Also we had it a few more days in cosmic now, with testers/early adopters slowly picking it up, and no one hit any issue (and remember in cosmic it is default on).
Added SRU Template and prepared the packaging of the changes to Bionic.

** Description changed:

+ [Impact]
+
+  * Backport upstream CVE fix (applies as-is)
+
+  * This will ensure that the seccomp rules apply to all threads.
+    Without that the security benefit that seccomp provides can be avoided
+    by an attacker.
+
+ [Test Case]
+
+  * Run qemu on Bionic, and enable the seccomp feature (not yet default on
+    in Bionic, but in Cosmic). In qemu this is called "sandbox"
+
+    $ qemu-system-x86_64 -sandbox on -nographic & pid=$!; sleep 2s;
+      echo PID $pid; for task in /proc/$pid/task/*; do cat $task/status | grep Secc; done; kill -9 $pid
+
+    That will report something like
+      PID 23230
+      Seccomp: 2
+      Seccomp: 0
+
+    And the two lines should match.
+
+ [Regression Potential]
+
+  * discussion of how regressions are most likely to manifest as a result
+    of this change.
+
+  * It is assumed that any SRU candidate patch is well-tested before
+    upload and has a low overall risk of regression, but it's important
+    to make the effort to think about what ''could'' happen in the
+    event of a regression.
+
+  * This both shows the SRU team that the risks have been considered,
+    and provides guidance to testers in regression-testing the SRU.
+
+ [Other Info]
+
+  * This was discussed for other releases e.g. Xenial, but back then the
+    approach to seccomp was different and regression risk would be too
+    high.
+
+ ----
+
  The Qemu changes are public, so nothing to hide here IMHO, but leaving
  that to the security team.

  Copy from the related Debian bug that I commented on:
  "
  The following vulnerability was published for qemu.

  CVE-2018-15746[0]:
  seccomp: blacklist is not applied to all threads

  If you fix the vulnerability please also make sure to include the
  CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

  For further information see:
  [0] https://security-tracker.debian.org/tracker/CVE-2018-15746
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15746
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15746
  [1] https://lists.gnu.org/archive/html/qemu-devel/2018-08/msg04892.html
  [2] https://lists.gnu.org/archive/html/qemu-devel/2018-08/msg02289.html
  "

  In addition I think that:
  - it is available (built in since all still supported releases)
  - it is default enabled with qemu 2.11 (Bionic)
  - with libvirt >4.3 (Cosmic) more of the filters are set

  That in my bad security severity guessing capability makes it
  - Medium prio <Bionic
  - High prio >=Bionic

  OTOH, when checking the upstream reproducer with a qemu 2.11 I see
  nothing being used - so maybe all of it is a red herring (checked on Bionic):

  $ for pid in $(pidof qemu-system-x86_64); do echo PID $pid; for task in /proc/$pid/task/*; do cat $task/status | grep Secc; done; done
  PID 10817
  Seccomp: 0
  Seccomp: 0
  Seccomp: 0
  Seccomp: 0
  PID 10657
  Seccomp: 0
  Seccomp: 0
  Seccomp: 0
  Seccomp: 0
  Seccomp: 0
  Seccomp: 0
  PID 438
  Seccomp: 0
  Seccomp: 0
  Seccomp: 0
  Seccomp: 0
  Seccomp: 0
  Seccomp: 0
  Seccomp: 0
  Seccomp: 0
  Seccomp: 0
  Seccomp: 0
  Seccomp: 0

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1789551

Title:
  qemu: CVE-2018-15746: seccomp: blacklist is not applied to all threads

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1789551/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
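As an added example (not part of the bug report, the SRU template or qemu itself), here is a POSIX shell function that automates the check from the [Test Case] above: it reads the Seccomp field of every thread's status file under a /proc/<pid>/task directory and reports when the threads disagree, which is the symptom CVE-2018-15746 describes. The task directory is taken as a parameter (an assumption for testability) so the same function can be run against a live qemu process or a constructed directory tree.

```shell
#!/bin/sh
# Added example, not from the bug report or qemu: verify that every thread
# of a process reports the same seccomp mode. CVE-2018-15746 is exactly the
# case where the main thread shows "Seccomp: 2" while others show "Seccomp: 0".
#
# check_seccomp_threads TASKDIR
#   TASKDIR is normally /proc/<pid>/task (assumed as a parameter so the
#   function can also be run against a constructed directory tree).
#   Prints one line per thread. Return codes:
#     0  all threads share the same seccomp mode, and it is enabled (1 or 2)
#     1  threads disagree (the vulnerable pattern)
#     2  seccomp is not enabled on any thread
#     3  no thread status files found
check_seccomp_threads() {
    taskdir=$1
    first=""
    mismatch=0
    count=0
    for status in "$taskdir"/*/status; do
        [ -f "$status" ] || continue
        # Match "Seccomp:" only; newer kernels also have "Seccomp_filters:".
        mode=$(awk '/^Seccomp:/ { print $2 }' "$status")
        mode=${mode:-missing}
        tid=$(basename "$(dirname "$status")")
        echo "tid $tid Seccomp: $mode"
        count=$((count + 1))
        if [ -z "$first" ]; then
            first=$mode
        elif [ "$mode" != "$first" ]; then
            mismatch=1
        fi
    done
    [ "$count" -gt 0 ] || return 3
    [ "$mismatch" -eq 0 ] || return 1
    case $first in
        1|2) return 0 ;;
        *)   return 2 ;;
    esac
}

# Live use, following the [Test Case] from the bug (needs qemu installed):
#   qemu-system-x86_64 -sandbox on -nographic & pid=$!; sleep 2
#   check_seccomp_threads "/proc/$pid/task"; echo "result: $?"; kill -9 "$pid"
if [ -n "${1:-}" ]; then
    check_seccomp_threads "$1"
    echo "result: $?"
fi
```

Return code 1 is the condition the backport removes; after the fix every thread of a sandboxed qemu should report the same non-zero mode, and a return code of 2 on Bionic matches the "nothing being used" observation in the comment when the sandbox is not enabled.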
