22.02.2019 0:22, Salvatore Bonaccorso wrote:
Source: qemu
Version: 1:3.1+dfsg-4
Severity: normal
Tags: security upstream
Forwarded: https://lists.gnu.org/archive/html/qemu-devel/2019-02/msg04821.html
Hi,
The following vulnerability was published for qemu.
CVE-2019-8934[0]:
ppc64: sPAPR emulator leaks the host hardware identity
This one's interesting. The vuln itself and the fix too.
The first is described elsewhere.
For the second, we can't "just" fix it -- the fix is to provide
a way to avoid the "leakage" by means of a command-line option,
and of course a management tool, if any, to run qemu, needs to know
and use this option.
But that is not all, really, since this "fix" breaks the migration stream
format, so it can't just be backported to 3.1 (the fix applies to
the ongoing next version of qemu). I dunno how much we care about
the online migration of a ppc guest, probably not _very_ much, so
this might be an easy path to take. If it is, we can just use a
straight backport of this patch to the current Debian 3.1 version and
be done with it (modulo the first part -- something needs to actually
use the fix anyway).
Thanks,
/mjt