group.of.nepali.translators team mailing list archive

[Bug 1789551] Re: qemu: CVE-2018-15746: seccomp: blacklist is not applied to all threads


This bug was fixed in the package qemu - 1:2.11+dfsg-1ubuntu7.6

---------------
qemu (1:2.11+dfsg-1ubuntu7.6) bionic; urgency=medium

  [ Christian Ehrhardt ]
  * Add cpu model for z14 ZR1 (LP: #1780773)
  * d/p/ubuntu/lp-1789551-seccomp-set-the-seccomp-filter-to-all-threads.patch:
    ensure that the seccomp blacklist is applied to all threads (LP: #1789551)
    - CVE-2018-15746
  * improve s390x spectre mitigation with etoken facility (LP: #1790457)
    - debian/patches/ubuntu/lp-1790457-s390x-kvm-add-etoken-facility.patch
    - debian/patches/ubuntu/lp-1790457-partial-s390x-linux-headers-update.patch

  [ Phillip Susi ]
  * d/p/ubuntu/lp-1787267-fix-en_us-vnc-pipe.patch: Fix pipe, greater than and
    less than keys over vnc when using en_us kemaps (LP: #1787267).

 -- Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>  Wed, 29 Aug 2018 11:46:37 +0200

** Changed in: qemu (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1789551

Title:
  qemu: CVE-2018-15746: seccomp: blacklist is not applied to all threads

Status in qemu package in Ubuntu:
  Fix Released
Status in qemu source package in Trusty:
  Won't Fix
Status in qemu source package in Xenial:
  Won't Fix
Status in qemu source package in Bionic:
  Fix Released
Status in qemu source package in Cosmic:
  Fix Released
Status in qemu package in Debian:
  Confirmed

Bug description:
  [Impact]

   * Backport upstream CVE fix (applies as-is)

   * This will ensure that the seccomp rules apply to all threads.
     Without that the security benefit that seccomp provides can be avoided 
     by an attacker.

  [Test Case]

   * Run qemu on Bionic, and enable the seccomp feature (not yet default on 
     in Bionic, but in Cosmic). In qemu this is called "sandbox"

     $ qemu-system-x86_64 -sandbox on -nographic & pid=$!; sleep 2s;
       echo PID $pid; for task in /proc/$pid/task/*; do cat $task/status | grep Secc; done; kill -9 $pid

      That will report something like
      PID 23230
      Seccomp: 2
      Seccomp: 0

      And the two lines should match.

  [Regression Potential]

   * discussion of how regressions are most likely to manifest as a
     result of this change.

   * It is assumed that any SRU candidate patch is well-tested before
     upload and has a low overall risk of regression, but it's important
     to make the effort to think about what ''could'' happen in the
     event of a regression.

   * This both shows the SRU team that the risks have been considered,
     and provides guidance to testers in regression-testing the SRU.

  [Other Info]
   
   * This was discussed for other releases e.g. Xenial, but back then the 
     approach to seccomp was different and regression risk would be too 
     high.

  ----

  The Qemu changes are public, so nothing to hide here IMHO, but leaving
  that to the security team.

  Copy from the related Debian bug that I commented on:
  "
  The following vulnerability was published for qemu.

  CVE-2018-15746[0]:
  seccomp: blacklist is not applied to all threads

  If you fix the vulnerability please also make sure to include the
  CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

  For further information see:

  [0] https://security-tracker.debian.org/tracker/CVE-2018-15746
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15746
  [1] https://lists.gnu.org/archive/html/qemu-devel/2018-08/msg04892.html
  [2] https://lists.gnu.org/archive/html/qemu-devel/2018-08/msg02289.html
  "

  In addition I think that:
  - it is available (built in since all still supported releases)
  - it is default enabled with qemu 2.11 (Bionic)
  - with libvirt >4.3 (Cosmic) more of the filters are set

  That in my bad security severity guessing capability makes it
  - Medium prio <Bionic
  - High prio >=Bionic

  OTOH, when checking the upstream reproducer with a qemu 2.11 I see nothing being used - so maybe all of it is a red herring (checked on Bionic):
  $ for pid in $(pidof qemu-system-x86_64); do echo PID $pid; for task in /proc/$pid/task/*; do cat $task/status | grep Secc; done; done
  PID 10817
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
  PID 10657
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
  PID 438
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
  Seccomp:        0
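The per-thread check from the [Test Case] section and the reproducer loop above, written out as a reusable script. This is an added example, not part of the bug report or of the qemu package: it assumes the Linux /proc layout described in proc(5), where each thread of a process has a status file at /proc/<pid>/task/<tid>/status carrying a "Seccomp:" line (0 = disabled, 1 = strict, 2 = filter), and it takes the /proc root as a parameter so the same functions can be exercised against a constructed directory tree. A process whose leader thread reports mode 2 while another thread reports 0 is exactly the state the CVE describes; a process where every thread reports 0 simply has the sandbox turned off, which the script treats as consistent but not as enforced.

```shell
#!/bin/sh
# Added example (not from the bug report or the qemu package): check that
# every thread of a process reports the same Seccomp mode as the thread
# group leader. Thread status files live at $PROC_ROOT/$PID/task/<tid>/status,
# where PROC_ROOT is normally /proc; it is a parameter here so the functions
# can also be run against a constructed directory tree.

# Print "<tid> <mode>" for every thread of PID. Mode values follow proc(5):
# 0 = disabled, 1 = strict, 2 = filter (what "-sandbox on" installs).
seccomp_thread_modes() {
    proc_root=$1
    pid=$2
    for task in "$proc_root/$pid"/task/*; do
        [ -r "$task/status" ] || continue
        mode=$(awk '/^Seccomp:/ { print $2 }' "$task/status")
        printf '%s %s\n' "${task##*/}" "${mode:-unknown}"
    done
}

# Return 0 when all threads match the leader's mode, 1 when at least one
# thread differs (the CVE-2018-15746 symptom: the filter is present on the
# thread that installed it and absent on the others), 2 when PID has no
# readable leader status file. Mismatching threads are listed on stderr.
check_seccomp_coverage() {
    proc_root=$1
    pid=$2
    leader="$proc_root/$pid/task/$pid/status"
    [ -r "$leader" ] || return 2
    leader_mode=$(awk '/^Seccomp:/ { print $2 }' "$leader")
    [ -n "$leader_mode" ] || return 2
    mismatches=$(seccomp_thread_modes "$proc_root" "$pid" |
        awk -v want="$leader_mode" '$2 != want')
    if [ -n "$mismatches" ]; then
        printf 'PID %s: threads whose Seccomp mode differs from leader mode %s:\n%s\n' \
            "$pid" "$leader_mode" "$mismatches" >&2
        return 1
    fi
    return 0
}

# Usage: sh check-seccomp.sh <pid>...   e.g. sh check-seccomp.sh $(pidof qemu-system-x86_64)
# With no arguments only the functions are defined, so the file can be sourced.
status=0
for p in "$@"; do
    if check_seccomp_coverage /proc "$p"; then
        printf 'PID %s: all threads share one Seccomp mode\n' "$p"
    else
        status=1
    fi
done
[ $# -eq 0 ] || exit "$status"
```

A non-zero exit for any listed PID is the signal to look at: after the fix in 1:2.11+dfsg-1ubuntu7.6 a `-sandbox on` guest should show mode 2 on every thread, so the script returns 0 and prints one summary line per PID.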
