group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #29721
[Bug 1789551] Re: qemu: CVE-2018-15746: seccomp: blacklist is not applied to all threads
** Changed in: qemu (Debian)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1789551
Title:
qemu: CVE-2018-15746: seccomp: blacklist is not applied to all threads
Status in qemu package in Ubuntu:
Fix Released
Status in qemu source package in Trusty:
Won't Fix
Status in qemu source package in Xenial:
Won't Fix
Status in qemu source package in Bionic:
Fix Released
Status in qemu source package in Cosmic:
Fix Released
Status in qemu package in Debian:
Fix Released
Bug description:
[Impact]
* Backport upstream CVE fix (applies as-is)
* This will ensure that the seccomp rules apply to all threads.
Without that the security benefit that seccomp provides can be avoided
by an attacker.
[Test Case]
* Run qemu on Bionic, and enable the seccomp feature (not yet default on
in Bionic, but in Cosmic). In qemu this is called "sandbox"
$ qemu-system-x86_64 -sandbox on -nographic & pid=$!; sleep 2s;
echo PID $pid; for task in /proc/$pid/task/*; do cat $task/status | grep Secc; done; kill -9 $pid
That will report something like
PID 23230
Seccomp: 2
Seccomp: 0
And the two lines should match.
[Regression Potential]
* discussion of how regressions are most likely to manifest as a
result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* This was discussed for other releases e.g. Xenial, but back then the
approach to seccomp was different and regression risk would be too
high.
----
The Qemu changes are public, so nothing to hide here IMHO, but leaving
that to the security team.
Copy from the related Debian bug that I commented on:
"
The following vulnerability was published for qemu.
CVE-2018-15746[0]:
seccomp: blacklist is not applied to all threads
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-15746
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15746
[1] https://lists.gnu.org/archive/html/qemu-devel/2018-08/msg04892.html
[2] https://lists.gnu.org/archive/html/qemu-devel/2018-08/msg02289.html
"
In addition I think that:
- it is available (built in since all still supported releases)
- it is default enabled with qemu 2.11 (Bionic)
- with libvirt >4.3 (Cosmic) more of the filters are set
That in my bad security severity guessing capability makes it
- Medium prio <Bionic
- High prio >=Bionic
OTOH, when checking the upstream reproducer with a qemu 2.11 I see nothing being used - so maybe all of it is a red herring (checked on Bionic):
$ for pid in $(pidof qemu-system-x86_64); do echo PID $pid; for task in /proc/$pid/task/*; do cat $task/status | grep Secc; done; done
PID 10817
Seccomp: 0
Seccomp: 0
Seccomp: 0
Seccomp: 0
PID 10657
Seccomp: 0
Seccomp: 0
Seccomp: 0
Seccomp: 0
Seccomp: 0
Seccomp: 0
PID 438
Seccomp: 0
Seccomp: 0
Seccomp: 0
Seccomp: 0
Seccomp: 0
Seccomp: 0
Seccomp: 0
Seccomp: 0
Seccomp: 0
Seccomp: 0
Seccomp: 0
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1789551/+subscriptions
