664740 – (CVE-2018-15746) <app-emulation/qemu-3.1.0: seccomp: blacklist is not applied to all threads

Bug 664740 (CVE-2018-15746) - <app-emulation/qemu-3.1.0: seccomp: blacklist is not applied to all threads

Summary: <app-emulation/qemu-3.1.0: seccomp: blacklist is not applied to all threads

Status:	RESOLVED FIXED

Alias:	CVE-2018-15746

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	http://www.openwall.com/lists/oss-sec...
Whiteboard:	B3 [noglsa cve]
Keywords:

Depends on:	CVE-2018-20123
Blocks:
	Show dependency tree

Reported:	2018-08-28 12:15 UTC by Agostino Sarubbo
Modified:	2019-03-27 04:11 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2018-08-28 12:15:23 UTC

From ${URL} :

An issue was found in the way QEMU implements Seccomp sandboxing. In that, all 
QEMU threads are not bound by the sandbox. A guest user/process maybe be able 
to use this flaw to crash a guest resulting in DoS.

Upstream patch:
---------------
   -> https://lists.gnu.org/archive/html/qemu-devel/2018-08/msg04892.html

Reference:
----------
   -> https://lists.gnu.org/archive/html/qemu-devel/2018-08/msg02289.html

'CVE-2018-15746' assigned via -> https://cveform.mitre.org/


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Larry the Git Cow gentoo-dev

2018-12-19 21:47:09 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=40e4d2a3c32609b313962224ee9d2a96075734b8

commit 40e4d2a3c32609b313962224ee9d2a96075734b8
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2018-12-19 21:11:21 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2018-12-19 21:46:41 +0000

    app-emulation/qemu: version bump to 3.1.0
    
     - use RESTRICT=strip, bug #651422
    
     - switch to tar.xz, bug #666726
    
     - add missing use constraints, bug #664474
    
       qemu_softmmu_targets_riscv32? ( fdt )
       qemu_softmmu_targets_riscv64? ( fdt )
    
     - 3.1.0 already contains patches for CVE-2018-15746
    
     - applied patch for CVE-2018-20123
    
     - disable bt subsystem entirely as a "workaround" for CVE-2018-19665.
    
       Upstream deprecated the subsystem in November and states that it had
       been dysfunctional for years with likely no users.
    
    Bug: https://bugs.gentoo.org/664740
    Bug: https://bugs.gentoo.org/672346
    Bug: https://bugs.gentoo.org/673108
    Closes: https://bugs.gentoo.org/651422
    Closes: https://bugs.gentoo.org/664474
    Closes: https://bugs.gentoo.org/666726
    Package-Manager: Portage-2.3.52, Repoman-2.3.12
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-emulation/qemu/Manifest                        |   1 +
 .../qemu/files/qemu-3.1.0-CVE-2018-20123.patch     |  35 +
 app-emulation/qemu/files/qemu-binfmt.initd.head    |   2 +-
 app-emulation/qemu/qemu-2.12.0-r3.ebuild           |   2 +-
 app-emulation/qemu/qemu-2.12.1.ebuild              |   2 +-
 app-emulation/qemu/qemu-3.1.0.ebuild               | 821 +++++++++++++++++++++
 6 files changed, 860 insertions(+), 3 deletions(-)

Comment 2 Yury German Gentoo Infrastructure

2019-03-27 04:11:56 UTC

GLSA Vote: No
Arches and Maintainer(s), Thank you for your work.