[Bug 453441] Re: qemu-kvm should link against libcurl to be able to boot/stream off of http://..../*.iso
This bug was fixed in the package qemu-kvm - 0.11.0-0ubuntu6.3 --- qemu-kvm (0.11.0-0ubuntu6.3) karmic-security; urgency=low * SECURITY UPDATE: linux = 2.6.25 guests (e.g. hardy) with virtio networking are subject to DoS by qemu-kvm application crash; the crash can be remotely triggered by a malicious user flooding any open network port (LP: #458521) - debian/patches/12_whitelist_host_virtio_networking_features.patch: fix accounting of virtio networking features available to make available to the guests - CVE-2009- * debian/kvm-ok: check for other common reasons why KVM might not be usable, LP: #452323 * debian/control: build-depend on libcurl devel, to allow booting from ISOs over http, LP: #453441 -- Dustin Kirkland kirkl...@ubuntu.com Thu, 29 Oct 2009 11:36:18 -0500 ** Changed in: qemu-kvm (Ubuntu Karmic) Status: Fix Committed = Fix Released -- qemu-kvm should link against libcurl to be able to boot/stream off of http:///*.iso https://bugs.launchpad.net/bugs/453441 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 453441] Re: qemu-kvm should link against libcurl to be able to boot/stream off of http://..../*.iso
tested this as per the test case above using qemu-kvm 0.11.0-0ubuntu6.3 from karmic-proposed the test case works for me, within seconds i am greeted with the ubuntu installer menu. please advise if you require further information. regards -- qemu-kvm should link against libcurl to be able to boot/stream off of http:///*.iso https://bugs.launchpad.net/bugs/453441 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 453441] Re: qemu-kvm should link against libcurl to be able to boot/stream off of http://..../*.iso
** Tags added: verification-done ** Tags removed: verification-needed -- qemu-kvm should link against libcurl to be able to boot/stream off of http:///*.iso https://bugs.launchpad.net/bugs/453441 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 453441] Re: qemu-kvm should link against libcurl to be able to boot/stream off of http://..../*.iso
** Branch linked: lp:ubuntu/karmic-proposed/qemu-kvm -- qemu-kvm should link against libcurl to be able to boot/stream off of http:///*.iso https://bugs.launchpad.net/bugs/453441 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 453441] Re: qemu-kvm should link against libcurl to be able to boot/stream off of http://..../*.iso
Copied karmic-proposed to lucid. ** Changed in: qemu-kvm (Ubuntu) Status: In Progress = Fix Released ** Changed in: qemu-kvm (Ubuntu Karmic) Status: Fix Released = Fix Committed -- qemu-kvm should link against libcurl to be able to boot/stream off of http:///*.iso https://bugs.launchpad.net/bugs/453441 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 453441] Re: qemu-kvm should link against libcurl to be able to boot/stream off of http://..../*.iso
This bug was fixed in the package qemu-kvm - 0.11.0-0ubuntu6.3 --- qemu-kvm (0.11.0-0ubuntu6.3) karmic-security; urgency=low * SECURITY UPDATE: linux = 2.6.25 guests (e.g. hardy) with virtio networking are subject to DoS by qemu-kvm application crash; the crash can be remotely triggered by a malicious user flooding any open network port (LP: #458521) - debian/patches/12_whitelist_host_virtio_networking_features.patch: fix accounting of virtio networking features available to make available to the guests - CVE-2009- * debian/kvm-ok: check for other common reasons why KVM might not be usable, LP: #452323 * debian/control: build-depend on libcurl devel, to allow booting from ISOs over http, LP: #453441 -- Dustin Kirkland kirkl...@ubuntu.com Thu, 29 Oct 2009 11:36:18 -0500 ** Changed in: qemu-kvm (Ubuntu Karmic) Status: Fix Committed = Fix Released -- qemu-kvm should link against libcurl to be able to boot/stream off of http:///*.iso https://bugs.launchpad.net/bugs/453441 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 453441] Re: qemu-kvm should link against libcurl to be able to boot/stream off of http://..../*.iso
Martin, I've tested the package in karmic-proposed. Verifying this one is *very* easy. I would appreciate it if someone else would try the instructions in the description. :-Dustin ** Description changed: Binary package hint: qemu-kvm qemu-kvm has the ability to boot off of a remote, http iso. This is really, really useful, particularly when testing daily iso's, or from a system like my laptop with a small SSD hard drive. All we need to do to enable this is to build-depend on libcurl4-gnutls- dev. :-Dustin === SRU Justification This is truly a wishlist item, but absolutely trivial to fix, and very high impact. This should significantly improve our developers', testers', and users' abilities to test ISOs during the Lucid cycle. We simple need to build-depend on a curl library. This will enable kvm to actually boot using -cdrom http://remote.host/path/to/image.iso, streaming the ISO over a network connection. The impact is tremendous. On systems with relatively small hard disks (SSDs, eg), it can be very beneficial to save some disk space and stream ISOs. This should in no way affect any other functionality. The risk of regression should be negligible. TEST CASE: - * kvm -m 512 -cdrom http://mirrors.kernel.org/ubuntu-releases/8.04.3/ubuntu-8.04.3-desktop-amd64.iso + * kvm -m 512 -cdrom http://mirrors.kernel.org/ubuntu-releases/8.04.3/ubuntu-8.04.3-desktop-amd64.iso + Should boot to the graphical desktop. (Actually, you can stop if you see the bootloader screen.) === -- qemu-kvm should link against libcurl to be able to boot/stream off of http:///*.iso https://bugs.launchpad.net/bugs/453441 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 453441] Re: qemu-kvm should link against libcurl to be able to boot/stream off of http://..../*.iso
