Bugzilla – Bug 828851
VUL-1: CVE-2013-2231: qemu: security issue in windows specific part
Last modified: 2021-08-11 08:57:47 UTC
EMBARGOED. via linux-distros,
CRD Monday, 2013-07-22, 12:00 UTC.
Lev Veyde of Red Hat found a security issue  in Windows specific part
of qemu guest agent. See attachment for upstream acked patch.
The issue is private, upstream was informed. The embargo lift date is
Monday, 2013-07-22, 12:00 UTC.
Petr Matousek / Red Hat Security Response Team
Should we actually care about this bug at all?
I am not aware that we build and ship a Windows version of qemu-ga - if at all, the VMDP product would be affected. Reassigning to Kirk.
But still it's nice to be aware of the CVE for our upstream v1.6/SLE12 work. :)
(Please note the Embargo! Keep this all inside SUSE until the CRD.)
Forgive my ignorance, but can you explain what qga is, where it is, what is it for, etc. Does it run inside a windows vm or on the host?
Kirk, qga is short for qemu-ga, which is built as part of QEMU.
The guest agent runs in the VM and communicates with the host via virtio-serial - for openSUSE guests we package it in a separate qemu-guest-agent package, for SLES guests as part of the kvm package IIRC. It serves for communication between hypervisor and guest through a series of QMP (JSON) commands.
Marcus, I did see the embargo.
We do not include qemu-ga.exe nor virtio-serial in VMDP so I don't think these patches apply to VMDP.
We do not ship a windows guest agent.
bugbot adjusting priority
so we are not affected? then we could resolve/invalid this bug
Resolving as invalid.