Re: qemu: CVE-2016-7116

2016-09-06 Thread Hugo Lefeuvre
Hi Balint,

> I took the liberty of claiming qemu-kvm for you in dla-needed.txt.

Thanks !

> There are also new issues reported today for qemu.

I've had a quick look at them, but I'd like to fix CVE-2016-7116 first.

In fact, reproducing this issue turned out to be a bit more difficult than
I expected because I am having difficulty setting up a test environment
in my VM (qemu VM with host directory sharing via 9pfs). I've encountered
a bug (exact same situation as here[0]), and I have performance issues
because of inefficient VM interlocking. I'm currently setting up a physical
wheezy system to get rid of the first virtualization level.

Cheers,
 Hugo

[0] https://www.mail-archive.com/kvm@vger.kernel.org/msg30993.html

-- 
 Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E




Re: qemu: CVE-2016-7116

2016-09-06 Thread Bálint Réczey
Hi Hugo,

2016-09-04 13:25 GMT+02:00 Hugo Lefeuvre :
>> Yes, qemu is supported (and there has been lots of file renaming after
>> the Wheezy version). If you handle qemu please look at qemu-kvm as well
>> (they're the same version).
>
> Thanks for the hint.

I took the liberty of claiming qemu-kvm for you in dla-needed.txt.

There are also new issues reported today for qemu.

Cheers,
Balint



Re: qemu: CVE-2016-7116

2016-09-05 Thread Thorsten Alteholz

Hi Hugo and Guido,

On Mon, 5 Sep 2016, Hugo Lefeuvre wrote:

> There are several "versions" of Plan 9 currently. The Bell one, which is rather
> inactive, and forked one, 9front, which seems to be under active development[0].

oh, great, I "found" the wrong one.

> I wasn't sure whether we should do an LTS upload for qemu or not. That's why I
> asked here before claiming qemu in dla-needed. I'll follow the team's decision.

I hadn't heard before of 9p and I thought nobody would use it. But this
seems to be wrong, so please go ahead. I removed the  ...

> (By the way, *if we do an LTS upload*, shouldn't we include this patch[1][2],
> too ?)

Yes, and while you are at it, maybe [11] from [2] is worth a look as well ...

  Thorsten


[1] http://git.qemu.org/?p=qemu.git;a=commit;h=805b5d98c649d26fc44d2d7755a97f18e62b438a
[2] https://marc.info/?l=oss-security&m=147259351226835&w=2

[11] http://git.qemu.org/?p=qemu.git;a=commit;h=fff39a7ad09da07ef490de05c92c91f22f8002f2



Re: qemu: CVE-2016-7116

2016-09-05 Thread Hugo Lefeuvre
Hi Thorsten,

> > "A privileged user inside guest could use this flaw to access undue
> > files on the host."
> 
> ... you should also cite:
> "... host directory sharing via Plan 9 File System(9pfs) support ..."
> 
> The latest news on [1] is from 2008. I am not sure whether there are really
> that many installations in the wild that really use it.

There are several "versions" of Plan 9 currently. The Bell one, which is rather
inactive, and forked one, 9front, which seems to be under active development[0].

> I still think it is not needed.

I wasn't sure whether we should do an LTS upload for qemu or not. That's why I
asked here before claiming qemu in dla-needed. I'll follow the team's decision.

(By the way, *if we do an LTS upload*, shouldn't we include this patch[1][2],
too ?)

Cheers,
 Hugo

[0] http://ninetimes.cat-v.org/
[1] http://git.qemu.org/?p=qemu.git;a=commit;h=805b5d98c649d26fc44d2d7755a97f18e62b438a
[2] https://marc.info/?l=oss-security&m=147259351226835&w=2

-- 
 Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E




Re: qemu: CVE-2016-7116

2016-09-04 Thread Guido Günther
On Sun, Sep 04, 2016 at 08:06:11PM +0200, Thorsten Alteholz wrote:
> Hi Guido,
> 
> On Sun, 4 Sep 2016, Guido Günther wrote:
> > no-dsa should be used very scarcely in LTS since we don't have a s-p-u
> > to fix minor issues and reading the RedHat entry[1]:
> 
> yes, but ...
> 
> > "A privileged user inside guest could use this flaw to access undue
> > files on the host."
> 
> ... you should also cite:
> "... host directory sharing via Plan 9 File System(9pfs) support ..."

Sorry for the omission, I thought that was clear from the context
already. I know quite some installations that share files via 9pfs
between host and guest since this is the simplest way if you don't want
to fiddle with network filesystems and it's easy to set up with common
tools like libvirt/virt-manager.
Cheers,
 -- Guido



Re: qemu: CVE-2016-7116

2016-09-04 Thread Thorsten Alteholz

Hi Guido,

On Sun, 4 Sep 2016, Guido Günther wrote:

> no-dsa should be used very scarcely in LTS since we don't have a s-p-u
> to fix minor issues and reading the RedHat entry[1]:

yes, but ...

> "A privileged user inside guest could use this flaw to access undue
> files on the host."

... you should also cite:
"... host directory sharing via Plan 9 File System(9pfs) support ..."

