QEMU regression (USN-3047-2)

Bug #1615063 reported by Dmitry Goloshubov
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mirantis OpenStack
Fix Released
Ivan Suzdal
Anton Chevychalov
Anton Chevychalov
Fix Released
Ivan Suzdal

Bug Description

USN-3047-2: QEMU regression
Ubuntu Security Notice USN-3047-2
12th August, 2016

qemu, qemu-kvm regression

A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

- Summary:
USN-3047-1 introduced a regression in QEMU.

- Software description:
qemu - Machine emulator and virtualizer
qemu-kvm - Machine emulator and virtualizer

- Details:
USN-3047-1 fixed vulnerabilities in QEMU. The patch to fix CVE-2016-5403
caused a regression which resulted in save/restore failures when virtio
memory balloon statistics are enabled. This update temporarily reverts the
security fix for CVE-2016-5403 pending further investigation. We apologize
for the inconvenience.

Original advisory details:

- Update instructions:
The problem can be corrected by updating your system

- References
LP: 1612089, https://launchpad.net/bugs/1612089

CVE References

Revision history for this message
Denis Meltsaykin (dmeltsaykin) wrote :

MOS Linux team, could you please check whether our qemu is affected by the issue?

tags: added: area-linux
Revision history for this message
Dmitry Teselkin (teselkin-d) wrote :
Anna Babich (ababich)
tags: added: on-verification
Revision history for this message
Anna Babich (ababich) wrote :

Verified on MOS 9.1 (snapshot #209).
Steps to verify:
1) Find qemu package's source against compute node:
root@node-5:~# apt show qemu-kvm | grep 'APT-Sources'
APT-Sources: http://mirror.seed-cz1.fuel-infra.org/mos-repos/ubuntu/snapshots/9.0-2016-09-01-164323/ mos9.0-proposed/main amd64 Packages
2) Go via displayed link and get source of qemu package:
wget http://mirror.seed-cz1.fuel-infra.org/mos-repos/ubuntu/snapshots/9.0-2016-09-01-164323/pool/main/q/qemu/qemu_2.3+dfsg-5~u14.04+mos3.debian.tar.gz
3) Open patches proposed here https://review.fuel-infra.org/#/c/25536/ and check that they exist in folder debian/patches of qemu package

tags: removed: on-verification
Revision history for this message
Sergii Turivnyi (sturivnyi) wrote :

dgoloshubov, Could you please specify steps to reproduce?

Revision history for this message
Anton Chevychalov (achevychalov) wrote :

We are using upstream (Ubuntu 14.04 Trusty) qemu packages in MOS7 and MOS8. All patches was applied by upstream.

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Related fix proposed to packages/trusty/qemu (9.0)

Related fix proposed to branch: 9.0
Change author: Dmitry Teselkin <email address hidden>
Review: https://review.fuel-infra.org/27800

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Related fix merged to packages/trusty/qemu (9.0)

Reviewed: https://review.fuel-infra.org/27800
Submitter: Pkgs Jenkins <email address hidden>
Branch: 9.0

Commit: d7e106a46b3b2771fb90b3c55dd650fc02a8c613
Author: Dmitry Teselkin <email address hidden>
Date: Wed Oct 26 08:49:10 2016

Merge with 'feature/nfv'

* Checkout from 110d4f1c5e7fedaa17973cbe0aa2bed5ae8c0673

* Cherry-pick from 5a1ecc38811fea0bde6c3c84bdd6f0b7260864b9)
  CVE security fix(es) for QEMU ver 2.3 (has been fixed since QEMU ver 2.6)

  Related-Bug: #1584662

* Cherry-pick from 07bf2cb1edb049271b5150d7c4f9b37e89c02ee0
  QEMU security update

  All patches listed in [0] except CVE-2016-5403
  were applied.

  [0] http://www.ubuntu.com/usn/usn-3047-2/

  Related-Bug: #1615063

Change-Id: I27aca76840b1c81b21ee0f76a50cdae4200b3407

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.