qemu: CVE-2017-14167: i386: multiboot OOB access while loading guest kernel image

Debian Bug report logs - #874606

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 7 Sep 2017 20:45:01 UTC

Severity: important

Tags: security, upstream

Found in version qemu/1:2.8+dfsg-6

Fixed in versions qemu/1:2.10.0+dfsg-1, qemu/1:2.8+dfsg-6+deb9u3

Done: Michael Tokarev <mjt@tls.msk.ru>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#874606; Package src:qemu. (Thu, 07 Sep 2017 20:45:03 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Thu, 07 Sep 2017 20:45:03 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: qemu: CVE-2017-14167: i386: multiboot OOB access while loading guest kernel image
Date: Thu, 07 Sep 2017 22:40:19 +0200
Source: qemu
Version: 1:2.8+dfsg-6
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for qemu.

CVE-2017-14167[0]:
i386: multiboot OOB access while loading guest kernel image

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14167
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14167
[1] https://lists.nongnu.org/archive/html/qemu-devel/2017-09/msg01483.html
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1489375

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Added tag(s) pending. Request was from <mjt@tls.msk.ru> to control@bugs.debian.org. (Sat, 23 Sep 2017 13:42:03 GMT).


Reply sent to Michael Tokarev <mjt@tls.msk.ru>:
You have taken responsibility. (Sat, 23 Sep 2017 16:30:17 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 23 Sep 2017 16:30:17 GMT).


Message #12 received at 874606-close@bugs.debian.org:

From: Michael Tokarev <mjt@tls.msk.ru>
To: 874606-close@bugs.debian.org
Subject: Bug#874606: fixed in qemu 1:2.10.0+dfsg-1
Date: Sat, 23 Sep 2017 16:28:09 +0000
Source: qemu
Source-Version: 1:2.10.0+dfsg-1

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 874606@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 23 Sep 2017 18:35:29 +0300
Source: qemu
Binary: qemu qemu-system qemu-block-extra qemu-system-common qemu-system-misc qemu-system-arm qemu-system-mips qemu-system-ppc qemu-system-sparc qemu-system-x86 qemu-user qemu-user-static qemu-user-binfmt qemu-utils qemu-guest-agent qemu-kvm
Architecture: source
Version: 1:2.10.0+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Description:
 qemu       - fast processor emulator
 qemu-block-extra - extra block backend modules for qemu-system and qemu-utils
 qemu-guest-agent - Guest-side qemu-system agent
 qemu-kvm   - QEMU Full virtualization on x86 hardware
 qemu-system - QEMU full system emulation binaries
 qemu-system-arm - QEMU full system emulation binaries (arm)
 qemu-system-common - QEMU full system emulation binaries (common files)
 qemu-system-mips - QEMU full system emulation binaries (mips)
 qemu-system-misc - QEMU full system emulation binaries (miscellaneous)
 qemu-system-ppc - QEMU full system emulation binaries (ppc)
 qemu-system-sparc - QEMU full system emulation binaries (sparc)
 qemu-system-x86 - QEMU full system emulation binaries (x86)
 qemu-user  - QEMU user mode emulation binaries
 qemu-user-binfmt - QEMU user mode binfmt registration for qemu-user
 qemu-user-static - QEMU user mode emulation binaries (static version)
 qemu-utils - QEMU utilities
Closes: 873851 873875 874606
Changes:
 qemu (1:2.10.0+dfsg-1) unstable; urgency=medium
 .
   * remove blobs, to DFSG'ify it again (there's still
     no source for some blobs included in upstream tarball)
     There's no way to revert to 2-number version due to prev. upload
   * update from upstream git (no changes but include date & commit-id):
     multiboot-validate-multiboot-header-address-values-CVE-2017-14167.patch
   * update previous changelog entry (fix bug/closes refs):
     Closes: #873851, CVE-2017-13672
     Closes: #874606, CVE-2017-14167
     Closes: #873875, CVE-2017-13711

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----




Reply sent to Michael Tokarev <mjt@tls.msk.ru>:
You have taken responsibility. (Sat, 07 Oct 2017 11:51:28 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 07 Oct 2017 11:51:29 GMT).


Message #17 received at 874606-close@bugs.debian.org:

From: Michael Tokarev <mjt@tls.msk.ru>
To: 874606-close@bugs.debian.org
Subject: Bug#874606: fixed in qemu 1:2.8+dfsg-6+deb9u3
Date: Sat, 07 Oct 2017 11:47:42 +0000
Source: qemu
Source-Version: 1:2.8+dfsg-6+deb9u3

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 874606@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 02 Oct 2017 16:11:47 +0300
Source: qemu
Binary: qemu qemu-system qemu-block-extra qemu-system-common qemu-system-misc qemu-system-arm qemu-system-mips qemu-system-ppc qemu-system-sparc qemu-system-x86 qemu-user qemu-user-static qemu-user-binfmt qemu-utils qemu-guest-agent qemu-kvm
Architecture: source
Version: 1:2.8+dfsg-6+deb9u3
Distribution: stretch-security
Urgency: high
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Description:
 qemu       - fast processor emulator
 qemu-block-extra - extra block backend modules for qemu-system and qemu-utils
 qemu-guest-agent - Guest-side qemu-system agent
 qemu-kvm   - QEMU Full virtualization on x86 hardware
 qemu-system - QEMU full system emulation binaries
 qemu-system-arm - QEMU full system emulation binaries (arm)
 qemu-system-common - QEMU full system emulation binaries (common files)
 qemu-system-mips - QEMU full system emulation binaries (mips)
 qemu-system-misc - QEMU full system emulation binaries (miscellaneous)
 qemu-system-ppc - QEMU full system emulation binaries (ppc)
 qemu-system-sparc - QEMU full system emulation binaries (sparc)
 qemu-system-x86 - QEMU full system emulation binaries (x86)
 qemu-user  - QEMU user mode emulation binaries
 qemu-user-binfmt - QEMU user mode binfmt registration for qemu-user
 qemu-user-static - QEMU user mode emulation binaries (static version)
 qemu-utils - QEMU utilities
Closes: 864219 869945 871648 871702 872257 873849 873851 873875 874606
Changes:
 qemu (1:2.8+dfsg-6+deb9u3) stretch-security; urgency=high
 .
   * xhci-dont-kick-in-xhci_submit-and-xhci_fire_ctl_transfer.patch
     This is a pre-required patch for the next patch to work right.
     Closes: #869945
   * xhci-guard-xhci_kick_epctx-against-recursive-calls-CVE-2017-9375.patch
     After applying previous patch, this one can be applied again
     Closes: #864219, CVE-2017-9375
   * ide-do-not-flush-empty-CDROM-drives-CVE-2017-12809.patch
     Closes: #873849, CVE-2017-12809
   * vga-stop-passing-pointers-to-vga_draw_line-functions-CVE-2017-13672.patch
     Closes: #873851, CVE-2017-13672
   * multiboot-validate-multiboot-header-address-values-CVE-2017-14167.patch
     Closes: #874606, CVE-2017-14167
   * slirp-fix-clearing-ifq_so-from-pending-packets-CVE-2017-13711.patch
     Closes: #873875, CVE-2017-13711
   * exec-add-lock-parameter-to-qemu_ram_ptr_length.patch
     upstream patch fixing memory leak after
     exec-use-qemu_ram_ptr_length-to-access-guest-ram-CVE-2017-11334.patch
     Closes: #871648, #871702, #872257

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 10 Nov 2017 07:25:16 GMT).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:13:05 2019; Machine Name: buxtehude
