CVE-2019-8934
Published: 21 March 2019
hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest.
Notes
| Author | Note |
|---|---|
| mdeslaur | see debian bug for information on this change that may break existing functionnality. This fix will break ppc migration. we will not be fixing this issue in stable releases, marking as ignored |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
qemu Launchpad, Ubuntu, Debian |
bionic |
Ignored
|
| cosmic |
Ignored
(end of life)
|
|
| disco |
Ignored
(end of life)
|
|
| eoan |
Not vulnerable
(4.0+dfsg-0ubuntu9)
|
|
| focal |
Not vulnerable
(4.0+dfsg-0ubuntu9)
|
|
| trusty |
Ignored
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
|
|
|
Patches: upstream: https://git.qemu.org/?p=qemu.git;a=commit;h=27461d69a0f108dea756419251acc3ea65198f1b |
||
|
qemu-kvm Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 3.3 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |