
Re: [SECURITY] [DSA-2010-1] New kvm packages fix several vulnerabilities



On Wed, Mar 10, 2010 at 02:18:38PM -0500, Daniel Kahn Gillmor wrote:
> Hi Debian Security folks--
> 
> On 03/10/2010 01:18 PM, dann frazier wrote:
> > ------------------------------------------------------------------------
> > Debian Security Advisory DSA-2010                  security@debian.org
> > http://www.debian.org/security/                         Dann Frazier
> > March 10, 2010                   http://www.debian.org/security/faq
> > ------------------------------------------------------------------------
> > 
> > Package        : kvm
> > Vulnerability  : privilege escalation/denial of service
> > Problem type   : local
> > Debian-specific: no
> > CVE Id(s)      : CVE-2010-0298 CVE-2010-0306 CVE-2010-0309 CVE-2010-0419
> > 
> > Several local vulnerabilities have been discovered in kvm, a full
> > virtualization system. The Common Vulnerabilities and Exposures project
> > identifies the following problems:
> > 
> > CVE-2010-0298 & CVE-2010-0306
> > 
> >     Gleb Natapov discovered issues in the KVM subsystem where missing
> >     permission checks (CPL/IOPL) permit a user in a guest system to
> >     denial of service a guest (system crash) or gain escalated
> >     privileges with the guest.
> > 
> > CVE-2010-0309
> > 
> >     Marcelo Tosatti fixed an issue in the PIT emulation code in the
> >     KVM subsystem that allows privileged users in a guest domain to
> >     cause a denial of service (crash) of the host system.
> > 
> > CVE-2010-0419
> > 
> >     Paolo Bonzini found a bug in KVM that can be used to bypass proper
> >     permission checking while loading segment selectors. This
> >     potentially allows privileged guest users to execute privileged
> >     instructions on the host system.
> > 
> > For the stable distribution (lenny), this problem has been fixed in
> > version 72+dfsg-5~lenny5.
> > 
> > For the testing distribution (squeeze), and the unstable distribution (sid),
> > these problems will be addressed within the linux-2.6 package.
> > 
> > We recommend that you upgrade your kvm package.
> > 
> > Upgrade instructions
> > --------------------
> > 
> > wget url
> >         will fetch the file for you
> > dpkg -i file.deb
> >         will install the referenced file.
> > 
> > If you are using the apt-get package manager, use the line for
> > sources.list as given below:
> > 
> > apt-get update
> >         will update the internal database
> > apt-get upgrade
> >         will install corrected packages
> > 
> > You may use an automated update by adding the resources from the
> > footer to the proper configuration.
> 
> It's not clear to me from the instructions above whether users should
> re-build their kvm modules package as well as installing the revised
> versions.
> 
> Is the vulnerability fully-resolved by simply upgrading the kvm package?
> (i really don't know, and figure y'all are the right folks to ask). 

If you've never built/installed modules from the kvm-source package,
this advisory does not apply to you. If you have - you will need to
update your kernel-source package and rebuild/reload those modules.

> I note that there are kvm modules shipped with the default stable
> kernel.

Yes, these issues are being tracked there as well (3/4 are already
fixed in the latest stable update)

> If more steps are needed, maybe we need additional DSA boilerplate for
> these kinds of announcements in the future.

Yes, that's probably a good idea.

> Thanks for all the work you do to keep debian in good shape.  it's very
> much appreciated!
> 
> 	--dkg
> 



-- 
dann frazier

