Debian Bug report logs - #922923
qemu: CVE-2019-8934: ppc64: sPAPR emulator leaks the host hardware identity
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>: Bug#922923; Package src:qemu. (Thu, 21 Feb 2019 21:27:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Thu, 21 Feb 2019 21:27:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: qemu
Version: 1:3.1+dfsg-4
Severity: normal
Tags: security upstream
Forwarded: https://lists.gnu.org/archive/html/qemu-devel/2019-02/msg04821.html
Hi,
The following vulnerability was published for qemu.
CVE-2019-8934[0]:
ppc64: sPAPR emulator leaks the host hardware identity
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-8934
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8934
[1] https://lists.gnu.org/archive/html/qemu-devel/2019-02/msg04821.html
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1668022
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>: Bug#922923; Package src:qemu. (Thu, 21 Feb 2019 22:45:03 GMT)
Acknowledgement sent to Michael Tokarev <mjt@tls.msk.ru>: Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Thu, 21 Feb 2019 22:45:03 GMT)
Message #10 received at 922923@bugs.debian.org:
22.02.2019 0:22, Salvatore Bonaccorso wrote:
> Source: qemu
> Version: 1:3.1+dfsg-4
> Severity: normal
> Tags: security upstream
> Forwarded: https://lists.gnu.org/archive/html/qemu-devel/2019-02/msg04821.html
>
> Hi,
>
> The following vulnerability was published for qemu.
>
> CVE-2019-8934[0]:
> ppc64: sPAPR emulator leaks the host hardware identity
This one's interesting. The vuln itself and the fix too.
First is described elsewhere.
For the second, we can't "just" fix it, -- the fix is to provide
a way to avoid the "leakage" by means of a command-line option,
and of course a management tool, if any, to run qemu, needs to know
and use this option.
But it is not all really, since this "fix" breaks migration stream
format, so it can't just be backported to 3.1 (the fix applies to
the ongoing next version of qemu). I dunno how much do we care about
the online migration of a ppc guest, probably not _very_ much, so
this might be an easy path to take. If it is, we can just use a
straight backport of this patch to current debian 3.1 version and
be done with it (modulo the first part -- something needs to actually
use the fix anyway).
Thanks,
/mjt
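A management-side check for the point made in the message above, as an added example that is not part of this bug thread or of QEMU: it audits a QEMU command line for the pseries machine properties that control the exposure. The property names `host-model` and `host-serial` and their `none`/`passthrough` values do not appear in this thread; they are taken from upstream QEMU 4.0 and are an assumption here, as are the function names and the constructed command lines in the comments.

```python
import shlex

# Assumption: these pseries machine properties come from upstream QEMU 4.0,
# not from this bug thread.
LEAK_PROPS = ("host-model", "host-serial")
UNSET = "unset: result depends on the machine-type default"
EXPOSED = "passthrough: guest sees the host value"
OK = "ok: host value not passed through"


def machine_props(argv):
    """Merge the key=value properties of every -M / -machine argument."""
    props = {}
    for flag, value in zip(argv, argv[1:]):
        if flag in ("-M", "-machine", "--machine"):
            for i, item in enumerate(value.split(",")):
                key, sep, val = item.partition("=")
                if i == 0 and not sep:
                    key, val = "type", item  # bare leading machine type
                props[key] = val
    return props


def audit(cmdline):
    """Return {property: finding} for a pseries guest, {} for other machines.

    Only command lines that name the machine type explicitly are handled.
    """
    props = machine_props(shlex.split(cmdline))
    if not props.get("type", "").startswith("pseries"):
        return {}
    findings = {}
    for name in LEAK_PROPS:
        value = props.get(name)
        if value is None:
            findings[name] = UNSET
        elif value == "passthrough":
            findings[name] = EXPOSED
        else:
            findings[name] = OK  # "none" or an operator-chosen string
    return findings


# Constructed command lines a management tool might generate:
#   audit("qemu-system-ppc64 -M pseries-3.1 -m 2G")
#   audit("qemu-system-ppc64 -machine pseries,host-model=none,host-serial=none")
```
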
Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>: Bug#922923; Package src:qemu. (Fri, 22 Feb 2019 21:09:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <salvatore.bonaccorso@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Fri, 22 Feb 2019 21:09:03 GMT)
Message #15 received at 922923@bugs.debian.org:
Hi Michael,
On Fri, Feb 22, 2019 at 01:43:39AM +0300, Michael Tokarev wrote:
> 22.02.2019 0:22, Salvatore Bonaccorso wrote:
> > Source: qemu
> > Version: 1:3.1+dfsg-4
> > Severity: normal
> > Tags: security upstream
> > Forwarded: https://lists.gnu.org/archive/html/qemu-devel/2019-02/msg04821.html
> >
> > Hi,
> >
> > The following vulnerability was published for qemu.
> >
> > CVE-2019-8934[0]:
> > ppc64: sPAPR emulator leaks the host hardware identity
>
> This one's interesting. The vuln itself and the fix too.
> First is described elsewhere.
>
> For the second, we can't "just" fix it, -- the fix is to provide
> a way to avoid the "leakage" by means of a command-line option,
> and of course a management tool, if any, to run qemu, needs to know
> and use this option.
>
> But it is not all really, since this "fix" breaks migration stream
> format, so it can't just be backported to 3.1 (the fix applies to
> the ongoing next version of qemu). I dunno how much do we care about
> the online migration of a ppc guest, probably not _very_ much, so
> this might be an easy path to take. If it is, we can just use a
> straight backport of this patch to current debian 3.1 version and
> be done with it (modulo the first part -- something needs to actually
> use the fix anyway).
Thanks for the explanations. So I guess it's safest to just wait for
the respective upstream version which will integrate the fixes and
furthermore not try to backport fixes to older versions.
Regards,
Salvatore
Last modified: Wed Jun 19 15:48:25 2019