Your message dated Wed, 21 Sep 2011 19:55:08 +0000
with message-id <e1r6ssu-0003td...@franck.debian.org>
and subject line Bug#633669: fixed in qemu-kvm 0.12.5+dfsg-5+squeeze6
has caused the Debian Bug report #633669,
regarding CVE-2011-2527: qemu-kvm -runas does not clear supplementary groups
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
633669: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=633669
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: qemu-kvm
Version: 0.12.5+dfsg-5
Severity: serious
Tags: patch squeeze sid upstream security
qemu-kvm does not clear the list of supplementary groups
when processing the -runas argument, which is supposed to tell
it to drop as many privileges as possible.
See https://bugs.launchpad.net/bugs/807893 for details.
--- End Message ---
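The privilege-drop ordering that the report above is about, as an added example (not QEMU's or Debian's patch): the inherited supplementary group list is replaced while the process is still root, then the gid and uid are changed, and the result is verified. The names `drop_privileges` and `count_leftover_groups` are hypothetical, and replacing the list with `initgroups()` is this example's choice.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* initgroups(), getgrouplist() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Count groups in have[] that are not in allowed[] (the target user's own set). */
int count_leftover_groups(const gid_t *have, int nhave,
                          const gid_t *allowed, int nallowed)
{
    int leftover = 0;
    for (int i = 0; i < nhave; i++) {
        int ok = 0;
        for (int j = 0; j < nallowed && !ok; j++)
            ok = (have[i] == allowed[j]);
        leftover += !ok;
    }
    return leftover;
}

/* Drop from root to `user` (hypothetical helper). 0 on success, -1 on failure.
 * Group changes need root, so they must all happen before setuid(). */
int drop_privileges(const char *user)
{
    gid_t have[256], allowed[256];
    int nhave, nallowed = 256;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || geteuid() != 0)
        return -1;
    /* Replace the inherited supplementary list: the step this bug is about. */
    if (initgroups(pw->pw_name, pw->pw_gid) < 0) return -1;
    if (setgid(pw->pw_gid) < 0) return -1;
    if (setuid(pw->pw_uid) < 0) return -1;
    /* Verify instead of trusting: root must be gone, no foreign group left. */
    if (pw->pw_uid != 0 && setuid(0) != -1) return -1;
    if ((nhave = getgroups(256, have)) < 0) return -1;
    if (getgrouplist(pw->pw_name, pw->pw_gid, allowed, &nallowed) < 0) return -1;
    return count_leftover_groups(have, nhave, allowed, nallowed) ? -1 : 0;
}

int main(int argc, char **argv)
{
    if (argc != 2 || drop_privileges(argv[1]) < 0)
        return fprintf(stderr, "run as root: %s <user>\n", argv[0]), 1;
    printf("uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Without the `initgroups()` call the uid and gid still change, but `getgroups()` keeps returning the launching user's groups, which is the condition the final check rejects.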
--- Begin Message ---
Source: qemu-kvm
Source-Version: 0.12.5+dfsg-5+squeeze6
We believe that the bug you reported is fixed in the latest version of
qemu-kvm, which is due to be installed in the Debian FTP archive:
kvm_0.12.5+dfsg-5+squeeze6_i386.deb
to main/q/qemu-kvm/kvm_0.12.5+dfsg-5+squeeze6_i386.deb
qemu-kvm-dbg_0.12.5+dfsg-5+squeeze6_i386.deb
to main/q/qemu-kvm/qemu-kvm-dbg_0.12.5+dfsg-5+squeeze6_i386.deb
qemu-kvm_0.12.5+dfsg-5+squeeze6.diff.gz
to main/q/qemu-kvm/qemu-kvm_0.12.5+dfsg-5+squeeze6.diff.gz
qemu-kvm_0.12.5+dfsg-5+squeeze6.dsc
to main/q/qemu-kvm/qemu-kvm_0.12.5+dfsg-5+squeeze6.dsc
qemu-kvm_0.12.5+dfsg-5+squeeze6_i386.deb
to main/q/qemu-kvm/qemu-kvm_0.12.5+dfsg-5+squeeze6_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 633...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Tokarev <m...@tls.msk.ru> (supplier of updated qemu-kvm package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 13 Jul 2011 01:45:15 +0400
Source: qemu-kvm
Binary: qemu-kvm qemu-kvm-dbg kvm
Architecture: source i386
Version: 0.12.5+dfsg-5+squeeze6
Distribution: stable-security
Urgency: low
Maintainer: Jan Lübbe <jlue...@debian.org>
Changed-By: Michael Tokarev <m...@tls.msk.ru>
Description:
kvm - dummy transitional package from kvm to qemu-kvm
qemu-kvm - Full virtualization on x86 hardware
qemu-kvm-dbg - Debugging info for qemu-kvm
Closes: 632987 633669
Changes:
qemu-kvm (0.12.5+dfsg-5+squeeze6) stable-security; urgency=low
.
* virtio-fix-indirect-descriptor-buffer-overflow-CVE-2011-2212
fixes a guest-triggerable buffer overflow in virtio handling
(closes: #632987)
* os-posix-set-groups-properly-for--runas-CVE-2011-2527
clears supplementary groups for -runas (closes: #633669)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iJwEAQECAAYFAk4kevwACgkQUlPFrXTwyDg7eAP/VlAVlG8maNqxSRy4sXVkXNTH
PjqS27I5EHdB0M7vMijG7kIkkwwMAK9YZd1+5SFWx/LNS1ssxXSw1SxSsGdNtrJx
xXhlzDd62bnlbY03i70jdOVyrigZk7JPSvXP6Nppb2E4WcSbISQuxlvMN8IX8ABg
sY9OD3P2IHfQC/fFxuE=
=p8iN
-----END PGP SIGNATURE-----
--- End Message ---