Bug 628246 - app-emulation/qemu: drop the "vde" USE flag and dependency
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo QEMU Project
Reported: 2017-08-19 00:06 UTC by Michael Orlitzky
Modified: 2017-09-20 23:52 UTC
0 users

Attachments
vde.init-r1 (728 bytes, text/plain), 2017-08-19 12:46 UTC, Michael Orlitzky
vde.confd-r1 (258 bytes, text/plain), 2017-08-19 12:47 UTC, Michael Orlitzky

Description Michael Orlitzky gentoo-dev 2017-08-19 00:06:01 UTC
I've just masked net-misc/vde because it has an open security bug, and no one to fix it:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2ac0708d552db304ffeb6c217694420a4a8bb13

Can you please drop your "vde" USE flag and dependency on vde? Eventually it will be necessary to remove the package. Thanks!
Comment 1 Denis Lisov 2017-08-19 12:00:04 UTC
I'm a Gentoo user and I use qemu with net-misc/vde. What should I do to ensure they are still available?
Comment 2 Michael Orlitzky gentoo-dev 2017-08-19 12:40:11 UTC
(In reply to Denis Lisov from comment #1)
> I'm a Gentoo user and I use qemu with net-misc/vde. What should I do to
> ensure they are still available?

There's an open security bug that needs to be addressed, but unfortunately the bug is private because the issue is not fixed yet. The short version is: anyone in the qemu group can gain root on your machine via the vde init script. I've actually already posted a fixed init script, but there's no one to review/test it.

The net-misc package has a proxy-maintainer, but so far I haven't been able to get in touch with him. Maybe he can review the changes and get that bug fixed; otherwise, we would need a new maintainer.

Is VDE still necessary for anything? I don't personally use it myself, but jmbsvicetto (also listed in metadata.xml) suggested that it might be obsolete these days, which is why I went ahead and masked it.
Comment 3 Michael Orlitzky gentoo-dev 2017-08-19 12:46:21 UTC
Created attachment 489672
vde.init-r1
Comment 4 Michael Orlitzky gentoo-dev 2017-08-19 12:47:11 UTC
Created attachment 489674
vde.confd-r1

This isn't really an appropriate place for them, but whatever. Here are my proposed init script and conf.d files.
Comment 5 Mark Hoover 2017-08-25 02:37:39 UTC
(In reply to Michael Orlitzky from comment #2)
> (In reply to Denis Lisov from comment #1)
> > I'm a Gentoo user and I use qemu with net-misc/vde. What should I do to
> > ensure they are still available?
> 
> Is VDE still necessary for anything? I don't personally use it myself, but
> jmbsvicetto (also listed in metadata.xml) suggested that it might be
> obsolete these days, which is why I went ahead and masked it.

Michael... I'm not sure if it's strictly "needed", however, I also have a home-based qemu/kvm setup based around it. It would be nice to keep the functionality around, especially if all we're talking about is an init script issue which apparently has a known fix.

I ran into this issue updating my machines tonight. Didn't catch it on the first one. Thankful that I didn't blindly restart the VM. Fortunately, I caught it before running it through on my major machine.
Comment 6 Matthias Maier gentoo-dev 2017-09-01 01:13:40 UTC
I would like to keep the vde use flag in place for a little while, if you don't mind.

It seems there are a couple of users.
Comment 7 Michael Orlitzky gentoo-dev 2017-09-20 23:52:05 UTC
NP-Hardass got the fixed init script working, so we can forget about this.