Your message dated Thu, 10 Jan 2013 09:48:08 +0000
with message-id <e1ttek4-0002iq...@franck.debian.org>
and subject line Bug#696051: fixed in qemu-kvm 1.1.2+dfsg-4
has caused the Debian Bug report #696051,
regarding potential guest-side buffer overflow caused by e1000 device emulation 
and large incoming packets - CVE-2012-6075
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
696051: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696051
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: qemu
Severity: serious
Tags: upstream patch pending security

When the guest does not enable large packet receiving from the qemu-emulated
e1000 device, and a large packet is received from the network, qemu will
happily transfer the whole thing to the guest, causing a guest buffer overflow.

This is fixed by upstream commit b0d9ffcd0251161c7c92f94804dcf599dfa3edeb,
with the following comment by Michael Contreras:

 Tested with linux guest. This error can potentially be exploited. At the very
 least it can cause a DoS to a guest system, and in the worst case it could
 allow remote code execution on the guest system with kernel level privilege.
 Risk seems low, as the network would need to be configured to allow large
 packets.

So it can be considered a low-risk security issue, too.

/mjt

--- End Message ---
--- Begin Message ---
Source: qemu-kvm
Source-Version: 1.1.2+dfsg-4

We believe that the bug you reported is fixed in the latest version of
qemu-kvm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 696...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <m...@tls.msk.ru> (supplier of updated qemu-kvm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 09 Jan 2013 23:05:17 +0400
Source: qemu-kvm
Binary: qemu-kvm qemu-kvm-dbg kvm
Architecture: source i386
Version: 1.1.2+dfsg-4
Distribution: unstable
Urgency: medium
Maintainer: Michael Tokarev <m...@tls.msk.ru>
Changed-By: Michael Tokarev <m...@tls.msk.ru>
Description: 
 kvm        - dummy transitional package from kvm to qemu-kvm
 qemu-kvm   - Full virtualization on x86 hardware
 qemu-kvm-dbg - Debugging info for qemu-kvm
Closes: 696051
Changes: 
 qemu-kvm (1.1.2+dfsg-4) unstable; urgency=medium
 .
   * e1000-discard-oversized-packets-based-on-SBP_LPE.patch: the second
     half of the fix for CVE-2012-6075. (Finally Closes: #696051)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iJwEAQECAAYFAlDuitgACgkQUlPFrXTwyDi/XQP7BBaMfu/cDloMjbM0SqM5TcxS
K/6y/POPMtiXF4cl9pnBqce3rTh2pkmN2bdXV65yaVyK4GZDzEY0GTYFXDem2BZV
14qF/8YqrZjI2r8npWxuZgfft0XNR/pUd6JgM+SKs1hFHRoE7RvISul2LufnPNrE
LnBQgZ2vIp43sJ5EuKU=
=cPOo
-----END PGP SIGNATURE-----

--- End Message ---
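
The receive-side check that the bug report and the patch name (discard oversized packets based on SBP/LPE) describe, as an added illustration that is not part of the original messages and is not QEMU's code. It is a simplified model: the RCTL bit values follow Intel's e1000 register definitions, while the two size limits and the function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Receive Control (RCTL) bits, values as in Intel's e1000 register set. */
#define RCTL_SBP 0x00000004u /* store bad packets: guest asked for them */
#define RCTL_LPE 0x00000020u /* long packet enable */

/* Size limits assumed for this model. */
#define MAX_ETH_VLAN_SIZE 1522u  /* largest standard frame with VLAN tag */
#define MAX_ETH_LPE_SIZE  16384u /* largest frame accepted when LPE is set */

/* True when the emulated NIC must drop the frame rather than write it
 * into guest receive buffers. */
bool rx_should_discard(uint32_t rctl, size_t size)
{
    bool too_long = size > MAX_ETH_LPE_SIZE ||
                    (size > MAX_ETH_VLAN_SIZE && !(rctl & RCTL_LPE));
    return too_long && !(rctl & RCTL_SBP);
}

/* Bytes handed to the guest. checked=false models the behaviour in the
 * bug report (every frame is delivered); checked=true applies the filter. */
size_t rx_bytes_delivered(uint32_t rctl, size_t size, bool checked)
{
    if (checked && rx_should_discard(rctl, size))
        return 0;
    return size;
}

int main(void)
{
    /* Constructed frame sizes around both limits. */
    const size_t sizes[] = {60, 1522, 1523, 9000, 16384, 16385};
    printf("%6s %10s %10s %10s\n", "size", "unchecked", "no LPE", "LPE");
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("%6zu %10zu %10zu %10zu\n", sizes[i],
               rx_bytes_delivered(0, sizes[i], false),
               rx_bytes_delivered(0, sizes[i], true),
               rx_bytes_delivered(RCTL_LPE, sizes[i], true));
    return 0;
}
```

A guest driver that left LPE clear sizes its receive buffers for standard frames, so the "unchecked" column shows the sizes that would have been written past those buffers.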