Bug 828851 – VUL-1: CVE-2013-2231: qemu: security issue in windows specific part

Bug 828851 - (CVE-2013-2231) VUL-1: CVE-2013-2231: qemu: security issue in windows specific part

(CVE-2013-2231)
Summary:	VUL-1: CVE-2013-2231: qemu: security issue in windows specific part

Status:	RESOLVED INVALID

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Normal
Target Milestone:	---
Assigned To:	Kirk Allan
QA Contact:	Security Team bot

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2013-07-10 11:52 UTC by Marcus Meissner
Modified:	2021-08-11 08:57 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2013-07-10 11:52:17 UTC

EMBARGOED. via linux-distros,

CRD Monday, 2013-07-22, 12:00 UTC.


Hello, vendors.

Lev Veyde of Red Hat found a security issue [1] in Windows specific part
of qemu guest agent. See attachment for upstream acked patch.

  [1] http://cwe.mitre.org/data/definitions/428.html

The issue is private, upstream was informed. The embargo lift date is
Monday, 2013-07-22, 12:00 UTC.

Best regards,
-- 
Petr Matousek / Red Hat Security Response Team

Comment 3 Marcus Meissner 2013-07-10 11:57:22 UTC

Should we actually care about this bug at all?

Comment 4 Andreas Färber 2013-07-10 13:57:27 UTC

I am not aware that we build and ship a Windows version of qemu-ga - if at all, the VMDP product would be affected. Reassigning to Kirk.

But still it's nice to be aware of the CVE for our upstream v1.6/SLE12 work. :)

Comment 5 Marcus Meissner 2013-07-10 14:14:08 UTC

(Please note the Embargo! Keep this all inside SUSE until the CRD.)

Comment 6 Kirk Allan 2013-07-10 15:03:37 UTC

Forgive my ignorance, but can you explain what qga is, where it is, what is it for, etc.  Does it run inside a windows vm or on the host?

Comment 7 Andreas Färber 2013-07-10 15:26:50 UTC

Kirk, qga is short for qemu-ga, which is built as part of QEMU.

The guest agent runs in the VM and communicates with the host via virtio-serial - for openSUSE guests we package it in a separate qemu-guest-agent package, for SLES guests as part of the kvm package IIRC. It serves for communication between hypervisor and guest through a series of QMP (JSON) commands.
http://wiki.qemu.org/Features/QAPI/GuestAgent

Marcus, I did see the embargo.

Comment 8 Kirk Allan 2013-07-10 15:54:47 UTC

We do not include qemu-ga.exe nor virtio-serial in VMDP so I don't think these patches apply to VMDP.

Comment 9 Bruce Rogers 2013-07-10 21:31:29 UTC

We do not ship a windows guest agent.

Comment 10 Swamp Workflow Management 2013-07-10 22:00:27 UTC

bugbot adjusting priority

Comment 11 Marcus Meissner 2013-07-11 06:23:55 UTC

so we are not affected? then we could resolve/invalid this bug

Comment 12 Bruce Rogers 2013-07-11 16:52:11 UTC

Resolving as invalid.