qemu: CVE-2017-15038: 9p: virtfs: information disclosure when reading extended attributes

Related Vulnerabilities: CVE-2017-15038   CVE-2017-13673   CVE-2017-14167   CVE-2017-13672   CVE-2017-13711  

Debian Bug report logs - #877890


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 6 Oct 2017 18:36:02 UTC

Severity: important

Tags: patch, security, upstream

Found in versions qemu/1:2.1+dfsg-11, qemu/1:2.10.0+dfsg-1

Fixed in version qemu/1:2.10.0+dfsg-2

Done: Michael Tokarev <mjt@tls.msk.ru>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#877890; Package src:qemu. (Fri, 06 Oct 2017 18:36:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Fri, 06 Oct 2017 18:36:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: qemu: CVE-2017-15038: 9p: virtfs: information disclosure when reading extended attributes
Date: Fri, 06 Oct 2017 20:34:00 +0200
Source: qemu
Version: 1:2.10.0+dfsg-1
Severity: important
Tags: patch security upstream

Hi,

the following vulnerability was published for qemu.

CVE-2017-15038[0]:
|Qemu: 9p: virtfs: information disclosure when reading extended
|attributes

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-15038
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15038
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1499110
[2] https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg00729.html
[3] http://www.openwall.com/lists/oss-security/2017/10/06/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions qemu/1:2.1+dfsg-11. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 06 Oct 2017 18:42:04 GMT)


Reply sent to Michael Tokarev <mjt@tls.msk.ru>:
You have taken responsibility. (Sun, 08 Oct 2017 10:24:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 08 Oct 2017 10:24:12 GMT)


Message #12 received at 877890-close@bugs.debian.org:

From: Michael Tokarev <mjt@tls.msk.ru>
To: 877890-close@bugs.debian.org
Subject: Bug#877890: fixed in qemu 1:2.10.0+dfsg-2
Date: Sun, 08 Oct 2017 10:20:12 +0000
Source: qemu
Source-Version: 1:2.10.0+dfsg-2

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 877890@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 08 Oct 2017 12:51:09 +0300
Source: qemu
Binary: qemu qemu-system qemu-block-extra qemu-system-common qemu-system-misc qemu-system-arm qemu-system-mips qemu-system-ppc qemu-system-sparc qemu-system-x86 qemu-user qemu-user-static qemu-user-binfmt qemu-utils qemu-guest-agent qemu-kvm
Architecture: source
Version: 1:2.10.0+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Description:
 qemu       - fast processor emulator
 qemu-block-extra - extra block backend modules for qemu-system and qemu-utils
 qemu-guest-agent - Guest-side qemu-system agent
 qemu-kvm   - QEMU Full virtualization on x86 hardware
 qemu-system - QEMU full system emulation binaries
 qemu-system-arm - QEMU full system emulation binaries (arm)
 qemu-system-common - QEMU full system emulation binaries (common files)
 qemu-system-mips - QEMU full system emulation binaries (mips)
 qemu-system-misc - QEMU full system emulation binaries (miscellaneous)
 qemu-system-ppc - QEMU full system emulation binaries (ppc)
 qemu-system-sparc - QEMU full system emulation binaries (sparc)
 qemu-system-x86 - QEMU full system emulation binaries (x86)
 qemu-user  - QEMU user mode emulation binaries
 qemu-user-binfmt - QEMU user mode binfmt registration for qemu-user
 qemu-user-static - QEMU user mode emulation binaries (static version)
 qemu-utils - QEMU utilities
Closes: 870025 875711 877160 877890
Changes:
 qemu (1:2.10.0+dfsg-2) unstable; urgency=medium
 .
   * update to upstream 2.10.1 point release
     Closes: #877160
     Closes: CVE-2017-13673
   * remove 3 patches included upstream:
     multiboot-validate-multiboot-header-address-values-CVE-2017-14167.patch
     vga-stop-passing-pointers-to-vga_draw_line-functions-CVE-2017-13672.patch
     slirp-fix-clearing-ifq_so-from-pending-packets-CVE-2017-13711.patch
   * 9pfs-use-g_malloc0-to-allocate-space-for-xattr-CVE-2017-15038.patch
     Closes: #877890, CVE-2017-15038
   * remove-trailing-whitespace-from-qemu-options.hx.patch
     Closes: #875711
   * drop dh_makeshlibs call (was for libcacard)
   * drop linux-libc-dev build-dependency (it gets pulled by libc-dev)
   * switch from sdl1 to sdl2 (Closes: #870025)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 10 Nov 2017 07:32:51 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:15:00 2019; Machine Name: buxtehude