The latest news on [1] is from 2008. I am not sure whether there are
really that many installations in the wild that really use it.

> I think we should well fix this vulnerability.

I still think it is not needed.

So qemu and qemu-kvm users: Do you use 9pfs on a Wheezy system?
(me does not)


  Thorsten

[1] http://9p.cat-v.org/News

Re: qemu: CVE-2016-7116

2016-09-04 Thread Guido Günther
Hi Thorsten,
On Sun, Sep 04, 2016 at 05:23:40PM +0200, Thorsten Alteholz wrote:
> Hi Hugo,
> 
> are you aware that this CVE is marked as  in Jessie and soon will be
> in Wheezy as well.
> 
> So unless you disagree with this , it would be better to avoid any
> potential regression and not upload qemu or qemu-kvm.

no-dsa should be used very scarcely in LTS since we don't have a s-p-u
to fix minor issues and reading the RedHat entry[1]:

"A privileged user inside guest could use this flaw to access undue
files on the host."

I think we should well fix this vulnerability.
Cheers,
 -- Guido

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7116



Re: qemu: CVE-2016-7116

2016-09-04 Thread Salvatore Bonaccorso
Hi Hugo,

On Sun, Sep 04, 2016 at 01:25:56PM +0200, Hugo Lefeuvre wrote:
> > Yes, qemu is supported (and there has been lots of file renaming after
> > the Wheezy version). If you handle qemu please look at qemu-kvm as well
> > (they're the same version).
> 
> Thanks for the hint.
> 
> By the way, could you explain to me why this CVE is still labeled RESERVED,
> although a public fix explaining the security issue has been released ?

MITRE has assigned the CVE here:
https://marc.info/?l=oss-security&m=147259351226835&w=2 . Basically, that
it is still RESERVED means that MITRE has not yet updated the
corresponding description entry in their database; at some point
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7116 will
contain the MITRE-provided description.

Regards,
Salvatore



Re: qemu: CVE-2016-7116

2016-09-04 Thread Thorsten Alteholz

Hi Hugo,

are you aware that this CVE is marked as  in Jessie and soon will 
be in Wheezy as well.


So unless you disagree with this , it would be better to 
avoid any potential regression and not upload qemu or qemu-kvm.


 Thorsten



Re: qemu: CVE-2016-7116

2016-09-04 Thread Hugo Lefeuvre
> Yes, qemu is supported (and there has been lots of file renaming after
> the Wheezy version). If you handle qemu please look at qemu-kvm as well
> (they're the same version).

Thanks for the hint.

By the way, could you explain to me why this CVE is still labeled RESERVED,
although a public fix explaining the security issue has been released ?

-- 
 Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E




Re: qemu: CVE-2016-7116

2016-09-03 Thread Guido Günther
On Fri, Sep 02, 2016 at 12:12:17PM +0200, Hugo Lefeuvre wrote:
> Hi,
> 
> I've had a quick look at CVE-2016-7116[0] and would be interested in working on
> it. Upstream provided a patch[1], which looks 'relatively' simple and seems to
> apply well with some adaptations. However, the names of the concerned files have
> changed[2] (e.g. virtio-9p.c -> 9p.c). I think this isn't very important since
> the source code hasn't changed too much, but, just to make sure, could anybody
> have a second look at it (and, before I send a message to the maintainers,
> confirm to me that we should support qemu in wheezy LTS) ?

Yes, qemu is supported (and there has been lots of file renaming after
the Wheezy version). If you handle qemu please look at qemu-kvm as well
(they're the same version).

Cheers,
 -- Guido

> 
> Thanks !
> 
> Cheers,
>  Hugo
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-7116
> [1] http://git.qemu.org/?p=qemu.git;a=commit;h=56f101ecce0eafd09e2daf1c4eeb1377d6959261
> [2] http://sources.debian.net/src/qemu/1:2.1%2Bdfsg-12%2Bdeb8u5a~bpo70%2B1/hw/9pfs/
> 
> -- 
>  Hugo Lefeuvre (hle)|www.owl.eu.com
> 4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E




qemu: CVE-2016-7116

2016-09-02 Thread Hugo Lefeuvre
Hi,

I've had a quick look at CVE-2016-7116[0] and would be interested in working on
it. Upstream provided a patch[1], which looks 'relatively' simple and seems to
apply well with some adaptations. However, the names of the concerned files have
changed[2] (e.g. virtio-9p.c -> 9p.c). I think this isn't very important since
the source code hasn't changed too much, but, just to make sure, could anybody
have a second look at it (and, before I send a message to the maintainers,
confirm to me that we should support qemu in wheezy LTS) ?

Thanks !

Cheers,
 Hugo

[0] https://security-tracker.debian.org/tracker/CVE-2016-7116
[1] http://git.qemu.org/?p=qemu.git;a=commit;h=56f101ecce0eafd09e2daf1c4eeb1377d6959261
[2] http://sources.debian.net/src/qemu/1:2.1%2Bdfsg-12%2Bdeb8u5a~bpo70%2B1/hw/9pfs/

-- 
 Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E

