Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 628246

Summary: app-emulation/qemu: drop the "vde" USE flag and dependency
Product: Gentoo Linux Reporter: Michael Orlitzky <mjo>
Component: Current packagesAssignee: Gentoo QEMU Project <qemu+disabled>
Status: RESOLVED OBSOLETE    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: vde.init-r1
vde.confd-r1

Description Michael Orlitzky gentoo-dev 2017-08-19 00:06:01 UTC 
I've just masked net-misc/vde because it has an open security bug, and no one to fix it:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2ac0708d552db304ffeb6c217694420a4a8bb13

Can you please drop your "vde" USE flag and dependency on vde? Eventually it will be necessary to remove the package. Thanks!
Comment 1 Denis Lisov 2017-08-19 12:00:04 UTC 
I'm a Gentoo user and I use qemu with net-misc/vde. What should I do to ensure they are still available?
Comment 2 Michael Orlitzky gentoo-dev 2017-08-19 12:40:11 UTC 
(In reply to Denis Lisov from comment #1)
> I'm a Gentoo user and I use qemu with net-misc/vde. What should I do to
> ensure they are still available?

There's an open security bug that needs addressed, but unfortunately the bug is private because the issue is not fixed yet. The short version is: anyone in the qemu group can gain root on your machine via the vde init script. I've actually already posted a fixed init script, but there's no one to review/test it.

The net-misc package has a proxy-maintainer, but so far I haven't been able to get in touch with him. Maybe he can review the changes and get that bug fixed; otherwise, we would need a new maintainer.

Is VDE still necessary for anything? I don't personally use it myself, but jmbsvicetto (also listed in metadata.xml) suggested that it might be obsolete these days, which is why I went ahead and masked it.
Comment 3 Michael Orlitzky gentoo-dev 2017-08-19 12:46:21 UTC 
Created attachment 489672 [details]
vde.init-r1
Comment 4 Michael Orlitzky gentoo-dev 2017-08-19 12:47:11 UTC 
Created attachment 489674 [details]
vde.confd-r1

This isn't really an appropriate place for them, but whatever. Here are my proposed init script and conf.d files.
Comment 5 Mark Hoover 2017-08-25 02:37:39 UTC 
(In reply to Michael Orlitzky from comment #2)
> (In reply to Denis Lisov from comment #1)
> > I'm a Gentoo user and I use qemu with net-misc/vde. What should I do to
> > ensure they are still available?
> 
> Is VDE still necessary for anything? I don't personally use it myself, but
> jmbsvicetto (also listed in metadata.xml) suggested that it might be
> obsolete these days, which is why I went ahead and masked it.

Michael....I'm not sure if it's strictly "needed", however, I also have a home based qemu/kvm setup based around it.  It would be nice to keep the functionality around especially if all we're talking is an init script issue which apparently has a known fix.

I ran into this issue updating my machines tonight.  Didn't catch it on the first one.  Thankful that I didn't blindly restart the VM.  Fortunately, I caught it before running it through on my major machine.
Comment 6 Matthias Maier gentoo-dev 2017-09-01 01:13:40 UTC 
I would like to keep the vde use flag in place for a little while, if you don't mind.

It seems there are a couple of users.
Comment 7 Michael Orlitzky gentoo-dev 2017-09-20 23:52:05 UTC 
NP-Hardass got the fixed init script working, so we can forget about this.