Debian Bug report logs - #699396
CVE-2013-0241 - qxl: synchronous io guest DoS
Reported by: Luciano Bello <luciano@debian.org>
Date: Wed, 30 Jan 2013 23:12:04 UTC
Severity: grave
Tags: patch, security
Fixed in version 0.0.17-1
Done: Moritz Muehlenhoff <jmm@inutil.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>: Bug#699396; Package xserver-xorg-video-qxl. (Wed, 30 Jan 2013 23:12:07 GMT)
Acknowledgement sent to Luciano Bello <luciano@debian.org>: New Bug report received and forwarded. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. (Wed, 30 Jan 2013 23:12:07 GMT)
Message #5 received at submit@bugs.debian.org:
Package: xserver-xorg-video-qxl
Severity: grave
Tags: security patch
Justification: user security hole
Hi there,
Take a look at http://seclists.org/oss-sec/2013/q1/204
Please use CVE-2013-0241 to refer to this issue.
The Debian package in unstable looks affected. Can you check if the stable or
testing are affected too?
Cheers,
luciano
Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>: Bug#699396; Package xserver-xorg-video-qxl. (Thu, 31 Jan 2013 17:00:05 GMT)
Acknowledgement sent to Liang Guo <bluestonechina@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. (Thu, 31 Jan 2013 17:00:05 GMT)
Message #10 received at 699396@bugs.debian.org:
Hi,
On Thu, Jan 31, 2013 at 12:10:16AM +0100, Luciano Bello wrote:
> Package: xserver-xorg-video-qxl
> Severity: grave
> Tags: security patch
> Justification: user security hole
>
> Hi there,
> Take a look at http://seclists.org/oss-sec/2013/q1/204
> Please use CVE-2013-0241 to refer to this issue.
> The Debian package in unstable looks affected. Can you check if the stable or
> testing are affected too?
>
> Cheers,
> luciano
Would you like to check whether xserver-xorg-video-qxl 0.0.17 is
affected?
According to http://seclists.org/oss-sec/2013/q1/204, this
bug is fixed in commit 30b4b72cdbdf9f0e92a8d1c4e01779f60f15a741,
which is included in 0.0.17.
I'm backporting this patch to 0.0.12; I'll let you know when
it is ready.
Thanks and Regards,
--
Liang Guo
http://bluestone.cublog.cn
Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>: Bug#699396; Package xserver-xorg-video-qxl. (Tue, 05 Feb 2013 15:39:03 GMT)
Acknowledgement sent to Liang Guo <bluestonechina@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. (Tue, 05 Feb 2013 15:39:03 GMT)
Message #15 received at 699396@bugs.debian.org:
Hi, Luciano,
On Thu, Jan 31, 2013 at 12:10:16AM +0100, Luciano Bello wrote:
> Package: xserver-xorg-video-qxl
> Severity: grave
> Tags: security patch
> Justification: user security hole
>
> Hi there,
> Take a look at http://seclists.org/oss-sec/2013/q1/204
> Please use CVE-2013-0241 to refer to this issue.
> The Debian package in unstable looks affected. Can you check if the stable or
> testing are affected too?
I checked the patch; it modified the following functions:
qxl_handle_oom
qxl_allocnf
setup_slot
qxl_surface_cache_create_primary
download_box
qxl_allocnf exists in qxl 0.0.12, but it does not use the ioport_write
function; the other functions don't exist in qxl 0.0.12.
Could you please check whether this bug affects qxl in squeeze?
Thanks and Regards,
--
Liang Guo
http://bluestone.cublog.cn
Reply sent to Moritz Muehlenhoff <jmm@inutil.org>: You have taken responsibility. (Fri, 01 Mar 2013 16:57:13 GMT)
Notification sent to Luciano Bello <luciano@debian.org>: Bug acknowledged by developer. (Fri, 01 Mar 2013 16:57:14 GMT)
Message #20 received at 699396-done@bugs.debian.org:
Version: 0.0.17-1
On Fri, Feb 01, 2013 at 12:57:02AM +0800, Liang Guo wrote:
> Hi,
>
> On Thu, Jan 31, 2013 at 12:10:16AM +0100, Luciano Bello wrote:
> > Package: xserver-xorg-video-qxl
> > Severity: grave
> > Tags: security patch
> > Justification: user security hole
> >
> > Hi there,
> > Take a look at http://seclists.org/oss-sec/2013/q1/204
> > Please use CVE-2013-0241 to refer to this issue.
> > The Debian package in unstable looks affected. Can you check if the stable or
> > testing are affected too?
> >
> > Cheers,
> > luciano
> Would you like to check whether xserver-xorg-video-qxl 0.0.17 is
> affected?
>
> According to http://seclists.org/oss-sec/2013/q1/204, this
> bug is fixed in commit 30b4b72cdbdf9f0e92a8d1c4e01779f60f15a741,
> which is included in 0.0.17.
Closing the bug properly.
Cheers,
Moritz
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 08:31:33 GMT)