LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

The Android Dev Phone 1

LWN.net Weekly Edition for December 25, 2008

The Grumpy Editor's 2008 retrospective

The 2008 Linux and free software timeline

LWN.net Weekly Edition for December 18, 2008

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Debian alert DSA-1657-1 (qemu)



From:
    	      Steve Kemp <skx@debian.org>


To:
    	      bugtraq@securityfocus.com


Subject:
    	      [SECURITY] [DSA 1657-1] New qemu packages fix denial of service


Date:
    	      Mon, 20 Oct 2008 21:29:57 +0100


Message-ID:
    	      <20081020202957.GA22225@steve.org.uk>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1657-1                  security@debian.org
http://www.debian.org/security/                               Steve Kemp
October 20, 2008                      http://www.debian.org/security/faq
- ------------------------------------------------------------------------


Package        : qemu
Vulnerability  : insecure temporary files
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2008-4553
Debian Bug     : 496394

Dmitry E. Oboukhov discovered that the qemu-make-debian-root script in qemu,
fast processor emulator, creates temporary files insecurely, which may lead
to a local denial of service through symlink attacks.

For the stable distribution (etch), this problem has been fixed in
version 0.8.2-4etch2.

For the testing (lenny) and unstable distribution (sid), this problem has
been fixed in version 0.9.1-6.

We recommend that you upgrade your qemu package.


Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/q/qemu/qemu_...
    Size/MD5 checksum:     1130 fd503742c9e3e64be60f8ff265f05edc
  http://security.debian.org/pool/updates/main/q/qemu/qemu_...
    Size/MD5 checksum:  1501979 312eebc1386cca2e9b30a40763ab9c0d
  http://security.debian.org/pool/updates/main/q/qemu/qemu_...
    Size/MD5 checksum:    65528 6b47c99fa9e0e99e4af47d5417bc497b

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/q/qemu/qemu_...
    Size/MD5 checksum:  3697974 1e88b4385a82864d386fe57608c8617a

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/q/qemu/qemu_...
    Size/MD5 checksum:  3676128 cd73888cc1915af94792085994b946e3

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/q/qemu/qemu_...
    Size/MD5 checksum:  3578592 86133e0b1804cc53f78f8eb71779a337


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFI/OoqwM/Gs81MDZ0RAi1KAJ9u7MPZCS56SYaALfmEYuN6GP7/eACeLmqE
81SKUu5vlFvKQDlu8IwoLE0=
=Szbv
-----END PGP SIGNATURE-----
(Log in to post comments)

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds