Date: Tue, 8 Dec 2009 21:52:37 -0600 From: Jamie Strandboge <jamie@...onical.com> To: oss-security@...ts.openwall.com Subject: Linux/QEMU issue Ubuntu recently released http://www.ubuntu.com/usn/USN-863-1 against qemu. Due to an oversight, this was not brought to the attention of oss-security before now. This issue is public and fixed upstream, and affects guests using a 2.6.25 kernel (or backported virtio net drivers from the 2.6.25 kernel, like our 8.04 LTS release does). Specifically, if a guest with the affected virtio net drivers is running under qemu/kvm, then if you saturate a network connection to the guest, the guest will crash. This is https://launchpad.net/bugs/458521. There was not consensus on whether this should get a CVE. You can see the patch and upstream discussion here: http://patchwork.kernel.org/patch/56479/ The bug is really two parts though: the qemu issue which crashes the guest, and the guest kernel writing garbage to the virtio net backend. We decided to fix it as a security update in qemu since a remote attacker could DoS an Ubuntu 8.04 LTS guest, possibly leading to data corruption within the guest. 2.6.26 and later kernels should not be affected. Jamie -- Jamie Strandboge | http://www.canonical.com Download attachment "signature.asc" of type "application/pgp-signature" (198 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.