Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2017-10911

Source

Debian Bug report logs - #869706
qemu: CVE-2017-10911

Package: src:qemu; Maintainer for src:qemu is Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 25 Jul 2017 19:48:02 UTC

Severity: serious

Tags: security, upstream

Found in version qemu/1:2.8+dfsg-6

Fixed in versions qemu/1:2.8+dfsg-7, qemu/1:2.8+dfsg-6+deb9u1, 1:2.8+dfsg-6+deb9u1

Done: Michael Tokarev <mjt@tls.msk.ru>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#869706; Package src:qemu. (Tue, 25 Jul 2017 19:48:04 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Tue, 25 Jul 2017 19:48:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Source: qemu
Version: 1:2.8+dfsg-6
Severity: important
Tags: security upstream
Control: fixed -1 1:2.8+dfsg-6+deb9u1

Hi,

the following vulnerability was published for qemu.

CVE-2017-10911[0]:
| The make_response function in drivers/block/xen-blkback/blkback.c in
| the Linux kernel before 4.11.8 allows guest OS users to obtain
| sensitive information from host OS (or other guest OS) kernel memory by
| leveraging the copying of uninitialized padding fields in Xen
| block-interface response structures, aka XSA-216.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-10911
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10911

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Marked as fixed in versions qemu/1:2.8+dfsg-6+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 25 Jul 2017 19:48:04 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#869706; Package src:qemu. (Thu, 27 Jul 2017 09:45:22 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Thu, 27 Jul 2017 09:45:22 GMT) (full text, mbox, link).

Message #12 received at 869706@bugs.debian.org (full text, mbox, reply):

severity 863840 serious
severity 863943 serious
severity 864216 serious
severity 864219 serious
severity 864568 serious
severity 866674 serious
severity 865755 serious
severity 869706 serious
thanks

Hi Michael,

I'm raising the severity to RC for those bugs which were addressed in
stable but not yet in unstable, since that means a regression in
security fixes. I know it's just pro-forma, since at some point a
newer update of qemu will include those and likely to be fixed in time
for buster :)

Regards,
Salvatore

Severity set to 'serious' from 'important' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 27 Jul 2017 09:45:28 GMT) (full text, mbox, link).

Marked as fixed in versions qemu/1:2.8+dfsg-7. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 05 Aug 2017 14:00:08 GMT) (full text, mbox, link).

Reply sent to Michael Tokarev <mjt@tls.msk.ru>:
You have taken responsibility. (Sun, 24 Sep 2017 10:33:04 GMT) (full text, mbox, link).

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 24 Sep 2017 10:33:04 GMT) (full text, mbox, link).

Message #21 received at 869706-done@bugs.debian.org (full text, mbox, reply):

Version: 1:2.8+dfsg-6+deb9u1

Somehow this bug hasn't been closed.  Do it now.

/mjt

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 Nov 2017 07:25:26 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:43:26 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

qemu: CVE-2017-10911

Debian Bug report logs - #869706
qemu: CVE-2017-10911

Vulmon Search

About

Products

Connect

qemu: CVE-2017-10911

Debian Bug report logs - #869706 qemu: CVE-2017-10911

Vulmon Search

About

Products

Connect

Debian Bug report logs - #869706
qemu: CVE-2017-10911