Your message dated Tue, 13 Oct 2009 19:54:09 +0000
with message-id <[email protected]>
and subject line Bug#548975: fixed in kvm 72+dfsg-5~lenny3
has caused the Debian Bug report #548975,
regarding kvm-source: allows MMU hypercalls from ring > 0
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
548975: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=548975
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: kvm-source
Version: 85+dfsg-4
Severity: critical
Tags: patch security
Justification: potential privilege escalation
Upstream patch:
http://git.kernel.org/?p=virt/kvm/kvm.git;a=commitdiff;h=07708c4af1346ab1521b26a202f438366b7bcffd
Please mention CVE-2009-3290 in your changelog.
diff -urpN kvm-85+dfsg.orig/debian/patches/CVE-2009-3290.patch
kvm-85+dfsg/debian/patches/CVE-2009-3290.patch
--- kvm-85+dfsg.orig/debian/patches/CVE-2009-3290.patch 1969-12-31
17:00:00.000000000 -0700
+++ kvm-85+dfsg/debian/patches/CVE-2009-3290.patch 2009-09-29
17:05:38.000000000 -0600
@@ -0,0 +1,34 @@
+diff -urpN kvm-85+dfsg.orig/kernel/include/linux/kvm_para.h
kvm-85+dfsg/kernel/include/linux/kvm_para.h
+--- kvm-85+dfsg.orig/kernel/include/linux/kvm_para.h 2009-04-21
04:04:03.000000000 -0600
++++ kvm-85+dfsg/kernel/include/linux/kvm_para.h 2009-09-29
17:04:54.000000000 -0600
+@@ -53,6 +53,7 @@
+ #define KVM_ENOSYS 1000
+ #define KVM_EFAULT EFAULT
+ #define KVM_E2BIG E2BIG
++#define KVM_EPERM EPERM
+
+ #define KVM_HC_VAPIC_POLL_IRQ 1
+ #define KVM_HC_MMU_OP 2
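Review bot: nothing to change in the kvm_para.h hunk; KVM_EPERM follows the pattern of the neighbouring KVM_EFAULT and KVM_E2BIG definitions (aliasing the host errno value), and because kvm_para.h is the header shared with the guest, guest code can distinguish a refused hypercall (-KVM_EPERM) from an unimplemented one (-KVM_ENOSYS).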
+diff -urpN kvm-85+dfsg.orig/kernel/x86/x86.c kvm-85+dfsg/kernel/x86/x86.c
+--- kvm-85+dfsg.orig/kernel/x86/x86.c 2009-04-21 04:04:13.000000000 -0600
++++ kvm-85+dfsg/kernel/x86/x86.c 2009-09-29 17:05:01.000000000 -0600
+@@ -2873,6 +2873,11 @@ int kvm_emulate_hypercall(struct kvm_vcp
+ a3 &= 0xFFFFFFFF;
+ }
+
++ if (kvm_x86_ops->get_cpl(vcpu) != 0) {
++ ret = -KVM_EPERM;
++ goto out;
++ }
++
+ switch (nr) {
+ case KVM_HC_VAPIC_POLL_IRQ:
+ ret = 0;
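Review bot: the privilege check sits after the argument masking and before the switch on nr, so it gates every hypercall number, including KVM_HC_VAPIC_POLL_IRQ and KVM_HC_MMU_OP, which is what the bug title (MMU hypercalls from ring > 0) and the changelog wording require; kvm_x86_ops->get_cpl(vcpu) is the vendor backend's CPL lookup, so the decision is taken from the vCPU's segment state rather than from anything the guest passes in registers. Since the patch file was produced against kvm-85+dfsg and the closing upload is 72+dfsg-5~lenny3, it is worth confirming that get_cpl exists in that tree's kvm_x86_ops before applying the hunk there.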
+@@ -2884,6 +2889,7 @@ int kvm_emulate_hypercall(struct kvm_vcp
+ ret = -KVM_ENOSYS;
+ break;
+ }
++out:
+ kvm_register_write(vcpu, VCPU_REGS_RAX, ret);
+ ++vcpu->stat.hypercalls;
+ return r;
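Review bot: the `out:` label lands before kvm_register_write(vcpu, VCPU_REGS_RAX, ret), so a rejected call still reports -KVM_EPERM to the guest in RAX and still increments vcpu->stat.hypercalls, while the host-side return value r is untouched; a ring-3 hypercall is therefore handled entirely inside the kernel with no exit to userspace, and the stat counter now also counts refused calls, which is handy for noticing a guest process probing the hypercall interface. One documentation point: nothing in the patch records that the counter includes refused calls from now on.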
diff -urpN kvm-85+dfsg.orig/debian/patches/series
kvm-85+dfsg/debian/patches/series
--- kvm-85+dfsg.orig/debian/patches/series 2009-09-29 17:04:12.000000000
-0600
+++ kvm-85+dfsg/debian/patches/series 2009-09-29 17:05:53.000000000 -0600
@@ -8,3 +8,4 @@ from-debian-qemu/62_linux_boot_nasm.patc
security/leftover.patch
qemu-ifup_head.patch
readd_drive_boot_parameter_help.patch
+CVE-2009-3290.patch
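Review bot: appending CVE-2009-3290.patch at the end of debian/patches/series avoids reordering the existing qemu-side patches and is appropriate for a fix that only touches kernel/ sources (kvm_para.h and x86.c). Since the inner patch headers reference the kvm-85+dfsg tree while the upload that closes this bug is 72+dfsg-5~lenny3, the hunk offsets (x86.c line 2873) and the kernel/ paths should be re-checked against the 72+dfsg source before the entry is added to that series.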
--- End Message ---
--- Begin Message ---
Source: kvm
Source-Version: 72+dfsg-5~lenny3
We believe that the bug you reported is fixed in the latest version of
kvm, which is due to be installed in the Debian FTP archive:
kvm-source_72+dfsg-5~lenny3_all.deb
to pool/main/k/kvm/kvm-source_72+dfsg-5~lenny3_all.deb
kvm_72+dfsg-5~lenny3.diff.gz
to pool/main/k/kvm/kvm_72+dfsg-5~lenny3.diff.gz
kvm_72+dfsg-5~lenny3.dsc
to pool/main/k/kvm/kvm_72+dfsg-5~lenny3.dsc
kvm_72+dfsg-5~lenny3_i386.deb
to pool/main/k/kvm/kvm_72+dfsg-5~lenny3_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Giuseppe Iuculano <[email protected]> (supplier of updated kvm package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 11 Oct 2009 11:16:45 +0200
Source: kvm
Binary: kvm kvm-source
Architecture: source all i386
Version: 72+dfsg-5~lenny3
Distribution: stable-security
Urgency: high
Maintainer: Jan Lübbe <[email protected]>
Changed-By: Giuseppe Iuculano <[email protected]>
Description:
kvm - Full virtualization on x86 hardware
kvm-source - Source for the KVM driver
Closes: 509997 548975
Changes:
kvm (72+dfsg-5~lenny3) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Considers hypercalls valid only if issued from guest ring 0 (CVE-2009-3290)
(Closes: 548975)
* Add patch from upstream qemu for CVE-2008-5714 (Closes: #509997)
Checksums-Sha1:
00a4bcd797dbe7652ba7f5968be9869a9d99e02a 1349 kvm_72+dfsg-5~lenny3.dsc
219f2ffc5be63cbff233fd348ffc4bc3ddbdd2ed 41138 kvm_72+dfsg-5~lenny3.diff.gz
e392433c16cb740df6b2d826c23e0a881b59e652 158242 kvm-source_72+dfsg-5~lenny3_all.deb
c7e0d3457e8efbb757240a4aa02e967acd936514 1030530 kvm_72+dfsg-5~lenny3_i386.deb
Checksums-Sha256:
54d3347499c9c24827eeb4b4568c5a73cf26bbfa655ad79b7a5f4c05ba26059e 1349 kvm_72+dfsg-5~lenny3.dsc
df4ffabe2b4a8adc7f169345b68442685da1b01709dd33de8ea743702fd81a88 41138 kvm_72+dfsg-5~lenny3.diff.gz
4a74874157b2595b0622d9a91924152b52d340125a72bd86b075d42e48839633 158242 kvm-source_72+dfsg-5~lenny3_all.deb
fd384a7432430494d90285c8b2c64f9b5c9f62722ee99779ce36f2c2f6a5f5b1 1030530 kvm_72+dfsg-5~lenny3_i386.deb
Files:
da207d5f42ab45ed3956be5fcb6ad685 1349 misc optional kvm_72+dfsg-5~lenny3.dsc
f28b640e60392636399873e99b6cc5e3 41138 misc optional kvm_72+dfsg-5~lenny3.diff.gz
8cee5a68dadbbceecdac6330b69fa59f 158242 misc optional kvm-source_72+dfsg-5~lenny3_all.deb
313f1a0d91889bf167c4e1aaf57a027d 1030530 misc optional kvm_72+dfsg-5~lenny3_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkrRpgIACgkQNxpp46476aoN/QCfe5JKI+/qU4fWRZOfu7V6adIv
Z4AAn1/iPp2Xqkd9D3f1ZRefNtyxNV50
=rSDj
-----END PGP SIGNATURE-----
--- End Message ---