Package: src:linux Version: 4.0.7-1 Severity: important Tags: security upstream
As discussed in <http://thread.gmane.org/gmane.linux.kernel/1991020> and <http://thread.gmane.org/gmane.linux.kernel/1992842>, the Linux kernel's 'vm86' support for real mode virtual machines on i386 is not well maintained upstream. It is likely to have security flaws due to its strange interaction with the kernel entry/exit paths. There are now very few userland programs that depend on it. dosemu, vbetool and some X drivers used to, but since wheezy (or earlier) they use libx86 which has an automatic fallback to pure software emulation even on i386. Based on a quick review using codesearch, I believe the only remaining run-time dependencies on vm86 in Debian are: - Support for running DOS applications from wine - but it will use DOSBox by preference - Build-time tests of mbr - could be disabled - Various versions of the lrmi library embedded in libucimf, zhcon, atitvout and s3switch - libx86 should be a drop-in replacement for this Ben. -- System Information: Debian Release: stretch/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: i386 (x86_64) Foreign Architectures: amd64 Kernel: Linux 4.0.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) _______________________________________________ Secure-testing-team mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
