Your message dated Wed, 21 Oct 2009 22:04:18 +0000
with message-id <e1n0ji2-0007ud...@ries.debian.org>
and subject line Bug#548975: fixed in kvm 72+dfsg-5+squeeze1
has caused the Debian Bug report #548975,
regarding kvm-source: allows MMU hypercalls from ring > 0
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
548975: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=548975
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: kvm-source
Version: 85+dfsg-4
Severity: critical
Tags: patch security
Justification: potential privilege escalation
Upstream patch:
http://git.kernel.org/?p=virt/kvm/kvm.git;a=commitdiff;h=07708c4af1346ab1521b26a202f438366b7bcffd
Please mention CVE-2009-3290 in your changelog.
diff -urpN kvm-85+dfsg.orig/debian/patches/CVE-2009-3290.patch
kvm-85+dfsg/debian/patches/CVE-2009-3290.patch
--- kvm-85+dfsg.orig/debian/patches/CVE-2009-3290.patch 1969-12-31
17:00:00.000000000 -0700
+++ kvm-85+dfsg/debian/patches/CVE-2009-3290.patch 2009-09-29
17:05:38.000000000 -0600
@@ -0,0 +1,34 @@
+diff -urpN kvm-85+dfsg.orig/kernel/include/linux/kvm_para.h
kvm-85+dfsg/kernel/include/linux/kvm_para.h
+--- kvm-85+dfsg.orig/kernel/include/linux/kvm_para.h 2009-04-21
04:04:03.000000000 -0600
++++ kvm-85+dfsg/kernel/include/linux/kvm_para.h 2009-09-29
17:04:54.000000000 -0600
+@@ -53,6 +53,7 @@
+ #define KVM_ENOSYS 1000
+ #define KVM_EFAULT EFAULT
+ #define KVM_E2BIG E2BIG
++#define KVM_EPERM EPERM
+
+ #define KVM_HC_VAPIC_POLL_IRQ 1
+ #define KVM_HC_MMU_OP 2
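Review bot: KVM_EPERM is defined as a plain alias of EPERM beside KVM_EFAULT and KVM_E2BIG, which follows the existing convention in this header; because kvm_para.h is guest-visible, the new error code is part of the hypercall ABI and should be documented in the patch description so guest code can tell a privilege-level rejection (-KVM_EPERM) apart from an unknown hypercall number (-KVM_ENOSYS).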
+diff -urpN kvm-85+dfsg.orig/kernel/x86/x86.c kvm-85+dfsg/kernel/x86/x86.c
+--- kvm-85+dfsg.orig/kernel/x86/x86.c 2009-04-21 04:04:13.000000000 -0600
++++ kvm-85+dfsg/kernel/x86/x86.c 2009-09-29 17:05:01.000000000 -0600
+@@ -2873,6 +2873,11 @@ int kvm_emulate_hypercall(struct kvm_vcp
+ a3 &= 0xFFFFFFFF;
+ }
+
++ if (kvm_x86_ops->get_cpl(vcpu) != 0) {
++ ret = -KVM_EPERM;
++ goto out;
++ }
++
+ switch (nr) {
+ case KVM_HC_VAPIC_POLL_IRQ:
+ ret = 0;
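Review bot: the CPL gate `if (kvm_x86_ops->get_cpl(vcpu) != 0)` is placed after the 32-bit argument masking and before `switch (nr)`, so every hypercall number, including KVM_HC_VAPIC_POLL_IRQ, is now refused for guest CPL > 0, not only the KVM_HC_MMU_OP named in the bug title; that is the conservative choice but it should be stated explicitly in the patch description. A one-line comment above the check explaining that only ring-0 guest code may issue hypercalls would help future readers, and note that `goto out` depends on the `out:` label introduced in the following hunk, so the two hunks must always be applied together.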
+@@ -2884,6 +2889,7 @@ int kvm_emulate_hypercall(struct kvm_vcp
+ ret = -KVM_ENOSYS;
+ break;
+ }
++out:
+ kvm_register_write(vcpu, VCPU_REGS_RAX, ret);
+ ++vcpu->stat.hypercalls;
+ return r;
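Review bot: the `out:` label lands before `kvm_register_write(vcpu, VCPU_REGS_RAX, ret)` and `++vcpu->stat.hypercalls`, so a rejected call still hands -KVM_EPERM back to the guest in RAX and is still counted in the hypercall statistic, while the function's own return value `r` (the handled-exit status) is unaffected; the description should mention that the counter now includes refused calls, which is helpful on the host side for noticing a guest that repeatedly attempts hypercalls from user mode.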
diff -urpN kvm-85+dfsg.orig/debian/patches/series
kvm-85+dfsg/debian/patches/series
--- kvm-85+dfsg.orig/debian/patches/series 2009-09-29 17:04:12.000000000
-0600
+++ kvm-85+dfsg/debian/patches/series 2009-09-29 17:05:53.000000000 -0600
@@ -8,3 +8,4 @@ from-debian-qemu/62_linux_boot_nasm.patc
security/leftover.patch
qemu-ifup_head.patch
readd_drive_boot_parameter_help.patch
+CVE-2009-3290.patch
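Review bot: the series file already uses a security/ subdirectory (security/leftover.patch), so adding the new patch as security/CVE-2009-3290.patch would keep the existing layout convention; appending it at the end of the series is otherwise fine since it only touches kernel/include/linux/kvm_para.h and kernel/x86/x86.c.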
--- End Message ---
--- Begin Message ---
Source: kvm
Source-Version: 72+dfsg-5+squeeze1
We believe that the bug you reported is fixed in the latest version of
kvm, which is due to be installed in the Debian FTP archive:
kvm-source_72+dfsg-5+squeeze1_all.deb
to pool/main/k/kvm/kvm-source_72+dfsg-5+squeeze1_all.deb
kvm_72+dfsg-5+squeeze1.diff.gz
to pool/main/k/kvm/kvm_72+dfsg-5+squeeze1.diff.gz
kvm_72+dfsg-5+squeeze1.dsc
to pool/main/k/kvm/kvm_72+dfsg-5+squeeze1.dsc
kvm_72+dfsg-5+squeeze1_i386.deb
to pool/main/k/kvm/kvm_72+dfsg-5+squeeze1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 548...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Giuseppe Iuculano <iucul...@debian.org> (supplier of updated kvm package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 10 Oct 2009 12:13:56 +0200
Source: kvm
Binary: kvm kvm-source
Architecture: source all i386
Version: 72+dfsg-5+squeeze1
Distribution: testing-security
Urgency: high
Maintainer: Jan Lübbe <jlue...@debian.org>
Changed-By: Giuseppe Iuculano <iucul...@debian.org>
Description:
kvm - Full virtualization on x86 hardware
kvm-source - Source for the KVM driver
Closes: 509997 548975
Changes:
kvm (72+dfsg-5+squeeze1) testing-security; urgency=high
.
* Non-maintainer upload by the testing Security Team.
* Considers hypercalls valid only if issued from guest ring 0 (CVE-2009-3290)
(Closes: 548975)
* Add patch from upstream qemu for CVE-2008-5714 (Closes: #509997)
Checksums-Sha1:
3ba66967d6e7559820f6ebf39acc9f02e071c030 1368 kvm_72+dfsg-5+squeeze1.dsc
7bcec0c4ea199f62382175bea27d669f91cabda6 40783 kvm_72+dfsg-5+squeeze1.diff.gz
31e4330be6efb606197efc544fd459b92ec7e183 157980 kvm-source_72+dfsg-5+squeeze1_all.deb
05c3a49b3dce70641df6939f1578cc1b6f9f7962 1028406 kvm_72+dfsg-5+squeeze1_i386.deb
Checksums-Sha256:
59471ebe704669a0f3dbf143f0803fa01713ad8dce2e22d3e701f3d97788fef5 1368 kvm_72+dfsg-5+squeeze1.dsc
64bf1357c82b29e870df09679406790a2bae6717956f4967f49ac63b6ad0ddfd 40783 kvm_72+dfsg-5+squeeze1.diff.gz
587b4840a0c52baccd906d0dc472e07248e0247f3459112ca89b20898ca06a68 157980 kvm-source_72+dfsg-5+squeeze1_all.deb
c4cbce4fe8a0b926a14a119a6da39da87c37851005f4bb5a1569e8e7344ba39e 1028406 kvm_72+dfsg-5+squeeze1_i386.deb
Files:
c33280ada49a11de7544aabbcec26ec4 1368 misc optional kvm_72+dfsg-5+squeeze1.dsc
49057a37741903ea84a415b7b5d15845 40783 misc optional kvm_72+dfsg-5+squeeze1.diff.gz
61ec8f48ca05a53590653bb9a4e56ea9 157980 misc optional kvm-source_72+dfsg-5+squeeze1_all.deb
dc05a6168cfb7788a8702e4c09df0351 1028406 misc optional kvm_72+dfsg-5+squeeze1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkrVaqgACgkQNxpp46476aoOqQCeMAWKGUo4qLh81h6PJOs6z/hm
btIAoIBClCw/iJcodrUcaeV+A8rgxK/d
=050j
-----END PGP SIGNATURE-----
--- End Message ---