Package: qemu-utils
Version: 1.1.2+dfsg-1
Severity: normal
Tags: security patch upstream

The qemu-nbd utility does not have an option to specify the format of the block image it serves, so it is possible for a guest (user of the nbd device) to write data to it in such a way that it looks like some format known to qemu-nbd, and the next time qemu-nbd is restarted with the same image, it will be tricked into interpreting that (probably specially crafted) format. It is very similar to an old vulnerability in qemu itself, CVE-2008-2004.

https://bugzilla.redhat.com/show_bug.cgi?id=923219
http://www.openwall.com/lists/oss-security/2013/04/15/3

The upstream fix -- https://bugzilla.redhat.com/attachment.cgi?id=712650&action=diff -- merely adds an option to qemu-nbd that allows specifying the format of the image explicitly instead of always relying on guessing.

I don't think this is a serious issue, for several reasons:

 o qemu-nbd isn't usually used in production where there's a chance to hit a malicious guest. Instead, it is used mostly for testing or for access to the guest image from the host, for administrative purposes; in both cases the issue isn't serious.

 o even when modified to understand a new option, all relevant usages should be modified as well, to utilize the new option.

However, it's still nice to fix it in the Debian package. I'm not sure yet whether we should fix it for wheezy or not.

Thanks,

/mjt
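A defensive check for the situation described in the report, as an added example that is not part of the original bug report or of QEMU: it inspects the first sector of an image that is meant to be served as raw and flags a header carrying the magic of another image format. The magic table is a simplified assumption (QEMU's own probing is more elaborate), and the function names and sample headers are constructed for illustration.

```python
import struct

# (offset, magic bytes, format name). Simplified list of well-known
# image-format signatures; an assumption, not QEMU's probing code.
MAGICS = [
    (0, b"QFI\xfb", "qcow/qcow2"),
    (0, b"QED\x00", "qed"),
    (0, b"KDMV", "vmdk"),
    (0, b"COWD", "vmdk"),
    (0, b"conectix", "vpc"),
    (64, b"\x7f\x10\xda\xbe", "vdi"),
]


def probe_header(header: bytes):
    """Return the format a header suggests, or None if it looks like plain raw."""
    for offset, magic, name in MAGICS:
        if header[offset:offset + len(magic)] == magic:
            return name
    return None


def audit_raw_header(header: bytes) -> str:
    """Classify the first sector of an image that is supposed to be raw."""
    fmt = probe_header(header)
    if fmt is None:
        return "ok: no known format magic"
    detail = ""
    if fmt == "qcow/qcow2" and len(header) >= 8:
        # The qcow version is a big-endian 32-bit field after the magic.
        (version,) = struct.unpack(">I", header[4:8])
        detail = f" (version field {version})"
    return f"warning: header looks like {fmt}{detail}; declare the format explicitly"


def audit_image(path: str) -> str:
    """Read the first 512 bytes of an image file and audit them."""
    with open(path, "rb") as f:
        return audit_raw_header(f.read(512))


# Constructed sample headers (not taken from any real image).
CLEAN_RAW = bytes(512)
GUEST_WRITTEN = b"QFI\xfb" + struct.pack(">I", 2) + bytes(504)

if __name__ == "__main__":
    for label, hdr in (("clean", CLEAN_RAW), ("guest-written", GUEST_WRITTEN)):
        print(label, "->", audit_raw_header(hdr))
```

A warning here means the image should only be opened with the format stated explicitly, for example `qemu-nbd --format=raw` on a build that carries the new option.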