Your message dated Wed, 13 Jul 2011 07:32:35 +0000
with message-id <e1qgtvv-0005ji...@franck.debian.org>
and subject line Bug#633669: fixed in qemu-kvm 0.14.1+dfsg-3
has caused the Debian Bug report #633669,
regarding CVE-2011-2527: qemu-kvm -runas does not clear supplementary groups
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
633669: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=633669
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: qemu-kvm
Version: 0.12.5+dfsg-5
Severity: serious
Tags: patch squeeze sid upstream security

qemu-kvm does not clear the list of supplementary groups
when processing the -runas argument, which is supposed to tell
it to drop as many privileges as possible.

See https://bugs.launchpad.net/bugs/807893 for details.



--- End Message ---
--- Begin Message ---
Source: qemu-kvm
Source-Version: 0.14.1+dfsg-3

We believe that the bug you reported is fixed in the latest version of
qemu-kvm, which is due to be installed in the Debian FTP archive:

kvm_0.14.1+dfsg-3_i386.deb
  to main/q/qemu-kvm/kvm_0.14.1+dfsg-3_i386.deb
qemu-kvm-dbg_0.14.1+dfsg-3_i386.deb
  to main/q/qemu-kvm/qemu-kvm-dbg_0.14.1+dfsg-3_i386.deb
qemu-kvm_0.14.1+dfsg-3.debian.tar.gz
  to main/q/qemu-kvm/qemu-kvm_0.14.1+dfsg-3.debian.tar.gz
qemu-kvm_0.14.1+dfsg-3.dsc
  to main/q/qemu-kvm/qemu-kvm_0.14.1+dfsg-3.dsc
qemu-kvm_0.14.1+dfsg-3_i386.deb
  to main/q/qemu-kvm/qemu-kvm_0.14.1+dfsg-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 633...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <m...@tls.msk.ru> (supplier of updated qemu-kvm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 13 Jul 2011 00:59:47 +0400
Source: qemu-kvm
Binary: qemu-kvm qemu-kvm-dbg kvm
Architecture: source i386
Version: 0.14.1+dfsg-3
Distribution: unstable
Urgency: high
Maintainer: Jan Lübbe <jlue...@debian.org>
Changed-By: Michael Tokarev <m...@tls.msk.ru>
Description: 
 kvm        - dummy transitional package from kvm to qemu-kvm
 qemu-kvm   - Full virtualization on x86 hardware
 qemu-kvm-dbg - Debugging info for qemu-kvm
Closes: 632987 633669
Changes: 
 qemu-kvm (0.14.1+dfsg-3) unstable; urgency=high
 .
   * virtio-fix-indirect-descriptor-buffer-overflow-CVE-2011-2212
     fixes a guest-triggerable buffer overflow in virtio handling
     (closes: #632987)
   * os-posix-set-groups-properly-for--runas-CVE-2011-2527
     clears supplementary groups for -runas (closes: #633669)
   * two security updates so urgency is high

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

-----END PGP SIGNATURE-----



--- End Message ---
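
The privilege-drop sequence that the -runas report and the changelog entry above concern, as an added example (not the QEMU or Debian patch). The helper names `only_group` and `drop_privileges` and the uid/gid 65534 are assumptions made for illustration; this sketch clears the group list with setgroups(2), and it must be started as root to succeed.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if every entry in list equals gid (an empty list also passes). */
static int only_group(const gid_t *list, int n, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if (list[i] != gid)
            return 0;
    return 1;
}

/* Hypothetical helper: drop from root to uid/gid. Order matters:
 * supplementary groups and gid go first, because both calls need
 * privileges that are gone once setuid() has succeeded. Returns 0 or -1. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t now[256];
    int n;

    if (setgroups(1, &gid) < 0)   /* clears the groups inherited from root */
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;

    /* Verify the result instead of trusting return codes alone. */
    if (uid != 0 && setuid(0) == 0)
        return -1;                /* root could be regained */
    n = getgroups(256, now);
    if (n < 0 || !only_group(now, n, gid))
        return -1;                /* inherited groups survived the drop */
    return (getuid() == uid && geteuid() == uid &&
            getgid() == gid && getegid() == gid) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample target: uid/gid 65534 ("nobody" on many systems). */
    if (drop_privileges(65534, 65534) < 0) {
        fprintf(stderr, "privilege drop failed or was incomplete\n");
        return 1;
    }
    puts("privileges dropped, no inherited groups left");
    return 0;
}
```

On a running process, the `Groups:` line of `/proc/<pid>/status` shows whether supplementary groups from the launching account are still attached.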