** Changed in: qemu-kvm (Ubuntu) Milestone: None = karmic-updates ** Also affects: qemu-kvm (Ubuntu Karmic) Importance: Wishlist Assignee: Dustin Kirkland (kirkland) Status: In Progress -- qemu-kvm should link against libcurl to be able to boot/stream off of http:///*.iso https://bugs.launchpad.net/bugs/453441 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 453441] Re: qemu-kvm should link against libcurl to be able to boot/stream off of http://..../*.iso
Patch attached for SRU review. I will upload it with 2 other bugs. :-Dustin ** Description changed: Binary package hint: qemu-kvm qemu-kvm has the ability to boot off of a remote, http iso. This is really, really useful, particularly when testing daily iso's, or from a system like my laptop with a small SSD hard drive. All we need to do to enable this is to build-depend on libcurl4-gnutls- dev. :-Dustin + + === + SRU Justification + + This is truly a wishlist item, but absolutely trivial to fix, and very + high impact. This should significantly improve our developers', + testers', and users' abilities to test ISOs during the Lucid cycle. We + simple need to build-depend on a curl library. This will enable kvm to + actually boot using -cdrom http://remote.host/path/to/image.iso, + streaming the ISO over a network connection. The impact is tremendous. + On systems with relatively small hard disks (SSDs, eg), it can be very + beneficial to save some disk space and stream ISOs. This should in no + way affect any other functionality. The risk of regression should be + negligible. + + TEST CASE: + * kvm -m 512 -cdrom http://mirrors.kernel.org/ubuntu-releases/8.04.3/ubuntu-8.04.3-desktop-amd64.iso + === ** Attachment added: 453441.patch http://launchpadlibrarian.net/34608852/453441.patch -- qemu-kvm should link against libcurl to be able to boot/stream off of http:///*.iso https://bugs.launchpad.net/bugs/453441 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 453441] Re: qemu-kvm should link against libcurl to be able to boot/stream off of http://..../*.iso
** Changed in: qemu-kvm (Ubuntu Karmic) Status: In Progress = Fix Committed -- qemu-kvm should link against libcurl to be able to boot/stream off of http:///*.iso https://bugs.launchpad.net/bugs/453441 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 453441] Re: qemu-kvm should link against libcurl to be able to boot/stream off of http://..../*.iso
This is a new feature which hasn't been in Ubuntu before. How much was this tested? Was there ever a review about potential security issues? Does it change the default behaviour in any way? -- qemu-kvm should link against libcurl to be able to boot/stream off of http:///*.iso https://bugs.launchpad.net/bugs/453441 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 453441] Re: qemu-kvm should link against libcurl to be able to boot/stream off of http://..../*.iso
On Thu, Oct 29, 2009 at 1:39 PM, Martin Pitt martin.p...@ubuntu.com wrote: This is a new feature which hasn't been in Ubuntu before. How much was this tested? I have run this extensively myself. The kvm I generally run on my own hardware is a kvm that I build myself. I have that library on my system and in my chroots, so the build of kvm that I've been using has had it for a while now. I use it extensively, as I boot from ISOs on my mirror over my local gigabit network all the time. Saves a lot of disk space on my local system. That said, I didn't notice that this was missing from the official deb's until very late into Karmic RC, so I didn't upload it. Was there ever a review about potential security issues? Not that I know of. Does it change the default behaviour in any way? Default behavior -- no. I think the risk of regression is very, very, very low. Most users will never boot from a remote ISO, so they'll never see this. If they do, and for some reason it doesn't work, then they're no worse off than they were before (not being able to boot from an ISO url). I think the upshot is very valuable. Many people (including Ubuntu developers) will continue using Karmic to develop Lucid. It would be very nice, this cycle, to be able to boot VMs in this way, using an http/ftp style URL. If you're really opposed to this, I suppose that we could just push it to -backports. That's okay, I guess. I simply added it to this SRU since I was fixing/uploading anyway, and the advantage is very nice. Thanks for the careful look, Martin. :-Dustin -- qemu-kvm should link against libcurl to be able to boot/stream off of http:///*.iso https://bugs.launchpad.net/bugs/453441 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to qemu-kvm in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
