Your message dated Wed, 21 Sep 2011 19:55:02 +0000
with message-id <e1r6sso-0003sf...@franck.debian.org>
and subject line Bug#633669: fixed in qemu-kvm 0.12.5+dfsg-5+squeeze5
has caused the Debian Bug report #633669,
regarding CVE-2011-2527: qemu-kvm -runas does not clear supplementary groups
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
633669: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=633669
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: qemu-kvm
Version: 0.12.5+dfsg-5
Severity: serious
Tags: patch squeeze sid upstream security

qemu-kvm does not clear the list of supplementary groups
when processing the -runas argument, which is supposed to tell
it to drop as many privileges as possible.

See https://bugs.launchpad.net/bugs/807893 for details.



--- End Message ---
--- Begin Message ---
Source: qemu-kvm
Source-Version: 0.12.5+dfsg-5+squeeze5

We believe that the bug you reported is fixed in the latest version of
qemu-kvm, which is due to be installed in the Debian FTP archive:

kvm_0.12.5+dfsg-5+squeeze5_i386.deb
  to main/q/qemu-kvm/kvm_0.12.5+dfsg-5+squeeze5_i386.deb
qemu-kvm-dbg_0.12.5+dfsg-5+squeeze5_i386.deb
  to main/q/qemu-kvm/qemu-kvm-dbg_0.12.5+dfsg-5+squeeze5_i386.deb
qemu-kvm_0.12.5+dfsg-5+squeeze5.diff.gz
  to main/q/qemu-kvm/qemu-kvm_0.12.5+dfsg-5+squeeze5.diff.gz
qemu-kvm_0.12.5+dfsg-5+squeeze5.dsc
  to main/q/qemu-kvm/qemu-kvm_0.12.5+dfsg-5+squeeze5.dsc
qemu-kvm_0.12.5+dfsg-5+squeeze5_i386.deb
  to main/q/qemu-kvm/qemu-kvm_0.12.5+dfsg-5+squeeze5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 633...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <m...@tls.msk.ru> (supplier of updated qemu-kvm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 13 Jul 2011 01:45:15 +0400
Source: qemu-kvm
Binary: qemu-kvm qemu-kvm-dbg kvm
Architecture: source i386
Version: 0.12.5+dfsg-5+squeeze5
Distribution: stable-security
Urgency: low
Maintainer: Jan Lübbe <jlue...@debian.org>
Changed-By: Michael Tokarev <m...@tls.msk.ru>
Description: 
 kvm        - dummy transitional package from kvm to qemu-kvm
 qemu-kvm   - Full virtualization on x86 hardware
 qemu-kvm-dbg - Debugging info for qemu-kvm
Closes: 632987 633669
Changes: 
 qemu-kvm (0.12.5+dfsg-5+squeeze5) stable-security; urgency=low
 .
   * virtio-fix-indirect-descriptor-buffer-overflow-CVE-2011-2212
     fixes a guest-triggerable buffer overflow in virtio handling
     (closes: #632987)
   * os-posix-set-groups-properly-for--runas-CVE-2011-2527
     clears supplementary groups for -runas (closes: #633669)




--- End Message ---
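
The report and the changelog entry above both concern a root process that switches user without resetting its supplementary group list. The following C sketch is an added example, not code from qemu-kvm or from the Debian patch: it shows one way to order the drop and then verify that no inherited groups remain. The function names, the use of setgroups() to reset the list, and the "nobody" target account are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE          /* for setgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Count supplementary groups other than the target gid. Non-zero after a
 * drop means groups inherited from the launching user (often root) remain. */
int residual_groups(const gid_t *list, int n, gid_t target_gid)
{
    int extra = 0;
    for (int i = 0; i < n; i++)
        if (list[i] != target_gid)
            extra++;
    return extra;
}

/* Drop from root to account pw; returns 0 only if the drop is verified. */
int drop_privileges(const struct passwd *pw)
{
    gid_t list[8];
    int n;

    /* Reset supplementary groups first: the step CVE-2011-2527 is about. */
    if (setgroups(1, &pw->pw_gid) < 0)
        return -1;
    /* gid before uid: after setuid() the process may no longer change gid. */
    if (setgid(pw->pw_gid) < 0 || setuid(pw->pw_uid) < 0)
        return -1;
    /* Verify; fail closed if anything is left over. */
    if (pw->pw_uid != 0 && setuid(0) == 0)
        return -1;
    n = getgroups(8, list);
    if (n < 0 || residual_groups(list, n, pw->pw_gid) != 0)
        return -1;
    return (getuid() == pw->pw_uid && getgid() == pw->pw_gid) ? 0 : -1;
}

int main(void)
{
    struct passwd *pw = getpwnam("nobody");   /* assumed target account */
    if (getuid() != 0 || pw == NULL) {
        puts("run as root with a 'nobody' account to exercise the drop");
        return 0;
    }
    printf("drop %s\n", drop_privileges(pw) == 0 ? "verified" : "FAILED");
    return 0;
}
```

Without the setgroups() call, setgid() and setuid() both succeed and the process still holds every supplementary group of the user that launched it, which is what the getgroups() check catches.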
