
group.of.nepali.translators team mailing list archive

[Bug 1789551] Re: qemu: CVE-2018-15746: seccomp: blacklist is not applied to all threads

 

Hi Seth,
thanks for your thoughts!

Splitting my answers per Release:

== Cosmic ==

For cosmic it needs no FFe IMHO, for already having the Blacklist variant and using it for quite a while. We only extend it to the threads that were missing - in that scope it is only a bug fix.
- There the fix is ready and now also tested in various combinations

stage0-prep-cosmic-CVE-seccomp-run1-x86_64.status           : Pass    4 Failed    0 Skip    0 + 0    - RC 0    in 12 minutes
stage1-migrate-cosmic-CVE-seccomp-run1-x86_64.status        : Pass  276 Failed    0 Skip    0 + 0    - RC 0    in 62 minutes
stage2-cross-cosmic-CVE-seccomp-run1-x86_64.status          : Pass   22 Failed    0 Skip    0 + 1    - RC 0    in 28 minutes
stage3-misc-cosmic-CVE-seccomp-run1-x86_64.status           : Pass  103 Failed    0 Skip    0 + 0    - RC 0    in 29 minutes

stage0-prep-cosmic-CVE-seccomp-run1-s390x.status            : Pass    3 Failed    0 Skip    0 + 0    - RC 0    in 44 minutes
stage1-migrate-cosmic-CVE-seccomp-run1-s390x.status         : Pass  249 Failed    2 Skip    5 + 0    - RC 2    in 531 minutes
stage2-cross-cosmic-CVE-seccomp-run1-s390x.status           : Pass   12 Failed    0 Skip    0 + 0    - RC 0    in 178 minutes
stage3-misc-cosmic-CVE-seccomp-run1-s390x.status            : Pass   67 Failed    0 Skip    0 + 0    - RC 0    in 95 minutes

stage0-prep-cosmic-CVE-seccomp-run1-ppc64le.status          : Pass    2 Failed    0 Skip    0 + 0    - RC 0    in 47 minutes
stage1-migrate-cosmic-CVE-seccomp-run1-ppc64le.status       : Pass  276 Failed    0 Skip    0 + 0    - RC 0    in 101 minutes
stage2-cross-cosmic-CVE-seccomp-run1-ppc64le.status         : Pass    4 Failed    0 Skip    0 + 0    - RC 0    in 8 minutes
stage3-misc-cosmic-CVE-seccomp-run1-ppc64le.status          : Pass   48 Failed    0 Skip    1 + 0    - RC 0    in 20 minutes

The only two fails we see have existed before.
Given all that looks good and we were using it already I'll push that for Cosmic.


== Bionic == 
Bionic is different as I outlined and you also emphasized further.

First of all I'd NOT want to turn on blacklist filtering by default at
all there.

But OTOH being not used by default means the only few that use it are
those that want to rely on its function. So they would most likely want
the fix to be in?

Bionic at least using the blacklist approach already makes this safer than in older releases.
So for Bionic I'd agree to the "prep something and cajole people that are using it already for testing of their cases".
I'll make a PPA ready for that.

The fact that not all kernels log seccomp denials is what makes me feel
unsure. That would really be hard to debug.

Whether we want to go further than this PPA and actually push something into Bionic depends on
a) positive test feedback
b) feedback at all that the feature is used
c) your security severity estimation if that is needed is high enough

If not a+b+c then I'd keep Bionic untouched.
Would you be able to "cajole the people" once I have a PPA to try?


== Xenial/Trusty ==
Still using the whitelist approach plus risk due to the obvious backport noise and older kernels behaving differently makes this too much of a risk IMHO.
So I'd rate these Won't Fix unless your severity estimation implies it is needed.
Again there the feature won't be used by default, and being rather new at the time it might not be used anywhere.
I'll update the bug task status - please feel free to override if your rating forces us to deliver something there.

** Changed in: qemu (Ubuntu Trusty)
       Status: New => Won't Fix

** Changed in: qemu (Ubuntu Xenial)
       Status: New => Won't Fix

** Changed in: qemu (Ubuntu Bionic)
     Assignee:  Christian Ehrhardt  (paelzer) => Ubuntu Security Team (ubuntu-security)

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1789551

Title:
  qemu: CVE-2018-15746: seccomp: blacklist is not applied to all threads

Status in qemu package in Ubuntu:
  In Progress
Status in qemu source package in Trusty:
  Won't Fix
Status in qemu source package in Xenial:
  Won't Fix
Status in qemu source package in Bionic:
  Triaged
Status in qemu source package in Cosmic:
  In Progress
Status in qemu package in Debian:
  Confirmed

Bug description:
  The Qemu changes are public, so nothing to hide here IMHO, but leaving
  that to the security team.

  Copy from the related Debian bug that I commented on:
  "
  The following vulnerability was published for qemu.

  CVE-2018-15746[0]:
  seccomp: blacklist is not applied to all threads

  If you fix the vulnerability please also make sure to include the
  CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

  For further information see:

  [0] https://security-tracker.debian.org/tracker/CVE-2018-15746
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15746
  [1] https://lists.gnu.org/archive/html/qemu-devel/2018-08/msg04892.html
  [2] https://lists.gnu.org/archive/html/qemu-devel/2018-08/msg02289.html
  "

  In addition I think that:
  - it is available (built in since all still supported releases)
  - it is default enabled with qemu 2.11 (Bionic)
  - with libvirt >4.3 (Cosmic) more of the filters are set

  That in my bad security severity guessing capability makes it
  - Medium prio <Bionic
  - High prio >=Bionic

  OTOH, when checking the upstream reproducer with a qemu 2.11 I see nothing being used - so maybe all of it is a red herring (checked on Bionic):
  $ for pid in $(pidof qemu-system-x86_64); do echo PID $pid; for task in /proc/$pid/task/*; do cat $task/status | grep Secc; done; done
  PID 10817
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
  PID 10657
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
  PID 438
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1789551/+subscriptions
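
Added example (not part of the original bug report and not QEMU or Ubuntu code): a per-thread check that extends the /proc one-liner in the bug description by classifying each process as having no seccomp on any thread (what the reporter saw on Bionic), seccomp on every thread, or seccomp on only some threads, which is the condition the bug title describes. The function names and the optional PROC_ROOT argument are assumptions of this example.

```shell
#!/bin/sh
# Seccomp field in /proc/<pid>/task/<tid>/status, per proc(5):
#   0 = disabled, 1 = strict mode, 2 = filter mode

# seccomp_coverage PID [PROC_ROOT] -> prints none | all | partial | unknown
# PROC_ROOT (default /proc) is a hypothetical override so the check can be
# pointed at a constructed directory tree.
seccomp_coverage() {
    filtered=0
    unfiltered=0
    for status in "${2:-/proc}/$1"/task/*/status; do
        [ -r "$status" ] || continue   # thread exited, or no such PID
        mode=$(awk '$1 == "Seccomp:" { print $2; exit }' "$status")
        case $mode in
            0)   unfiltered=$((unfiltered + 1)) ;;
            1|2) filtered=$((filtered + 1)) ;;
            *)   ;;                    # field absent: kernel built without seccomp
        esac
    done
    if [ "$filtered" -eq 0 ] && [ "$unfiltered" -eq 0 ]; then
        echo unknown
    elif [ "$unfiltered" -eq 0 ]; then
        echo all
    elif [ "$filtered" -eq 0 ]; then
        echo none
    else
        echo partial                   # filter present on some threads only
    fi
}

# unfiltered_tids PID [PROC_ROOT] -> prints the thread ids with Seccomp: 0
unfiltered_tids() {
    for status in "${2:-/proc}/$1"/task/*/status; do
        [ -r "$status" ] || continue
        if [ "$(awk '$1 == "Seccomp:" { print $2; exit }' "$status")" = 0 ]; then
            basename "$(dirname "$status")"
        fi
    done
}

# Stand-alone use: pass PIDs as arguments, e.g. the output of pidof.
if [ "$#" -gt 0 ]; then
    for pid in "$@"; do
        echo "PID $pid: $(seccomp_coverage "$pid")"
        for tid in $(unfiltered_tids "$pid"); do echo "  unfiltered TID $tid"; done
    done
fi
```

Run it as `sh check.sh $(pidof qemu-system-x86_64)`; a result of `partial` on a guest started with the sandbox enabled means the fix is not in effect for that process.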