qemu: CVE-2016-10028: display: virtio-gpu-3d: OOB access while reading virgl capabilities

Related Vulnerabilities: CVE-2016-10028   CVE-2016-9101   CVE-2017-5525   CVE-2017-5526   CVE-2016-10155  

Debian Bug report logs - #849798

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 31 Dec 2016 06:51:01 UTC

Severity: important

Tags: security, upstream

Found in version qemu/1:2.8+dfsg-1

Fixed in versions qemu/1:2.8+dfsg-2, qemu/1:2.10.0-1

Done: Michael Tokarev <mjt@tls.msk.ru>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#849798; Package src:qemu. (Sat, 31 Dec 2016 06:51:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Sat, 31 Dec 2016 06:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: qemu: CVE-2016-10028: display: virtio-gpu-3d: OOB access while reading virgl capabilities
Date: Sat, 31 Dec 2016 07:49:30 +0100
Source: qemu
Version: 1:2.8+dfsg-1
Severity: important
Tags: upstream security

Hi,

the following vulnerability was published for qemu.

CVE-2016-10028[0]:
display: virtio-gpu-3d: OOB access while reading virgl capabilities

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10028
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10028
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1406367

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Added tag(s) pending. Request was from <mjt@tls.msk.ru> to control@bugs.debian.org. (Mon, 02 Jan 2017 08:45:03 GMT)


Reply sent to Michael Tokarev <mjt@tls.msk.ru>:
You have taken responsibility. (Mon, 23 Jan 2017 11:24:15 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 23 Jan 2017 11:24:15 GMT)


Message #12 received at 849798-close@bugs.debian.org:

From: Michael Tokarev <mjt@tls.msk.ru>
To: 849798-close@bugs.debian.org
Subject: Bug#849798: fixed in qemu 1:2.8+dfsg-2
Date: Mon, 23 Jan 2017 11:22:15 +0000
Source: qemu
Source-Version: 1:2.8+dfsg-2

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 849798@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 23 Jan 2017 14:06:54 +0300
Source: qemu
Binary: qemu qemu-system qemu-block-extra qemu-system-common qemu-system-misc qemu-system-arm qemu-system-mips qemu-system-ppc qemu-system-sparc qemu-system-x86 qemu-user qemu-user-static qemu-user-binfmt qemu-utils qemu-guest-agent qemu-kvm
Architecture: source
Version: 1:2.8+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Description:
 qemu       - fast processor emulator
 qemu-block-extra - extra block backend modules for qemu-system and qemu-utils
 qemu-guest-agent - Guest-side qemu-system agent
 qemu-kvm   - QEMU Full virtualization on x86 hardware
 qemu-system - QEMU full system emulation binaries
 qemu-system-arm - QEMU full system emulation binaries (arm)
 qemu-system-common - QEMU full system emulation binaries (common files)
 qemu-system-mips - QEMU full system emulation binaries (mips)
 qemu-system-misc - QEMU full system emulation binaries (miscellaneous)
 qemu-system-ppc - QEMU full system emulation binaries (ppc)
 qemu-system-sparc - QEMU full system emulation binaries (sparc)
 qemu-system-x86 - QEMU full system emulation binaries (x86)
 qemu-user  - QEMU user mode emulation binaries
 qemu-user-binfmt - QEMU user mode binfmt registration for qemu-user
 qemu-user-static - QEMU user mode emulation binaries (static version)
 qemu-utils - QEMU utilities
Closes: 843032 849798 851509 851910 852021 852119 852232
Changes:
 qemu (1:2.8+dfsg-2) unstable; urgency=medium
 .
   * Revert "update binfmt registration for mipsn32"
     Reopens: #829243
     Closes: #843032
     Will re-enable it for stretch+1, since for now upgrades
     from jessie are broken (jessie comes with 3.16 kernel),
     and there's no easy fix for this
   * Revert "enable virtio gpu (virglrenderer) and opengl support"
     Revert "switch from sdl1 to gtk3"
     Revert other gtk2/drm/vte/virgl-related changes
     Reopens: #813658, #839695
     The change were too close to stretch release and too large,
     bringing too much graphics stuff for headless servers,
     will re-think this for stretch+1.
     sdl1 back: Closes: #851509
     virtio-3d bugs: Closes: #849798, #852119
   * mention closing of #769983 (multi-threaded linux-user) by 2.7
   * mention closing of #842455, CVE-2016-9101 by 2.8
   * audio-ac97-add-exit-function-CVE-2017-5525.patch (Closes: #852021)
   * audio-es1370-add-exit-function-CVE-2017-5526.patch (Closes: #851910)
   * watchdog-6300esb-add-exit-function-CVE-2016-10155.patch (Closes: #852232)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#849798; Package src:qemu. (Sat, 28 Jan 2017 20:42:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Sat, 28 Jan 2017 20:42:05 GMT)


Message #17 received at 849798@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Michael Tokarev <mjt@tls.msk.ru>
Cc: 849798@bugs.debian.org, 852119@bugs.debian.org
Subject: Handling #849798, #852119
Date: Sat, 28 Jan 2017 21:40:22 +0100

Hi Michael

Thanks for handling both #849798, #852119.

Now, I have a bit of a problem tracking those. While I agree (and
thanks for that) that 1:2.8+dfsg-2 reverts the support for virtio gpu
(virglrenderer) and opengl, the *source* as per 1:2.8+dfsg-2 is still
affected.

In case this support gets re-added later, after the stretch release,
presumably we just need to make sure the issues are fixed source-wise.
But OTOH, at that point they will be fixed upstream already, so I guess
we are safe here.

I have marked those for now as unfixed, but 'unimportant' in the
security-tracker, which basically means: source affected, but built
binary packages are not affected.

Thanks for your work,

Regards,
Salvatore



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Feb 2017 07:37:08 GMT)


Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 21 Dec 2018 21:24:04 GMT)


Marked as fixed in versions qemu/1:2.10.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 21 Dec 2018 21:24:05 GMT)


Bug archived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 21 Dec 2018 21:24:05 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:56:16 2019; Machine Name: buxtehude
