Your message dated Tue, 20 May 2008 14:47:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#481204: fixed in kvm 66+dfsg-1.1
has caused the Debian Bug report #481204,
regarding kvm: CVE-2008-2004 allows unauthorized disclosure of information
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
481204: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481204
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: kvm
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for kvm.
CVE-2008-2004[0]:
| The drive_init function in QEMU 0.9.1 determines the format of a raw
| disk image based on the header, which allows local guest users to read
| arbitrary files on the host by modifying the header to identify a
| different format, which is used when the guest is restarted.
Patch: http://svn.savannah.gnu.org/viewvc/?view=rev&root=qemu&revision=4277
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2004
http://security-tracker.debian.net/tracker/CVE-2008-2004
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
pgpoxAn31xUH6.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: kvm
Source-Version: 66+dfsg-1.1
We believe that the bug you reported is fixed in the latest version of
kvm, which is due to be installed in the Debian FTP archive:
kvm-data_66+dfsg-1.1_all.deb
to pool/main/k/kvm/kvm-data_66+dfsg-1.1_all.deb
kvm-source_66+dfsg-1.1_all.deb
to pool/main/k/kvm/kvm-source_66+dfsg-1.1_all.deb
kvm_66+dfsg-1.1.diff.gz
to pool/main/k/kvm/kvm_66+dfsg-1.1.diff.gz
kvm_66+dfsg-1.1.dsc
to pool/main/k/kvm/kvm_66+dfsg-1.1.dsc
kvm_66+dfsg-1.1_i386.deb
to pool/main/k/kvm/kvm_66+dfsg-1.1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steffen Joeris <[EMAIL PROTECTED]> (supplier of updated kvm package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 20 May 2008 13:28:14 +0000
Source: kvm
Binary: kvm kvm-data kvm-source
Architecture: source all i386
Version: 66+dfsg-1.1
Distribution: unstable
Urgency: high
Maintainer: Jan Lübbe <[EMAIL PROTECTED]>
Changed-By: Steffen Joeris <[EMAIL PROTECTED]>
Description:
kvm - Full virtualization on x86 hardware
kvm-data - Data files for the KVM package
kvm-source - Source for the KVM driver
Closes: 480011 481204
Changes:
kvm (66+dfsg-1.1) unstable; urgency=high
.
* Non-maintainer upload by the security team
* Merge the fixes for the security issues in the embedded qemu
version (Closes: #480011) Thanks to Jamie Strandboge
- Add CVE-2007-1320+1321+1322+1366+2893.patch from from qemu 0.9.1-1
to address the following issues:
- Cirrus LGD-54XX "bitblt" heap overflow.
- NE2000 "mtu" heap overflow.
- QEMU "net socket" heap overflow.
- QEMU NE2000 "receive" integer signedness error.
- Infinite loop in the emulated SB16 device.
- Unprivileged "aam" instruction does not correctly handle the
undocumented divisor operand.
- Unprivileged "icebp" instruction will halt emulation.
* Include patch which defaults to existing behaviour (probing based on file
contents), so it still requires the mgmt app (e.g. libvirt xml) to
pass a new "format=raw" parameter for raw disk images
- Fixes possible privilege escalation, which could allow guest users
to read arbitrary files on the host by modifying the header to identify
a different format (Closes: #481204) Fixes: CVE-2008-2004
Checksums-Sha1:
91a99c6cd0fb41e7ce54e413f1d8b1ca939f9347 1308 kvm_66+dfsg-1.1.dsc
d03b192d199763803083e1c88d3fbe7ac80f35c5 34347 kvm_66+dfsg-1.1.diff.gz
3b32e47d274d621c760209cc686a14a232295e6e 186850 kvm-data_66+dfsg-1.1_all.deb
7d84ae37e8f8fb08e49efed0f9f659a18acee34d 158952 kvm-source_66+dfsg-1.1_all.deb
917f2b97235de8ee38254f42b1a428208fada0d5 632944 kvm_66+dfsg-1.1_i386.deb
Checksums-Sha256:
a66a2f026ba401e7a0115b1923bd86e52390e2015a58ceb4637b4f5e18abc1ce 1308
kvm_66+dfsg-1.1.dsc
0d65d3c69bf308ddce0f37c23e36fb1a3a69ed245729646293932e54b248deff 34347
kvm_66+dfsg-1.1.diff.gz
f25066a3281482ae0f2c043a954c1b566d39a66a3b5eac5e9aec35ff9f6456b8 186850
kvm-data_66+dfsg-1.1_all.deb
37934401158248b77f3daa3ed9fdf1aa1ba268efc7491788eafbc39bc7fa538e 158952
kvm-source_66+dfsg-1.1_all.deb
f4c635a3927c2b19d1c3fafe4df16096a54113144c4e149fc9960562195657bf 632944
kvm_66+dfsg-1.1_i386.deb
Files:
23def165ed98f21c558245099146b41d 1308 misc optional kvm_66+dfsg-1.1.dsc
5d3bf47baebe9a89d771b30830c9df92 34347 misc optional kvm_66+dfsg-1.1.diff.gz
6b0557c6e139d5803f0878438d49a281 186850 misc optional
kvm-data_66+dfsg-1.1_all.deb
0528a7efdd3d30b8d28c4e0674ec28c1 158952 misc optional
kvm-source_66+dfsg-1.1_all.deb
202bae86a7d24a0d3270fd91c440922e 632944 misc optional kvm_66+dfsg-1.1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFIMuDa62zWxYk/rQcRAhzzAKCtHxSlNFh0pwUMOb8jHmMkmRY3owCfWCiJ
Nd8wh9rdLpYp6KU6pkcSqD0=
=H9hM
-----END PGP SIGNATURE-----
--- End Message ---
