On Fri, Mar 27, 2015 at 11:26:35AM +0300, Michael Tokarev wrote:
> 26.03.2015 16:47, Moritz Muehlenhoff wrote:
> > Source: qemu
> > Severity: important
> > Tags: security
> > 
> > Hi Michael,
> > two security issues in qemu (you're probably aware, but let's track this 
> > through a bug):
> 
> Yes indeed, I've seen them on oss-sec and on qemu-devel.  Wanted to
> submit two bugreports but you was faster ;)

Heh :-)

> > CVE-2015-1779:
> > https://lists.gnu.org/archive/html/qemu-devel/2015-03/msg04894.html
> 
> This one is about websockets, a rarely used feature.  There was an
> interesting comment about the patch series down in the thread, here:
> 
> https://lists.gnu.org/archive/html/qemu-devel/2015-03/msg04995.html
> 
> So I'm not sure yet whenever it's a good idea to apply the series
> before upstream decides what to do.

No, let's wait with the jessie fix until this properly sorted out
upstream.

> > malicious PRDT flow from guest to host (no CVE ID yet):
> > CVE request: http://www.openwall.com/lists/oss-security/2015/03/24/4
> > http://git.qemu.org/?p=qemu.git;a=commitdiff;h=3251bdcf1c67427d964517053c3d185b46e618e8
> 
> This one affects wheezy too.  But it isn't really that much of a
> security issue, I wonder why they keep assigning CVEs for these
> things (maybe that's the reason why this one hasn't got a CVE#
> yet?).

I think that's mostly because MITRE isn't keeping up with the CVE
assignments at the moment.

> Qemu either leaks memory or loops infinitely.  Memory
> leakage can be easily mitigated using some kind of resource limits
> in security-sensitive environments, and looping can trivially be
> done inside the virtual machine just fine, achieving the same
> effect.  So I don't think this needs to be backported to wheezy
> at least.

That sounds reasonable, I'll update the security tracker.

Cheers,
        Moritz


-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to