Your message dated Mon, 08 Jun 2009 22:19:19 +0000
with message-id <[email protected]>
and subject line Bug#526013: fixed in qemu 0.9.1-10lenny1
has caused the Debian Bug report #526013,
regarding qemu: CVE-2008-1945 media handling vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
526013: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526013
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: qemu
Severity: important
Tags: security
Fixed: 0.9.1-5
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for qemu.
CVE-2008-1945[0]:
| QEMU 0.9.0 does not properly handle changes to removable media, which
| allows guest OS users to read arbitrary files on the host OS by using
| the diskformat: parameter in the -usbdevice option to modify the
| disk-image header to identify a different format, a related issue to
| CVE-2008-2004.
This is already fixed in version 0.9.1-5 in unstable. Please
coordinate with the security team ([email protected]) to prepare
packages for the stable releases.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1945
http://security-tracker.debian.net/tracker/CVE-2008-1945
Thanks,
Mike
--- End Message ---
--- Begin Message ---
Source: qemu
Source-Version: 0.9.1-10lenny1
We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive:
qemu_0.9.1-10lenny1.diff.gz
  to pool/main/q/qemu/qemu_0.9.1-10lenny1.diff.gz
qemu_0.9.1-10lenny1.dsc
  to pool/main/q/qemu/qemu_0.9.1-10lenny1.dsc
qemu_0.9.1-10lenny1_amd64.deb
  to pool/main/q/qemu/qemu_0.9.1-10lenny1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Aurelien Jarno <[email protected]> (supplier of updated qemu package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 02 May 2009 15:29:10 +0200
Source: qemu
Binary: qemu
Architecture: source amd64
Version: 0.9.1-10lenny1
Distribution: stable-security
Urgency: low
Maintainer: Debian QEMU Team <[email protected]>
Changed-By: Aurelien Jarno <[email protected]>
Description:
 qemu - fast processor emulator
Closes: 469649 526013 526040
Changes:
 qemu (0.9.1-10lenny1) stable-security; urgency=low
 .
   * debian/patches/91_security.patch: fix privilege escalation.
     (CVE-2008-0928). Closes: bug#469649.
   * debian/patches/97_security.patch: fix heap-based buffer overflow in
     the Cirrus VGA implementation (CVE-2008-4539). Closes: bug#526040.
   * debian/patches/98_security.patch: fix media handling vulnerability
     (CVE-2008-1945). Closes: bug#526013.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkn9+2kACgkQXm3vHE4uylpaRgCeKYsUJ87I9MpyQI6Og3p55yvU
244AoIilhn98N0eQHTqhJPiODN2BMLXm
=632A
-----END PGP SIGNATURE-----
--- End Message ---