Hi Michael,

On Thu, Feb 20, 2014 at 12:55:31PM +0400, Michael Tokarev wrote:
> > Hi,
> > multiple security issues were reported in qemu/KVM:
> [...]
> 
> These are all about the same thing, with references to 23 patches
> from the same thread starting there:
> 
>  http://lists.gnu.org/archive/html/qemu-devel/2013-12/msg00394.html
> 
> It is about state loading issues, which is about migration between
> two (hopefully) qemu instances or guest save/load functionality.
> The first message in the series explains conditions when this can
> happen.

I had missed the initial mail from the thread, that explains it well
enough. I agree that the attack scenario during migration between
nodes is negligible and a non-issue.

But I don't understand what is meant by the second part:

| * Saving/Loading state to/from file.
| For example:
| https://bugzilla.redhat.com/show_bug.cgi?id=588133#c8
| https://bugzilla.redhat.com/show_bug.cgi?id=588133#c9

The RH bugs are restricted and I don't understand what is meant with
"saving/loading state to/from file". Is this about snapshots or
malformed images? Do you have an idea?

> So.. oh well.  I'd really love to not backport all this shit to
> wheezy... ;)

If "Saving/Loading state to/from file" is negligible as well,
I would mark it as a non-issue in the tracker.

> But now I'm not really sure what to do with this bugreport.  It
> is a good amount of work, especially to backport those to wheezy
> (since code changed significantly since that), with quite low
> outcome (because the whole thing does not seem very important,
> even for qemu developers - note that this patchset hasn't been
> applied still, which might be due to another issue in qemu
> community).

Feel free to downgrade to non-RC severity until the patches
are merged in 1.8.

Cheers,
        Moritz

