On Wed, Mar 10, 2010 at 02:18:38PM -0500, Daniel Kahn Gillmor wrote: > Hi Debian Security folks-- > > On 03/10/2010 01:18 PM, dann frazier wrote: > > ------------------------------------------------------------------------ > > Debian Security Advisory DSA-2010 [email protected] > > http://www.debian.org/security/ Dann Frazier > > March 10, 2010 http://www.debian.org/security/faq > > ------------------------------------------------------------------------ > > > > Package : kvm > > Vulnerability : privilege escalation/denial of service > > Problem type : local > > Debian-specific: no > > CVE Id(s) : CVE-2010-0298 CVE-2010-0306 CVE-2010-0309 CVE-2010-0419 > > > > Several local vulnerabilities have been discovered in kvm, a full > > virtualization system. The Common Vulnerabilities and Exposures project > > identifies the following problems: > > > > CVE-2010-0298 & CVE-2010-0306 > > > > Gleb Natapov discovered issues in the KVM subsystem where missing > > permission checks (CPL/IOPL) permit a user in a guest system to > > denial of service a guest (system crash) or gain escalated > > privileges with the guest. > > > > CVE-2010-0309 > > > > Marcelo Tosatti fixed an issue in the PIT emulation code in the > > KVM subsystem that allows privileged users in a guest domain to > > cause a denial of service (crash) of the host system. > > > > CVE-2010-0419 > > > > Paolo Bonzini found a bug in KVM that can be used to bypass proper > > permission checking while loading segment selectors. This > > potentially allows privileged guest users to execute privileged > > instructions on the host system. > > > > For the stable distribution (lenny), this problem has been fixed in > > version 72+dfsg-5~lenny5. > > > > For the testing distribution (squeeze), and the unstable distribution (sid), > > these problems will be addressed within the linux-2.6 package. > > > > We recommend that you upgrade your kvm package. > > > > Upgrade instructions > > -------------------- > > > > wget url > > will fetch the file for you > > dpkg -i file.deb > > will install the referenced file. > > > > If you are using the apt-get package manager, use the line for > > sources.list as given below: > > > > apt-get update > > will update the internal database > > apt-get upgrade > > will install corrected packages > > > > You may use an automated update by adding the resources from the > > footer to the proper configuration. > > It's not clear to me from the instructions above whether users should > re-build their kvm modules package as well as installing the revised > versions. > > Is the vulnerability fully-resolved by simply upgrading the kvm package? > (i really don't know, and figure y'all are the right folks to ask).
If you've never built/installed modules from the kvm-source package, this advisory does not apply to you. If you have - you will need to update your kernel-source package and rebuild/reload those modules. > I note that there are kvm modules shipped with the default stable > kernel. Yes, these issues are being tracked there as well (3/4 are already fixed in the latest stable update) > If more steps are needed, maybe we need additional DSA boilerplate for > these kind of announcements in the future. Yes, that's probably a good idea. > Thanks for all the work you do to keep debian in good shape. it's very > much appreciated! > > --dkg > -- dann frazier -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]
