qemu: CVE-2018-11806: slirp: heap buffer overflow while reassembling fragmented datagrams

Debian Bug report logs - #901017
Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 8 Jun 2018 03:42:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions qemu/1:2.1+dfsg-11, qemu/1:2.12+dfsg-3

Fixed in versions qemu/1:3.1+dfsg-1, qemu/1:2.8+dfsg-6+deb9u6

Done: Michael Tokarev <mjt@tls.msk.ru>

Forwarded to https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#901017; Package src:qemu. (Fri, 08 Jun 2018 03:42:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Fri, 08 Jun 2018 03:42:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: qemu: CVE-2018-11806: slirp: heap buffer overflow while reassembling fragmented datagrams
Date: Fri, 08 Jun 2018 05:38:23 +0200
Source: qemu
Version: 1:2.12+dfsg-3
Severity: grave
Tags: patch security upstream
Forwarded: https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html

Hi,

The following vulnerability was published for qemu.

CVE-2018-11806[0]:
slirp: heap buffer overflow while reassembling fragmented datagrams

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-11806
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11806
[1] https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions qemu/1:2.1+dfsg-11. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 08 Jun 2018 03:45:03 GMT)


Reply sent to Michael Tokarev <mjt@tls.msk.ru>:
You have taken responsibility. (Wed, 12 Dec 2018 09:18:11 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 12 Dec 2018 09:18:12 GMT)


Message #12 received at 901017-close@bugs.debian.org:

From: Michael Tokarev <mjt@tls.msk.ru>
To: 901017-close@bugs.debian.org
Subject: Bug#901017: fixed in qemu 1:3.1+dfsg-1
Date: Wed, 12 Dec 2018 09:16:37 +0000
Source: qemu
Source-Version: 1:3.1+dfsg-1

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 901017@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 02 Dec 2018 19:10:27 +0300
Source: qemu
Binary: qemu qemu-system qemu-block-extra qemu-system-data qemu-system-common qemu-system-gui qemu-system-misc qemu-system-arm qemu-system-mips qemu-system-ppc qemu-system-sparc qemu-system-x86 qemu-user qemu-user-static qemu-user-binfmt qemu-utils qemu-guest-agent qemu-kvm
Architecture: source
Version: 1:3.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Description:
 qemu       - fast processor emulator, dummy package
 qemu-block-extra - extra block backend modules for qemu-system and qemu-utils
 qemu-guest-agent - Guest-side qemu-system agent
 qemu-kvm   - QEMU Full virtualization on x86 hardware
 qemu-system - QEMU full system emulation binaries
 qemu-system-arm - QEMU full system emulation binaries (arm)
 qemu-system-common - QEMU full system emulation binaries (common files)
 qemu-system-data - QEMU full system emulation (data files)
 qemu-system-gui - QEMU full system emulation binaries (user interface and audio sup
 qemu-system-mips - QEMU full system emulation binaries (mips)
 qemu-system-misc - QEMU full system emulation binaries (miscellaneous)
 qemu-system-ppc - QEMU full system emulation binaries (ppc)
 qemu-system-sparc - QEMU full system emulation binaries (sparc)
 qemu-system-x86 - QEMU full system emulation binaries (x86)
 qemu-user  - QEMU user mode emulation binaries
 qemu-user-binfmt - QEMU user mode binfmt registration for qemu-user
 qemu-user-static - QEMU user mode emulation binaries (static version)
 qemu-utils - QEMU utilities
Closes: 795486 813658 901017 902501 902725 907500 908682 910431 911468 911469 911470 911499 912535 914599 914604 914727 915884
Changes:
 qemu (1:3.1+dfsg-1) unstable; urgency=medium
 .
   * new upstream release (3.1)
   * Security bugs fixed by upstream:
     Closes: #910431, CVE-2018-10839:
      integer overflow leads to buffer overflow issue
     Closes: #911468, CVE-2018-17962
      pcnet: integer overflow leads to buffer overflow
     Closes: #911469, CVE-2018-17963
      net: ignore packets with large size
     Closes: #908682, CVE-2018-3639
      qemu should be able to pass the ssbd cpu flag
     Closes: #901017, CVE-2018-11806
      m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow
      via incoming fragmented datagrams
     Closes: #902725, CVE-2018-12617
      qmp_guest_file_read in qemu-ga has an integer overflow
     Closes: #907500, CVE-2018-15746
      qemu-seccomp might allow local OS guest users to cause a denial of service
     Closes: #915884, CVE-2018-16867
      dev-mtp: path traversal in usb_mtp_write_data of the MTP
     Closes: #911499, CVE-2018-17958
      Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c
      because an incorrect integer data type is used
     Closes: #911470, CVE-2018-18438
      integer overflows because IOReadHandler and its associated functions
      use a signed integer data type for a size value
     Closes: #912535, CVE-2018-18849
      lsi53c895a: OOB msg buffer access leads to DoS
     Closes: #914604, CVE-2018-18954
      pnv_lpc_do_eccb function in hw/ppc/pnv_lpc.c in Qemu before 3.1
      allows out-of-bounds write or read access to PowerNV memory
     Closes: #914599, CVE-2018-19364
      Use-after-free due to race condition while updating fid path
     Closes: #914727, CVE-2018-19489
      9pfs: crash due to race condition in renaming files
   * remove patches which were applied upstream
   * add new manpage qemu-cpu-models.7
   * qemu-system-ppcemb is gone, use qemu-system-ppc[64]
   * do-not-link-everything-with-xen.patch (trivial)
   * get-orig-source: handle 3.x and 4.x, and remove roms again, as
     upstream wants us to use separate source packages for that stuff
   * move generated data from qemu-system-data back to qemu-system-common
   * d/control: enable spice on arm64 (Closes: #902501)
     (probably should enable on all)
   * d/control: change git@salsa urls to https
   * add qemu-guest-agent.service (Closes: #795486)
   * enable opengl support and virglrenderer (Closes: #813658)
   * simplify d/rules just a little bit
   * build-depend on libudev-dev, for qga
Checksums-Sha1:
 a65a31436ea02a77c21bff8f7afa02ae05938a26 5967 qemu_3.1+dfsg-1.dsc
 b6a6c31d146b13e14af253d6dc25f16ccad7d060 8705368 qemu_3.1+dfsg.orig.tar.xz
 a07b0298ac2fe6be7ee5e9540fd6fc6d9c1b20ee 72160 qemu_3.1+dfsg-1.debian.tar.xz
 2233f07915fcbb0daa421fca2674a139941f832b 16084 qemu_3.1+dfsg-1_source.buildinfo
Checksums-Sha256:
 c1b9ec8e25ff07877505291d8c0ef235f7b81117a9a706bdf76deba857c09484 5967 qemu_3.1+dfsg-1.dsc
 2f277942759dd3eed21f7e00edfeab52b4f58d6f2f22d4f7e1a8aa4dc54c80d7 8705368 qemu_3.1+dfsg.orig.tar.xz
 62ccd57796c3a43d99aac37ffac4b24b7188216f719ff50b0e1ce84f058ccca5 72160 qemu_3.1+dfsg-1.debian.tar.xz
 4f53f5acac8637a3716dbd1ea4380d7c08a8c1d15a1de581095963b1e76b560b 16084 qemu_3.1+dfsg-1_source.buildinfo
Files:
 059657635379ae27ba846df240e16b54 5967 otherosfs optional qemu_3.1+dfsg-1.dsc
 b17f33786c89d547150490811a40f0b2 8705368 otherosfs optional qemu_3.1+dfsg.orig.tar.xz
 62ef7391f798ccbd2b4d5f7928033522 72160 otherosfs optional qemu_3.1+dfsg-1.debian.tar.xz
 13fd8a8bb95fc80a05de9f1cb33a50ce 16084 otherosfs optional qemu_3.1+dfsg-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQFDBAEBCAAtFiEEe3O61ovnosKJMUsicBtPaxppPlkFAlwQzGwPHG1qdEB0bHMu
bXNrLnJ1AAoJEHAbT2saaT5Z+zUH/1AG3gTlCfodSE7V0FW8268LUMpsJS7mpZ/p
4K8GUdAXtH6TWN1n4vfbUeCaO+dJYHT2g0dTFqwKhJoLElhcCFH8F2pcVQPJfPQQ
YLYQIR/5Mijs+cHIpbzc7KO4Jj2umLOe0GZtEnmbXvBNGRf9/KImb8nRzSitVJSX
qlRSLsr5tLVIgBxGJynPCWYLzwAnvv6chSNBT7e/1vBvo87B1l3gL7ibRdIF3CFJ
s4mYqyYQvIwlEgOE1UKswSunQjcbjZY2ATy0DAxZw5E0ec8etX3cl/tCH8Hq6aSZ
lpDOsBZu/rRukrF3Rt7GSSPCsoLXwWUYa9mRnEsTBWzcw0pJKmc=
=1I7Y
-----END PGP SIGNATURE-----
Reply sent to Michael Tokarev <mjt@tls.msk.ru>:
You have taken responsibility. (Mon, 03 Jun 2019 10:03:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 03 Jun 2019 10:03:03 GMT)


Message #17 received at 901017-close@bugs.debian.org:

From: Michael Tokarev <mjt@tls.msk.ru>
To: 901017-close@bugs.debian.org
Subject: Bug#901017: fixed in qemu 1:2.8+dfsg-6+deb9u6
Date: Mon, 03 Jun 2019 10:02:18 +0000
Source: qemu
Source-Version: 1:2.8+dfsg-6+deb9u6

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 901017@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 29 May 2019 14:39:09 +0300
Source: qemu
Binary: qemu qemu-system qemu-block-extra qemu-system-common qemu-system-misc qemu-system-arm qemu-system-mips qemu-system-ppc qemu-system-sparc qemu-system-x86 qemu-user qemu-user-static qemu-user-binfmt qemu-utils qemu-guest-agent qemu-kvm
Architecture: source
Version: 1:2.8+dfsg-6+deb9u6
Distribution: stretch-security
Urgency: medium
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Description:
 qemu       - fast processor emulator
 qemu-block-extra - extra block backend modules for qemu-system and qemu-utils
 qemu-guest-agent - Guest-side qemu-system agent
 qemu-kvm   - QEMU Full virtualization on x86 hardware
 qemu-system - QEMU full system emulation binaries
 qemu-system-arm - QEMU full system emulation binaries (arm)
 qemu-system-common - QEMU full system emulation binaries (common files)
 qemu-system-mips - QEMU full system emulation binaries (mips)
 qemu-system-misc - QEMU full system emulation binaries (miscellaneous)
 qemu-system-ppc - QEMU full system emulation binaries (ppc)
 qemu-system-sparc - QEMU full system emulation binaries (sparc)
 qemu-system-x86 - QEMU full system emulation binaries (x86)
 qemu-user  - QEMU user mode emulation binaries
 qemu-user-binfmt - QEMU user mode binfmt registration for qemu-user
 qemu-user-static - QEMU user mode emulation binaries (static version)
 qemu-utils - QEMU utilities
Closes: 901017 902725 911499 912535 914599 914604 914727 916397 921525 922635 929067 929353
Changes:
 qemu (1:2.8+dfsg-6+deb9u6) stretch-security; urgency=medium
 .
   [ Moritz Mühlenhoff <jmm@debian.org> ]
   * slirp-correct-size-computation-concatenating-mbuf-CVE-2018-11806.patch
     (Closes: #901017, CVE-2018-11806)
   * qga-check-bytes-count-read-by-guest-file-read-CVE-2018-12617.patch
     (Closes: #902725, CVE-2018-12617)
   * usb-mtp-use-O_NOFOLLOW-and-O_CLOEXEC-CVE-2018-16872.patch
     (Closes: #916397, CVE-2018-16872)
   * rtl8139-fix-possible-out-of-bound-access-CVE-2018-17958.patch
     (Closes: #911499, CVE-2018-17958)
   * lsi53c895a-check-message-length-value-is-valid-CVE-2018-18849.patch
     (Closes: #912535, CVE-2018-18849)
   * ppc-pnv-check-size-before-data-buffer-access-CVE-2018-18954.patch
     (Closes: #914604, CVE-2018-18954)
   * 9p-write-lock-path-in-v9fs-co_open2.patch
     9p-take-write-lock-on-fid-path-updates-CVE-2018-19364.patch
     (Closes: #914599, CVE-2018-19364)
   * 9p-fix-QEMU-crash-when-renaming-files-CVE-2018-19489.patch
     (Closes: #914727, CVE-2018-19489)
   * i2c-ddc-fix-oob-read-CVE-2019-3812.patch
     (Closes: #922635, CVE-2019-3812)
   * slirp-check-data-length-while-emulating-ident-function-CVE-2019-6778.patch
     (Closes: #921525, CVE-2019-6778)
   * slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch
     (Closes: CVE-2019-9824)
 .
   [ Michael Tokarev ]
   * enable-md-clear.patch
     define new CPUID for MDS
     (Closes: #929067)
     (Closes: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091)
   * qxl-check-release-info-object-CVE-2019-12155.patch
     fixes null-pointer deref in qxl cleanup code
     (Closes: #929353, CVE-2019-12155)
Checksums-Sha1:
 77f1affa75e189d4d4fd18afabecb85029f95ad2 5579 qemu_2.8+dfsg-6+deb9u6.dsc
 a95daacb4ec953c972e6f06fc20b8b2311e13c99 160688 qemu_2.8+dfsg-6+deb9u6.debian.tar.xz
 5ab201d41676fc348109796dab1b77e7ace9a6d6 10688 qemu_2.8+dfsg-6+deb9u6_source.buildinfo
Checksums-Sha256:
 3c478c5b3cf794795c042bfaab007c4c938850461bb675b7bd3935ac4f896857 5579 qemu_2.8+dfsg-6+deb9u6.dsc
 0bf185c3a72d400e82785a82ce91fd7128f87676e7ffa07eeec0c813deb54a19 160688 qemu_2.8+dfsg-6+deb9u6.debian.tar.xz
 faa2372a78580657b43f9f223af24feec00f4f5d7ab0fc9ab6a31bc070d007d5 10688 qemu_2.8+dfsg-6+deb9u6_source.buildinfo
Files:
 f13b237940ede0bf4c7945642471bcbc 5579 otherosfs optional qemu_2.8+dfsg-6+deb9u6.dsc
 6a4872d066b015bdf56e33abdb8de50d 160688 otherosfs optional qemu_2.8+dfsg-6+deb9u6.debian.tar.xz
 a9009de8c777f4dc0e21ba5e2486a0cd 10688 otherosfs optional qemu_2.8+dfsg-6+deb9u6_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQFDBAEBCAAtFiEEe3O61ovnosKJMUsicBtPaxppPlkFAlzudGgPHG1qdEB0bHMu
bXNrLnJ1AAoJEHAbT2saaT5Zt4AIAMZySkKhcHSGSv5vncIrNwXFB9kz8+cnpQnl
BSEclrxy9FskwVuakN7tyHHB9GrhPfnascHbd0+mJIJffWeIr6RxNrcdAEJxspos
xcEVx/0PDe6agrziFMjdciQAbbp/LCsS3p2FLvsIs5q4bD2xjYIKamxBXj48npd5
H1Q+fe/cm4MPiGwhYMhKD4M3nZ6FLafCats1KSMPIJqCAOZDke8PxtEu9Zs23n+q
dQZT3et0ufLFtUCvQJCt/kObetJyKEemBtWmHt0mg27tAmPD8DaU8rC8jMo0WZ8w
v+nAsGPGtqEJsHyFHuK+/b89eCUZTaigbQNVcaRG3mOvpSqX+Zs=
=PcmR
-----END PGP SIGNATURE-----
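The two changelog entries above describe the bug only as a heap-based buffer overflow in m_cat in slirp/mbuf.c reached through incoming fragmented datagrams, and name the stretch fix slirp-correct-size-computation-concatenating-mbuf-CVE-2018-11806.patch. The C program below is an added illustration written for this page; it is not slirp's or QEMU's code and not the patch itself. It models the concatenation step with a minimal mbuf stand-in and contrasts a grow-by-fixed-step strategy, which can leave the buffer too small for the bytes about to be copied, with one that sizes the buffer from the length being appended. The struct layout, the MINCSIZE value of 4096, the function names m_cat_fixed_step, m_cat_sized and compare_cat, and the constructed fragment sizes are all assumptions chosen for the demonstration; where the real bug would have written past the allocation, the model detects the shortfall and refuses the copy instead.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed growth step added on every resize in the vulnerable pattern.
 * Assumed value for this model, not taken from slirp's headers. */
#define MINCSIZE 4096

/* Minimal stand-in for an mbuf: one heap buffer with a fill level. */
struct mbuf {
    char *data;   /* heap buffer */
    size_t len;   /* bytes in use */
    size_t size;  /* bytes allocated */
};

static size_t freeroom(const struct mbuf *m) { return m->size - m->len; }

static bool mbuf_init(struct mbuf *m, size_t len, size_t size) {
    if (len > size) return false;
    m->data = calloc(size, 1);
    if (!m->data) return false;
    m->len = len;
    m->size = size;
    return true;
}

/* Grow m so it can hold at least `total` bytes. */
static bool mbuf_grow(struct mbuf *m, size_t total) {
    if (m->size >= total) return true;
    char *p = realloc(m->data, total);
    if (!p) return false;
    m->data = p;
    m->size = total;
    return true;
}

/* Vulnerable shape: when there is no room, grow by a fixed step instead of by
 * what is actually needed. The memcpy then overruns whenever n->len exceeds
 * the step. This model refuses the copy at that point rather than corrupting
 * the heap, so the shortfall is observable. */
bool m_cat_fixed_step(struct mbuf *m, const struct mbuf *n) {
    if (freeroom(m) < n->len && !mbuf_grow(m, m->len + MINCSIZE)) return false;
    if (freeroom(m) < n->len) return false;   /* real code would overflow here */
    memcpy(m->data + m->len, n->data, n->len);
    m->len += n->len;
    return true;
}

/* Corrected shape: size the buffer from the bytes being appended. */
bool m_cat_sized(struct mbuf *m, const struct mbuf *n) {
    if (freeroom(m) < n->len && !mbuf_grow(m, m->len + n->len)) return false;
    memcpy(m->data + m->len, n->data, n->len);
    m->len += n->len;
    return true;
}

/* Append one fragment of frag_len bytes to an mbuf already holding `have`
 * bytes in an allocation of `size`, using both variants. Returns 1 if the
 * fixed-step variant would overflow while the sized variant succeeds, 0 if
 * both succeed, -1 on allocation failure or a mismatch in the sized result. */
int compare_cat(size_t have, size_t size, size_t frag_len) {
    struct mbuf a = {0}, b = {0}, frag = {0};
    int rc = -1;
    if (mbuf_init(&a, have, size) && mbuf_init(&b, have, size) &&
        mbuf_init(&frag, frag_len, frag_len)) {
        memset(frag.data, 'F', frag_len);          /* constructed fragment payload */
        bool fixed_ok = m_cat_fixed_step(&a, &frag);
        bool sized_ok = m_cat_sized(&b, &frag);
        if (sized_ok && b.len == have + frag_len &&
            memcmp(b.data + have, frag.data, frag_len) == 0) {
            rc = fixed_ok ? 0 : 1;
        }
    }
    free(a.data);
    free(b.data);
    free(frag.data);
    return rc;
}

int main(void) {
    /* Constructed sizes: 2000 bytes already reassembled in a 2048-byte buffer. */
    printf("1000-byte fragment: %d (0 = both fit)\n", compare_cat(2000, 2048, 1000));
    printf("8000-byte fragment: %d (1 = fixed step overflows)\n", compare_cat(2000, 2048, 8000));
    return 0;
}
```

Compile with cc -Wall and run: a fragment no larger than the step fits under both variants, while one larger than the step is refused by the fixed-step variant and accepted by the sized one. Reassembly, where fragments of an incoming datagram are appended one after another to a growing mbuf, is exactly the path that hands the concatenation an input larger than any fixed increment.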


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:40:59 2019; Machine Name: beach