Bug 828851 - (CVE-2013-2231) VUL-1: CVE-2013-2231: qemu: security issue in windows specific part
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
: P4 - Low : Normal
Assigned To: Kirk Allan
Security Team bot
Reported: 2013-07-10 11:52 UTC by Marcus Meissner
Modified: 2021-08-11 08:57 UTC (History)
Description Marcus Meissner 2013-07-10 11:52:17 UTC
EMBARGOED. via linux-distros,

CRD Monday, 2013-07-22, 12:00 UTC.

Hello, vendors.

Lev Veyde of Red Hat found a security issue [1] in Windows specific part
of qemu guest agent. See attachment for upstream acked patch.

  [1] http://cwe.mitre.org/data/definitions/428.html

The issue is private, upstream was informed. The embargo lift date is
Monday, 2013-07-22, 12:00 UTC.

Best regards,
Petr Matousek / Red Hat Security Response Team
Comment 3 Marcus Meissner 2013-07-10 11:57:22 UTC
Should we actually care about this bug at all?
Comment 4 Andreas Färber 2013-07-10 13:57:27 UTC
I am not aware that we build and ship a Windows version of qemu-ga - if at all, the VMDP product would be affected. Reassigning to Kirk.

But still it's nice to be aware of the CVE for our upstream v1.6/SLE12 work. :)
Comment 5 Marcus Meissner 2013-07-10 14:14:08 UTC
(Please note the Embargo! Keep this all inside SUSE until the CRD.)
Comment 6 Kirk Allan 2013-07-10 15:03:37 UTC
Forgive my ignorance, but can you explain what qga is, where it is, what it is for, etc.? Does it run inside a Windows VM or on the host?
Comment 7 Andreas Färber 2013-07-10 15:26:50 UTC
Kirk, qga is short for qemu-ga, which is built as part of QEMU.

The guest agent runs in the VM and communicates with the host via virtio-serial - for openSUSE guests we package it in a separate qemu-guest-agent package, for SLES guests as part of the kvm package IIRC. It serves for communication between hypervisor and guest through a series of QMP (JSON) commands.

Marcus, I did see the embargo.
Comment 8 Kirk Allan 2013-07-10 15:54:47 UTC
We do not include qemu-ga.exe nor virtio-serial in VMDP so I don't think these patches apply to VMDP.
Comment 9 Bruce Rogers 2013-07-10 21:31:29 UTC
We do not ship a Windows guest agent.
Comment 10 Swamp Workflow Management 2013-07-10 22:00:27 UTC
bugbot adjusting priority
Comment 11 Marcus Meissner 2013-07-11 06:23:55 UTC
So we are not affected? Then we could resolve/invalid this bug.
Comment 12 Bruce Rogers 2013-07-11 16:52:11 UTC
Resolving as invalid.