Your message dated Fri, 21 Dec 2018 15:51:14 +0000
with message-id <[email protected]>
and subject line Bug#916397: fixed in qemu 1:3.1+dfsg-2
has caused the Debian Bug report #916397,
regarding qemu: CVE-2018-16872: usb-mtp: path traversal by host filesystem
manipulation in Media Transfer Protocol (MTP)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
916397: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916397
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: qemu
Version: 1:3.1+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg03135.html
Hi,
The following vulnerability was published for qemu.
CVE-2018-16872[0]:
| A flaw was found in qemu Media Transfer Protocol (MTP). The code
| opening files in usb_mtp_get_object and usb_mtp_get_partial_object and
| directories in usb_mtp_object_readdir doesn't consider that the
| underlying filesystem may have changed since the time lstat(2) was
| called in usb_mtp_object_alloc, a classical TOCTTOU problem. An
| attacker with write access to the host filesystem shared with a guest
| can use this property to navigate the host filesystem in the context
| of the QEMU process and read any file the QEMU process has access to.
| Access to the filesystem may be local or via a network share protocol
| such as CIFS.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-16872
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16872
[1] https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg03135.html
[2] https://www.openwall.com/lists/oss-security/2018/12/13/11
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: qemu
Source-Version: 1:3.1+dfsg-2
We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Tokarev <[email protected]> (supplier of updated qemu package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 21 Dec 2018 16:51:39 +0300
Source: qemu
Binary: qemu qemu-system qemu-block-extra qemu-system-data qemu-system-common
qemu-system-gui qemu-system-misc qemu-system-arm qemu-system-mips
qemu-system-ppc qemu-system-sparc qemu-system-x86 qemu-user qemu-user-static
qemu-user-binfmt qemu-utils qemu-guest-agent qemu-kvm
Architecture: source
Version: 1:3.1+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian QEMU Team <[email protected]>
Changed-By: Michael Tokarev <[email protected]>
Description:
qemu - fast processor emulator, dummy package
qemu-block-extra - extra block backend modules for qemu-system and qemu-utils
qemu-guest-agent - Guest-side qemu-system agent
qemu-kvm - QEMU Full virtualization on x86 hardware
qemu-system - QEMU full system emulation binaries
qemu-system-arm - QEMU full system emulation binaries (arm)
qemu-system-common - QEMU full system emulation binaries (common files)
qemu-system-data - QEMU full system emulation (data files)
qemu-system-gui - QEMU full system emulation binaries (user interface and
audio sup
qemu-system-mips - QEMU full system emulation binaries (mips)
qemu-system-misc - QEMU full system emulation binaries (miscellaneous)
qemu-system-ppc - QEMU full system emulation binaries (ppc)
qemu-system-sparc - QEMU full system emulation binaries (sparc)
qemu-system-x86 - QEMU full system emulation binaries (x86)
qemu-user - QEMU user mode emulation binaries
qemu-user-binfmt - QEMU user mode binfmt registration for qemu-user
qemu-user-static - QEMU user mode emulation binaries (static version)
qemu-utils - QEMU utilities
Closes: 684909 849798 903562 912655 916278 916279 916397 916625 916674 917007
Changes:
qemu (1:3.1+dfsg-2) unstable; urgency=medium
.
* d/rules: split arch and indep builds
* enable s390x cross-compiler and build s390-ccw.img (Closes: #684909)
* build x86 optionrom in qemu-system-data (was in seabios/debian/)
* qemu-system-data: Multi-Arch: allowed=>foreign (Closes: #903562)
* fix Replaces: version for qemu-system-common (Closes: #916279)
* add simple udev rules file for systemd guest agent (Closes: #916674)
* usb-mtp-use-O_NOFOLLOW-and-O_CLOEXEC-CVE-2018-16872.patch
Race condition in usb_mtp implementation (Closes: #916397)
*
bt-use-size_t-type-for-length-parameters-instead-of-int-CVE-2018-19665.patch
Memory corruption in bluetooth subsystem (Closes: #916278)
* hw_usb-fix-mistaken-de-initialization-of-CCID-state.patch (Closes: #917007)
* bump debhelper compat to 12 (>>11)
* d/rules: use dh_missing instead of dh_install --list-missing (compat=12)
* use dh_installsystemd for guest agent (Closes: #916625)
* mention closing by 3.1: Closes: #912655, CVE-2018-16847
* mention closing by 2.10:
Closes: #849798, CVE-2016-10028
Closes: CVE-2017-9060
Closes: CVE-2017-8284
Checksums-Sha1:
04b44c05dbc941d44a9263f86464107c608cc1d1 6009 qemu_3.1+dfsg-2.dsc
642b91d6402bf10661eef79b056ceadd8d633617 79956 qemu_3.1+dfsg-2.debian.tar.xz
441b91f0922509cd6f49483ae05640acdcf50e1e 16308 qemu_3.1+dfsg-2_source.buildinfo
Checksums-Sha256:
ff801502d364414ac213537da9e114989e8374b4ddc584dba9629060b54f1385 6009
qemu_3.1+dfsg-2.dsc
03b3283c026d58e7067c217b0c62296a622c94214f0d252da6562b65fd6daf4b 79956
qemu_3.1+dfsg-2.debian.tar.xz
cb497f2b9c41e24ec2614c3ca223dee8b4734d1f90da6ded96f43b8a9432a8f5 16308
qemu_3.1+dfsg-2_source.buildinfo
Files:
75c65f666196fb751354b9f1423ac163 6009 otherosfs optional qemu_3.1+dfsg-2.dsc
e0c4de806a66ec70cbf409b57f293796 79956 otherosfs optional
qemu_3.1+dfsg-2.debian.tar.xz
105f2dbc8adaab55f0ace64bb59e4053 16308 otherosfs optional
qemu_3.1+dfsg-2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQFDBAEBCAAtFiEEe3O61ovnosKJMUsicBtPaxppPlkFAlwdBycPHG1qdEB0bHMu
bXNrLnJ1AAoJEHAbT2saaT5ZR4EH/1DWJ5T4wPaksVDVn+UsmKhYCXggcQPPWaJC
oUg2BEKGH0URQZUe/u+xgVn8/SovSq8/x6tng4o3QP4ay+sFRrxFtkBGwKSXT5zG
AXKC/vB8lhXL0OnVEz4BZMrmweV3jX9m8b+jFPC5URoQTqFNLvtPZ7pvA+30yjLx
53VUf/FBP2q8alKZVVSivNOXhkYSEE/nofuKfVKDyYkCAzqSEzQ6J3+z7roJxRh0
bMYUKWBcxF4yXdii7P2JTbWyut1ysSRCdPIruhMbBot9JATVk8gG6HQqLzswrKhu
Q2xP0fZZeoSgQDPH87CkJMo3KQpexu+z+ghjQGXtApdE+7Eo/HE=
=W0YW
-----END PGP SIGNATURE-----
--- End Message ---
