[Git][security-tracker-team/security-tracker][master] Demote CVE-2018-20124/qemu to unimportant

Salvatore Bonaccorso carnil at debian.org
Sat Feb 16 14:06:01 GMT 2019


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b2e0d89a by Salvatore Bonaccorso at 2019-02-16T14:00:43Z
Demote CVE-2018-20124/qemu to unimportant

The state for PVRDMA and RDMA is quite confusing, but for this
particular issue hw/rdma/rdma_backend.c is built when pvrdma support is
enabled.

In 1:3.1+dfsg-4 --enable-rdma was left, while disabling --enable-pvrdma,
making the issue only affect the source but no longer the built
packages.

--enable-rdma is about RDMA migration and outside the guest; it is what qemu
does when communicating with another qemu during migration. (The option might
actually have been called something more like --enable-rdma-migration
instead.)

--enable-pvrdma: pvrdma is a specialized guest-visible device (the same
interface as vmware implements) to give rdma capabilities to the guest.

Both are not related to each other, but pvrdma can't function without rdma
libs on the host.

Thanks: Michael Tokarev

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -14928,13 +14928,14 @@ CVE-2018-20125 (hw/rdma/vmw/pvrdma_cmd.c in QEMU allows attackers to cause a den
 	NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=2c858ce5da8ae6689c75182b73bc455a291cad41
 	NOTE: PVRDMA support not enabled in the binary packages until 1:3.1+dfsg-3, disabled again in 1:3.1+dfsg-4
 CVE-2018-20124 (hw/rdma/rdma_backend.c in QEMU allows guest OS users to trigger ...)
-	- qemu <unfixed> (bug #922461)
+	- qemu <unfixed> (bug #922461; unimportant)
 	[stretch] - qemu <not-affected> (Vulnerable code not present)
 	[jessie] - qemu <not-affected> (Vulnerable code not present)
 	- qemu-kvm <removed>
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02822.html
 	NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=0e68373cc2b3a063ce067bc0cc3edaf370752890
-	NOTE: RDMA support not enabled in the binary packages until 1:3.1+dfsg-3
+	NOTE: PVRDMA support not enabled in the binary packages until 1:3.1+dfsg-3, disabled again in 1:3.1+dfsg-4
+	NOTE: The issue is in PVRDMA support, cf. https://bugs.debian.org/922461#18
 CVE-2018-20123 (pvrdma_realize in hw/rdma/vmw/pvrdma_main.c in QEMU has a Memory leak ...)
 	- qemu <unfixed> (unimportant; bug #916442)
 	[stretch] - qemu <not-affected> (Vulnerable code not present)
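Review bot: the severity tag placement on the new `- qemu <unfixed> (bug #922461; unimportant)` line is inconsistent with the neighbouring CVE-2018-20123 entry, which writes `(unimportant; bug #916442)` with the severity first; consider the same order here so the list reads uniformly. Also note that the replacement NOTE line is now a verbatim copy of the PVRDMA NOTE under CVE-2018-20125, which is correct given the bug-#922461 comment cited on the following NOTE, but reviewers should confirm that the 1:3.1+dfsg-4 build really drops `--enable-pvrdma` while keeping `--enable-rdma`, since that distinction is the whole basis for the demotion.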



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b2e0d89aea1a61457e911c42ba530606a4b19389
