Your message dated Wed, 25 Nov 2009 10:27:26 +0000
with message-id <[email protected]>
and subject line Bug#557736: fixed in kvm 88+dfsg-2
has caused the Debian Bug report #557736,
regarding kvm: CVE-2009-4004 buffer overflow
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
557736: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=557736
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: kvm
Version: 85+dfsg-4.1
Severity: serious
Tags: security
Hi,

the following CVE (Common Vulnerabilities & Exposures) id was
published for kvm.

CVE-2009-4004[0]:
| Buffer overflow in the kvm_vcpu_ioctl_x86_setup_mce function in
| arch/x86/kvm/x86.c in the KVM subsystem in the Linux kernel before
| 2.6.32-rc7 allows local users to cause a denial of service (memory
| corruption) or possibly gain privileges via a KVM_X86_SETUP_MCE IOCTL
| request that specifies a large number of Machine Check Exception (MCE)
| banks.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Note that only sid is affected; the vulnerable code is not present in
lenny.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4004
    http://security-tracker.debian.org/tracker/CVE-2009-4004
--- End Message ---
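
Added example, not part of the bug report and not code from the kvm source: a simplified C model of the bound that the CVE text above describes as missing, where a caller-supplied MCE bank count must be validated before it is used to index a fixed-size per-vCPU array. The names `vcpu_model`, `MAX_MCE_BANKS`, `REGS_PER_BANK`, `unchecked_extent` and `setup_mce_checked` are hypothetical, and the example assumes the bank count is carried in the low 8 bits of the capability word, as in IA32_MCG_CAP.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative constants, not taken from the kvm source. */
#define MAX_MCE_BANKS 32   /* banks the per-vCPU array has room for */
#define REGS_PER_BANK 4    /* CTL, STATUS, ADDR, MISC for each bank */

struct vcpu_model {        /* hypothetical stand-in for per-vCPU state */
    uint64_t mcg_cap;
    uint64_t mce_banks[MAX_MCE_BANKS * REGS_PER_BANK];
};

/* Bank count requested by the caller: low 8 bits of the capability word. */
static unsigned requested_banks(uint64_t mcg_cap)
{
    return (unsigned)(mcg_cap & 0xff);
}

/* Array slots a setup loop with no upper bound would write, for comparison
 * against the array size. Computes only; nothing is written. */
size_t unchecked_extent(uint64_t mcg_cap)
{
    unsigned n = requested_banks(mcg_cap);
    return n ? (size_t)(n - 1) * REGS_PER_BANK + 1 : 0;
}

/* Setup with the bound enforced before any write to mce_banks[]. */
int setup_mce_checked(struct vcpu_model *v, uint64_t mcg_cap)
{
    unsigned bank, n = requested_banks(mcg_cap);

    if (n == 0 || n > MAX_MCE_BANKS)
        return -EINVAL;            /* reject before touching the array */
    v->mcg_cap = mcg_cap;
    for (bank = 0; bank < n; bank++)   /* enable all errors on each bank */
        v->mce_banks[bank * REGS_PER_BANK] = ~(uint64_t)0;
    return 0;
}

int main(void)
{
    struct vcpu_model v;
    memset(&v, 0, sizeof v);
    printf("255 banks: needs %zu slots, array has %zu, checked rc=%d\n",
           unchecked_extent(0xff), sizeof v.mce_banks / sizeof v.mce_banks[0],
           setup_mce_checked(&v, 0xff));
    return 0;
}
```
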
--- Begin Message ---
Source: kvm
Source-Version: 88+dfsg-2
We believe that the bug you reported is fixed in the latest version of
kvm, which is due to be installed in the Debian FTP archive:

kvm-dbg_88+dfsg-2_i386.deb
  to main/k/kvm/kvm-dbg_88+dfsg-2_i386.deb
kvm-source_88+dfsg-2_all.deb
  to main/k/kvm/kvm-source_88+dfsg-2_all.deb
kvm_88+dfsg-2.diff.gz
  to main/k/kvm/kvm_88+dfsg-2.diff.gz
kvm_88+dfsg-2.dsc
  to main/k/kvm/kvm_88+dfsg-2.dsc
kvm_88+dfsg-2_i386.deb
  to main/k/kvm/kvm_88+dfsg-2_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guido Günther <[email protected]> (supplier of updated kvm package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 24 Nov 2009 21:17:58 +0100
Source: kvm
Binary: kvm kvm-source kvm-dbg
Architecture: source all i386
Version: 88+dfsg-2
Distribution: experimental
Urgency: low
Maintainer: Jan Lübbe <[email protected]>
Changed-By: Guido Günther <[email protected]>
Description:
kvm - Full virtualization on x86 hardware
kvm-dbg - Debugging info for kvm
kvm-source - Source for the KVM driver
Closes: 553986 557736 557737 557739
Changes:
kvm (88+dfsg-2) experimental; urgency=low
.
* [b2e3840] Make patches gbp-pq/git-am friendly. Drop unused patches.
* [4c9a8a5] Merge patches changing paths and also fix patch in vl.c.
(Closes: #553986)
* [b5b96e3] Fix CVE-2009-4004 (Closes: #557736)
* [1a64955] Fix CVE-2009-2287 (Closes: #557737)
* [a315182] Fix CVE-2009-3640 (Closes: #557737)
* [62a4d2f] Fix CVE-2009-3722 (Closes: #557739)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---