Re: [SECURITY] [DSA-2010-1] New kvm packages fix several vulnerabilities
On Wed, Mar 10, 2010 at 02:18:38PM -0500, Daniel Kahn Gillmor wrote:
> Hi Debian Security folks--
>
> On 03/10/2010 01:18 PM, dann frazier wrote:
> > ------------------------------------------------------------------------
> > Debian Security Advisory DSA-2010 security@debian.org
> > http://www.debian.org/security/ Dann Frazier
> > March 10, 2010 http://www.debian.org/security/faq
> > ------------------------------------------------------------------------
> >
> > Package : kvm
> > Vulnerability : privilege escalation/denial of service
> > Problem type : local
> > Debian-specific: no
> > CVE Id(s) : CVE-2010-0298 CVE-2010-0306 CVE-2010-0309 CVE-2010-0419
> >
> > Several local vulnerabilities have been discovered in kvm, a full
> > virtualization system. The Common Vulnerabilities and Exposures project
> > identifies the following problems:
> >
> > CVE-2010-0298 & CVE-2010-0306
> >
> > Gleb Natapov discovered issues in the KVM subsystem where missing
> > permission checks (CPL/IOPL) permit a user in a guest system to
> > denial of service a guest (system crash) or gain escalated
> > privileges with the guest.
> >
> > CVE-2010-0309
> >
> > Marcelo Tosatti fixed an issue in the PIT emulation code in the
> > KVM subsystem that allows privileged users in a guest domain to
> > cause a denial of service (crash) of the host system.
> >
> > CVE-2010-0419
> >
> > Paolo Bonzini found a bug in KVM that can be used to bypass proper
> > permission checking while loading segment selectors. This
> > potentially allows privileged guest users to execute privileged
> > instructions on the host system.
> >
> > For the stable distribution (lenny), this problem has been fixed in
> > version 72+dfsg-5~lenny5.
> >
> > For the testing distribution (squeeze), and the unstable distribution (sid),
> > these problems will be addressed within the linux-2.6 package.
> >
> > We recommend that you upgrade your kvm package.
> >
> > Upgrade instructions
> > --------------------
> >
> > wget url
> > will fetch the file for you
> > dpkg -i file.deb
> > will install the referenced file.
> >
> > If you are using the apt-get package manager, use the line for
> > sources.list as given below:
> >
> > apt-get update
> > will update the internal database
> > apt-get upgrade
> > will install corrected packages
> >
> > You may use an automated update by adding the resources from the
> > footer to the proper configuration.
>
> It's not clear to me from the instructions above whether users should
> re-build their kvm modules package as well as installing the revised
> versions.
>
> Is the vulnerability fully-resolved by simply upgrading the kvm package?
> (I really don't know, and figure y'all are the right folks to ask).

If you've never built/installed modules from the kvm-source package,
this advisory does not apply to you. If you have - you will need to
update your kernel-source package and rebuild/reload those modules.

> I note that there are kvm modules shipped with the default stable
> kernel.

Yes, these issues are being tracked there as well (3/4 are already
fixed in the latest stable update).

> If more steps are needed, maybe we need additional DSA boilerplate for
> these kind of announcements in the future.

Yes, that's probably a good idea.

> Thanks for all the work you do to keep Debian in good shape. It's very
> much appreciated!
>
> --dkg
>
--
dann frazier