Your message dated Sun, 29 May 2011 18:18:38 +0000
with message-id <e1qqkzs-0007ej...@franck.debian.org>
and subject line Bug#624177: fixed in qemu-kvm 0.14.1+dfsg-1
has caused the Debian Bug report #624177,
regarding CVE-2011-1750 virtio-blk: heap buffer overflow caused by unaligned requests
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
624177: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=624177
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: qemu-kvm
Version: 0.12.5+dfsg-5
Severity: important
Tags: upstream patch pending security

This is CVE-2011-1750.  Patch is already available (backported from 0.14),
pushing it.

Petr Matousek <pmato...@redhat.com> wrote at Fri, 22 Apr 2011 05:08:15 -0400:

> It was found that virtio-blk driver in qemu-kvm did not properly
> validate read and write requests from the guest. A privileged guest user
> could use this flaw to cause heap corruption, causing the guest to crash
> (denial of service) or, possibly, resulting in the privileged guest user
> escalating their privileges on the host.
> 
> References:
> http://www.spinics.net/lists/kvm/msg51877.html
> https://bugzilla.redhat.com/show_bug.cgi?id=698906
> 
> Upstream commit:
> http://git.kernel.org/?p=virt/kvm/qemu-kvm.git;a=commit;h=52c050236eaa4f0b5e1d160cd66dc18106445c4d

/mjt



--- End Message ---
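
The kind of request validation the report above says was missing, as an added example (not QEMU's code and not part of the original messages): a device model fails any guest read/write request whose total length is not a whole number of sectors. All names and the 512-byte sector size are assumptions; the shortfall helper only models how truncating to whole sectors can undersize a buffer, since the messages do not describe the actual overflow path.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/uio.h>

#define SECTOR_SIZE 512u /* assumed logical block size */

/* Hypothetical device-side check (not QEMU code): accept a guest read/write
 * request only if its total length is a non-zero whole number of sectors. */
int validate_rw_request(const struct iovec *iov, int cnt, uint64_t *nsectors)
{
    size_t len = 0;

    if (cnt <= 0)
        return -EINVAL;
    for (int i = 0; i < cnt; i++) {
        if (iov[i].iov_len > SIZE_MAX - len)
            return -EINVAL;          /* summed length would wrap */
        len += iov[i].iov_len;
    }
    if (len == 0 || len % SECTOR_SIZE != 0)
        return -EIO;                 /* unaligned: fail it, do no I/O */
    *nsectors = len / SECTOR_SIZE;
    return 0;
}

/* Model only: bytes by which a buffer sized from the truncated sector
 * count (len / SECTOR_SIZE) would be too small for the full request. */
size_t unchecked_shortfall(size_t len)
{
    return len % SECTOR_SIZE;
}

/* Constructed two-segment request; returns the validator's verdict. */
int check_two_segments(size_t a, size_t b)
{
    struct iovec iov[2] = { { .iov_len = a }, { .iov_len = b } };
    uint64_t n = 0;
    return validate_rw_request(iov, 2, &n);
}

int main(void)
{
    printf("512+512 -> %d\n", check_two_segments(512, 512));
    printf("512+100 -> %d (shortfall %zu)\n",
           check_two_segments(512, 100), unchecked_shortfall(612));
    printf("wrap    -> %d\n", check_two_segments(SIZE_MAX, 512));
    return 0;
}
```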
--- Begin Message ---
Source: qemu-kvm
Source-Version: 0.14.1+dfsg-1

We believe that the bug you reported is fixed in the latest version of
qemu-kvm, which is due to be installed in the Debian FTP archive:

kvm_0.14.1+dfsg-1_i386.deb
  to main/q/qemu-kvm/kvm_0.14.1+dfsg-1_i386.deb
qemu-kvm-dbg_0.14.1+dfsg-1_i386.deb
  to main/q/qemu-kvm/qemu-kvm-dbg_0.14.1+dfsg-1_i386.deb
qemu-kvm_0.14.1+dfsg-1.debian.tar.gz
  to main/q/qemu-kvm/qemu-kvm_0.14.1+dfsg-1.debian.tar.gz
qemu-kvm_0.14.1+dfsg-1.dsc
  to main/q/qemu-kvm/qemu-kvm_0.14.1+dfsg-1.dsc
qemu-kvm_0.14.1+dfsg-1_i386.deb
  to main/q/qemu-kvm/qemu-kvm_0.14.1+dfsg-1_i386.deb
qemu-kvm_0.14.1+dfsg.orig.tar.gz
  to main/q/qemu-kvm/qemu-kvm_0.14.1+dfsg.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 624...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <m...@tls.msk.ru> (supplier of updated qemu-kvm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 28 May 2011 13:43:40 +0400
Source: qemu-kvm
Binary: qemu-kvm qemu-kvm-dbg kvm
Architecture: source i386
Version: 0.14.1+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Jan Lübbe <jlue...@debian.org>
Changed-By: Michael Tokarev <m...@tls.msk.ru>
Description: 
 kvm        - dummy transitional package from kvm to qemu-kvm
 qemu-kvm   - Full virtualization on x86 hardware
 qemu-kvm-dbg - Debugging info for qemu-kvm
Closes: 489442 540686 604844 611952 616159 619300 624006 624177 625571 627448
Changes: 
 qemu-kvm (0.14.1+dfsg-1) unstable; urgency=low
 .
   * new upstream 0.14.1 stable/bugfix release
     (closes: #616159, #624177)
   * remove vgabios package entirely finally, when it's properly
     packaged in debian (and depend on it) (Closes: #489442)
   * ship vgabios.bin link too, for now.  It's not used but helps for
     older versions of qemu-kvm.
   * add $(QEMU_KVM_CONFIGURE_OPTIONS) to ./configure flags, to simplify
     local/custom builds.  Does not affect Debian qemu-kvm build.
     Also fix whitespace in that area in debian/rules
   * move init.d script to rcS.d and don't run it on stop
     (Closes: #611952, #540686)
   * remove isa-bus:-Remove-bogus-IRQ-sharing-check-ee951a.diff
     (upstream)
   * build-depend on librados-dev to enable rbd support
   * update kvm-ifup to be a bit more accurate and to warn about
     problem cases.  (closes: #619300, #624006)
   * ignore-pci-unplug-requests-for-unpluggable-devices-CVE-2011-1751.diff
     (closes: #627448)
   * fix-crash-in-migration-32-bit-userspace-on-64-bit-host-51b0c6065a.diff
     (closes: #625571)
   * set-$SDL_VIDEODRIVER=x11-on-Linux-to-prevent-sudo-kvm-from-fighting-for-video-1de9756b97
     (closes: #604844)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFN4mXxn88szT8+ZCYRAt1AAJ4shZ+BPL5Ms4bNl/v5s5fx1viP+gCeLVCK
DEcT3BmKrs2JPEahsa/hwHg=
=mXbD
-----END PGP SIGNATURE-----



--- End Message ---
