On Fri, Mar 27, 2015 at 11:26:35AM +0300, Michael Tokarev wrote: > 26.03.2015 16:47, Moritz Muehlenhoff wrote: > > Source: qemu > > Severity: important > > Tags: security > > > > Hi Michael, > > two security issues in qemu (you're probably aware, but let's track this > > through a bug): > > Yes indeed, I've seen them on oss-sec and on qemu-devel. Wanted to > submit two bugreports but you was faster ;)
Heh :-) > > CVE-2015-1779: > > https://lists.gnu.org/archive/html/qemu-devel/2015-03/msg04894.html > > This one is about websockets, a rarely used feature. There was an > interesting comment about the patch series down in the thread, here: > > https://lists.gnu.org/archive/html/qemu-devel/2015-03/msg04995.html > > So I'm not sure yet whenever it's a good idea to apply the series > before upstream decides what to do. No, let's wait with the jessie fix until this properly sorted out upstream. > > malicious PRDT flow from guest to host (no CVE ID yet): > > CVE request: http://www.openwall.com/lists/oss-security/2015/03/24/4 > > http://git.qemu.org/?p=qemu.git;a=commitdiff;h=3251bdcf1c67427d964517053c3d185b46e618e8 > > This one affects wheezy too. But it isn't really that much of a > security issue, I wonder why they keep assigning CVEs for these > things (maybe that's the reason why this one hasn't got a CVE# > yet?). I think that's mostly because MITRE isn't keeping up with the CVE assignments at the moment. > Qemu either leaks memory or loops infinitely. Memory > leakage can be easily mitigated using some kind of resource limits > in security-sensitive environments, and looping can trivially be > done inside the virtual machine just fine, achieving the same > effect. So I don't think this needs to be backported to wheezy > at least. That sounds reasonable, I'll update the security tracker. Cheers, Moritz -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

