Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

qemu: CVE-2016-9101: net: eepro100 memory leakage at device unplug

Related Vulnerabilities: CVE-2016-9101  

Source

Debian Bug report logs - #842455
qemu: CVE-2016-9101: net: eepro100 memory leakage at device unplug

version graph

Package: qemu; Maintainer for qemu is Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>; Source for qemu is src:qemu (PTS, buildd, popcon).

Reported by: Guido Günther <agx@sigxcpu.org>

Date: Sat, 29 Oct 2016 11:51:02 UTC

Severity: important

Tags: security, upstream

Found in versions qemu/1.1.2+dfsg-6+deb7u17, qemu/1.1.2+dfsg-6a, qemu/1:2.1+dfsg-12+deb8u6, qemu/1:2.6+dfsg-3.1

Fixed in version qemu/1:2.8+dfsg-1

Done: Michael Tokarev <mjt@tls.msk.ru>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#842455; Package qemu. (Sat, 29 Oct 2016 11:51:04 GMT) (full text, mbox, link).

Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
New Bug report received and forwarded. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Sat, 29 Oct 2016 11:51:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>
To: submit@bugs.debian.org
Subject: net: eepro100 memory leakage at device unplug
Date: Sat, 29 Oct 2016 13:47:08 +0200
Package: qemu
Version: 1:2.6+dfsg-3.1
Severity: important
Tags: security

See

  https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg03024.html

There's no CVE assigned yet. Sine eepro is parctically unused it
probably doesn't not warant a DSA.
Cheers,
 -- Guido

Marked as found in versions qemu/1.1.2+dfsg-6+deb7u17. Request was from Guido Günther <agx@sigxcpu.org> to control@bugs.debian.org. (Sat, 29 Oct 2016 12:51:06 GMT) (full text, mbox, link).

Marked as found in versions qemu/1:2.1+dfsg-12+deb8u6. Request was from Guido Günther <agx@sigxcpu.org> to control@bugs.debian.org. (Sat, 29 Oct 2016 12:51:08 GMT) (full text, mbox, link).

Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 29 Oct 2016 13:54:07 GMT) (full text, mbox, link).

Marked as found in versions qemu/1.1.2+dfsg-6a. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 29 Oct 2016 13:54:12 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#842455; Package qemu. (Mon, 31 Oct 2016 06:00:02 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Mon, 31 Oct 2016 06:00:02 GMT) (full text, mbox, link).

Message #18 received at 842455@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Guido G??nther <agx@sigxcpu.org>, 842455@bugs.debian.org
Subject: Re: Bug#842455: net: eepro100 memory leakage at device unplug
Date: Mon, 31 Oct 2016 06:57:07 +0100
Control: retitle -1 qemu: CVE-2016-9101: net: eepro100 memory leakage at device unplug

Hi,

On Sat, Oct 29, 2016 at 01:47:08PM +0200, Guido G??nther wrote:
> Package: qemu
> Version: 1:2.6+dfsg-3.1
> Severity: important
> Tags: security
> 
> See
> 
>   https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg03024.html
> 
> There's no CVE assigned yet. Sine eepro is parctically unused it
> probably doesn't not warant a DSA.

CVE-2016-9101 has been assigned for this issue.

Regards,
Salvatore

Changed Bug title to 'qemu: CVE-2016-9101: net: eepro100 memory leakage at device unplug' from 'net: eepro100 memory leakage at device unplug'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 842455-submit@bugs.debian.org. (Mon, 31 Oct 2016 06:00:02 GMT) (full text, mbox, link).

Reply sent to Michael Tokarev <mjt@tls.msk.ru>:
You have taken responsibility. (Sun, 22 Jan 2017 12:30:03 GMT) (full text, mbox, link).

Notification sent to Guido Günther <agx@sigxcpu.org>:
Bug acknowledged by developer. (Sun, 22 Jan 2017 12:30:03 GMT) (full text, mbox, link).

Message #25 received at 842455-done@bugs.debian.org (full text, mbox, reply):

From: Michael Tokarev <mjt@tls.msk.ru>
To: 842455-done@bugs.debian.org
Subject: Fixed by 2.8
Date: Sun, 22 Jan 2017 15:27:31 +0300
Version: 2.8+dfsg-1

This has been fixed upstream by commit
2634ab7fe29b3f75d0865b719caf8f310d634aae:

From: Li Qiang <liqiang6-s@360.cn>
Date: Sat, 8 Oct 2016 05:07:25 -0700
Subject: net: eepro100: fix memory leak in device uninit

The exit dispatch of eepro100 network card device doesn't free
the 's->vmstate' field which was allocated in device realize thus
leading a host memory leak. This patch avoid this.

Thanks,

/mjt

No longer marked as fixed in versions 2.8+dfsg-1. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sun, 02 Jul 2017 22:39:40 GMT) (full text, mbox, link).

Marked as fixed in versions qemu/1:2.8+dfsg-1. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sun, 02 Jul 2017 22:39:41 GMT) (full text, mbox, link).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 05 Jun 2019 08:09:27 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:04:09 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started