnerability
Date: Sat, 2 May 2009 15:46:08 +0200

found 526013 0.9.1-5
thanks

On Tue, Apr 28, 2009 at 01:05:31PM -0400, Michael S. Gilbert wrote:
> Package: qemu
> Severity: important
> Tags: security
> Fixed: 0.9.1-5
> 
> Hi,
> 
> The following CVE (Common Vulnerabilities & Exposures) id was
> published for qemu.
> 
> CVE-2008-1945[0]:
> | QEMU 0.9.0 does not properly handle changes to removable media, which
> | allows guest OS users to read arbitrary files on the host OS by using
> | the diskformat: parameter in the -usbdevice option to modify the
> | disk-image header to identify a different format, a related issue to
> | CVE-2008-2004.
> 
> This is already fixed in version 0.9.1-5 in unstable.  Please
> coordinate with the security team (team@security.debian.org) to prepare
> packages for the stable releases.
> 

This bug is actually present in 0.9.1-5. CVE-2008-2004 has been fixed,
but not CVE-2008-1945. I am working on a fix.

-- 
Aurelien Jarno	                        GPG: 1024D/F1BCDB73
aurelien@aurel32.net                 http://www.aurel32.net




Bug marked as found in version 0.9.1-5. Request was from Aurelien Jarno <aurelien@aurel32.net> to control@bugs.debian.org. (Sat, 02 May 2009 13:48:07 GMT).


Tags added: pending Request was from Aurelien Jarno <aurel32@alioth.debian.org> to control@bugs.debian.org. (Sat, 02 May 2009 13:51:05 GMT).


Bug marked as fixed in version 0.10.1-1. Request was from Aurelien Jarno <aurel32@debian.org> to control@bugs.debian.org. (Sun, 03 May 2009 11:45:02 GMT).


Tags added: pending Request was from Aurelien Jarno <aurel32@alioth.debian.org> to control@bugs.debian.org. (Sun, 03 May 2009 15:27:34 GMT).


Reply sent to Aurelien Jarno <aurel32@debian.org>:
You have taken responsibility. (Mon, 08 Jun 2009 22:36:11 GMT).


Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Mon, 08 Jun 2009 22:36:11 GMT).


Message #30 received at 526013-close@bugs.debian.org:

From: Aurelien Jarno <aurel32@debian.org>
To: 526013-close@bugs.debian.org
Subject: Bug#526013: fixed in qemu 0.9.1-10lenny1
Date: Mon, 08 Jun 2009 22:19:19 +0000

Source: qemu
Source-Version: 0.9.1-10lenny1

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive:

qemu_0.9.1-10lenny1.diff.gz
  to pool/main/q/qemu/qemu_0.9.1-10lenny1.diff.gz
qemu_0.9.1-10lenny1.dsc
  to pool/main/q/qemu/qemu_0.9.1-10lenny1.dsc
qemu_0.9.1-10lenny1_amd64.deb
  to pool/main/q/qemu/qemu_0.9.1-10lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 526013@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 02 May 2009 15:29:10 +0200
Source: qemu
Binary: qemu
Architecture: source amd64
Version: 0.9.1-10lenny1
Distribution: stable-security
Urgency: low
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Description:
 qemu       - fast processor emulator
Closes: 469649 526013 526040
Changes:
 qemu (0.9.1-10lenny1) stable-security; urgency=low
 .
   * debian/patches/91_security.patch: fix privilege escalation.
     (CVE-2008-0928). Closes: bug#469649.
   * debian/patches/97_security.patch: fix heap-based buffer overflow in
     the Cirrus VGA implementation (CVE-2008-4539). Closes: bug#526040.
   * debian/patches/98_security.patch: fix media handling vulnerability
     (CVE-2008-1945). Closes: bug#526013.





Reply sent to Aurelien Jarno <aurel32@debian.org>:
You have taken responsibility. (Sat, 27 Jun 2009 16:45:30 GMT).


Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sat, 27 Jun 2009 16:45:30 GMT).


Message #35 received at 526013-close@bugs.debian.org:

From: Aurelien Jarno <aurel32@debian.org>
To: 526013-close@bugs.debian.org
Subject: Bug#526013: fixed in qemu 0.9.1-10lenny1
Date: Sat, 27 Jun 2009 16:04:48 +0000

Source: qemu
Source-Version: 0.9.1-10lenny1

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive:

qemu_0.9.1-10lenny1.diff.gz
  to pool/main/q/qemu/qemu_0.9.1-10lenny1.diff.gz
qemu_0.9.1-10lenny1.dsc
  to pool/main/q/qemu/qemu_0.9.1-10lenny1.dsc
qemu_0.9.1-10lenny1_amd64.deb
  to pool/main/q/qemu/qemu_0.9.1-10lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 526013@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 02 May 2009 15:29:10 +0200
Source: qemu
Binary: qemu
Architecture: source amd64
Version: 0.9.1-10lenny1
Distribution: stable-security
Urgency: low
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Description:
 qemu       - fast processor emulator
Closes: 469649 526013 526040
Changes:
 qemu (0.9.1-10lenny1) stable-security; urgency=low
 .
   * debian/patches/91_security.patch: fix privilege escalation.
     (CVE-2008-0928). Closes: bug#469649.
   * debian/patches/97_security.patch: fix heap-based buffer overflow in
     the Cirrus VGA implementation (CVE-2008-4539). Closes: bug#526040.
   * debian/patches/98_security.patch: fix media handling vulnerability
     (CVE-2008-1945). Closes: bug#526013.





Reply sent to Aurelien Jarno <aurel32@debian.org>:
You have taken responsibility. (Fri, 03 Jul 2009 20:36:26 GMT).


Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Fri, 03 Jul 2009 20:36:26 GMT).


Message #40 received at 526013-close@bugs.debian.org:

From: Aurelien Jarno <aurel32@debian.org>
To: 526013-close@bugs.debian.org
Subject: Bug#526013: fixed in qemu 0.8.2-4etch4
Date: Fri, 03 Jul 2009 19:54:27 +0000

Source: qemu
Source-Version: 0.8.2-4etch4

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive:

qemu_0.8.2-4etch4.diff.gz
  to pool/main/q/qemu/qemu_0.8.2-4etch4.diff.gz
qemu_0.8.2-4etch4.dsc
  to pool/main/q/qemu/qemu_0.8.2-4etch4.dsc
qemu_0.8.2-4etch4_i386.deb
  to pool/main/q/qemu/qemu_0.8.2-4etch4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 526013@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sun, 03 May 2009 15:38:17 +0200
Source: qemu
Binary: qemu
Architecture: source i386
Version: 0.8.2-4etch4
Distribution: oldstable-security
Urgency: low
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Description:
 qemu       - fast processor emulator
Closes: 469649 526013
Changes:
 qemu (0.8.2-4etch4) oldstable-security; urgency=low
 .
   * debian/patches/92_security.patch: fix media handling vulnerability
     (CVE-2008-1945). Closes: bug#526013.
   * debian/patches/93_security.patch: fix privilege escalation.
     (CVE-2008-0928). Closes: bug#469649.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 01 Aug 2009 07:40:06 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:00:19 2019; Machine Name: buxtehude