[Secure-testing-team] Bug#792003: vm86 should be disabled: unmaintained, obsolete, and probably insecure
Ben Hutchings
ben at decadent.org.uk
Fri Jul 10 01:07:22 UTC 2015
Package: src:linux
Version: 4.0.7-1
Severity: important
Tags: security upstream
As discussed in <http://thread.gmane.org/gmane.linux.kernel/1991020>
and <http://thread.gmane.org/gmane.linux.kernel/1992842>, the Linux
kernel's 'vm86' support for real mode virtual machines on i386 is not
well maintained upstream. It is likely to have security flaws due to
its strange interaction with the kernel entry/exit paths.
There are now very few userland programs that depend on it. dosemu,
vbetool and some X drivers used to, but since wheezy (or earlier) they
use libx86 which has an automatic fallback to pure software emulation
even on i386.
Based on a quick review using codesearch, I believe the only remaining
run-time dependencies on vm86 in Debian are:
- Support for running DOS applications from wine - but it will use
DOSBox by preference
- Build-time tests of mbr - could be disabled
- Various versions of the lrmi library embedded in libucimf, zhcon,
atitvout and s3switch - libx86 should be a drop-in replacement for
this
Ben.
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 4.0.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
More information about the Secure-testing-team
mailing list