Debian Bug report logs -
#927439
qemu: CVE-2019-5008
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 19 Apr 2019 20:42:02 UTC
Severity: important
Tags: patch, security, upstream
Found in version qemu/1:3.1+dfsg-7
Fixed in version qemu/1:3.1+dfsg-8
Done: Michael Tokarev <mjt@tls.msk.ru>
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#927439; Package src:qemu.
(Fri, 19 Apr 2019 20:42:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>.
(Fri, 19 Apr 2019 20:42:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: qemu
Version: 1:3.1+dfsg-7
Severity: important
Tags: patch security upstream
Hi,
The following vulnerability was published for qemu.
CVE-2019-5008[0]:
| hw/sparc64/sun4u.c in QEMU 3.1.50 is vulnerable to a NULL pointer
| dereference, which allows the attacker to cause a denial of service
| via a device driver.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-5008
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5008
[1] https://fakhrizulkifli.github.io/posts/2019/01/03/CVE-2019-5008/
[2] https://git.qemu.org/?p=qemu.git;a=commitdiff;h=ad280559c68360c9f1cd7be063857853759e6a73
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Reply sent
to Michael Tokarev <mjt@tls.msk.ru>:
You have taken responsibility.
(Tue, 28 May 2019 07:21:03 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Tue, 28 May 2019 07:21:04 GMT) (full text, mbox, link).
Message #10 received at 927439-close@bugs.debian.org (full text, mbox, reply):
Source: qemu
Source-Version: 1:3.1+dfsg-8
We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 927439@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated qemu package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 27 May 2019 07:49:25 +0300
Source: qemu
Binary: qemu qemu-system qemu-block-extra qemu-system-data qemu-system-common qemu-system-gui qemu-system-misc qemu-system-arm qemu-system-mips qemu-system-ppc qemu-system-sparc qemu-system-x86 qemu-user qemu-user-static qemu-user-binfmt qemu-utils qemu-guest-agent qemu-kvm
Architecture: source
Version: 1:3.1+dfsg-8
Distribution: unstable
Urgency: high
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Description:
qemu - fast processor emulator, dummy package
qemu-block-extra - extra block backend modules for qemu-system and qemu-utils
qemu-guest-agent - Guest-side qemu-system agent
qemu-kvm - QEMU Full virtualization on x86 hardware
qemu-system - QEMU full system emulation binaries
qemu-system-arm - QEMU full system emulation binaries (arm)
qemu-system-common - QEMU full system emulation binaries (common files)
qemu-system-data - QEMU full system emulation (data files)
qemu-system-gui - QEMU full system emulation binaries (user interface and audio sup
qemu-system-mips - QEMU full system emulation binaries (mips)
qemu-system-misc - QEMU full system emulation binaries (miscellaneous)
qemu-system-ppc - QEMU full system emulation binaries (ppc)
qemu-system-sparc - QEMU full system emulation binaries (sparc)
qemu-system-x86 - QEMU full system emulation binaries (x86)
qemu-user - QEMU user mode emulation binaries
qemu-user-binfmt - QEMU user mode binfmt registration for qemu-user
qemu-user-static - QEMU user mode emulation binaries (static version)
qemu-utils - QEMU utilities
Closes: 927439 927763 929067 929261 929353
Changes:
qemu (1:3.1+dfsg-8) unstable; urgency=high
.
* sun4u-add-power_mem_read-routine-CVE-2019-5008.patch
fixes a null-pointer dereference in sparc/sun4u emulated hw
Closes: #927439, CVE-2019-5008
* enable-md-no.patch & enable-md-clear.patch
mitigation for MDS (Microarchitectural Data Sampling) issues
Closes: #929067,
CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
* qxl-check-release-info-object-CVE-2019-12155.patch
fixes null-pointer deref in qxl cleanup code
Closes: #929353, CVE-2019-12155
* aarch42-exception-return-to-switch-from-hyp-mon.patch
fixes booting U-Boot in UEFI mode on aarch42
Closes: #927763
* stop qemu-system-common pre-depending on adduser
Closes: #929261
Checksums-Sha1:
6d93e2ebaaa5a4ae25d8029970ec552cbd48b803 6120 qemu_3.1+dfsg-8.dsc
36a8b215dccf1466557e6d61e26da222ed892efd 87704 qemu_3.1+dfsg-8.debian.tar.xz
5e5b48914604bf01806ac6ae8af17e5934922bd9 16386 qemu_3.1+dfsg-8_source.buildinfo
Checksums-Sha256:
75c62145aefd0a2fd3da3531063a5537aa067ec3295c8118e213e28b8b7d8d1b 6120 qemu_3.1+dfsg-8.dsc
da5b20a6f91c7309b41c809374572282c6addc828838c487158aa46ef8350607 87704 qemu_3.1+dfsg-8.debian.tar.xz
80739736ddbab9aaa611484e8e90bdb0aa07a9e11b772d6065e630388350ccd1 16386 qemu_3.1+dfsg-8_source.buildinfo
Files:
8f6cf6785bcd3343cb45f267d0b54adf 6120 otherosfs optional qemu_3.1+dfsg-8.dsc
9f48a84ab4f55d8dc81b380dfb9e395d 87704 otherosfs optional qemu_3.1+dfsg-8.debian.tar.xz
3f3475a16a609e4809d8ca91b37100ca 16386 otherosfs optional qemu_3.1+dfsg-8_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQFDBAEBCAAtFiEEe3O61ovnosKJMUsicBtPaxppPlkFAlzrbwAPHG1qdEB0bHMu
bXNrLnJ1AAoJEHAbT2saaT5Z960IAKe0Mwf1xMZRqGGN96lx2cjsiT6fkORjbZsz
VRGpbXVRYU+S6iVZCsN2RkIsKz3gY2q1J6msQLIhBx7iypiAIcJ+/AyJTKngklPd
PNITaSM0W0c23XCzV2+dxKO+Sxsk/X7R+99cfDHcZuivrBFN2wILpLLEd7rdjx0t
QMj9/1lxtRG8gZxkKpHuha1u39DxWCRDd0mMnFk2wqetsijZ64RIDmkJXSjJEDIz
1xLn/b0TzzCPqqbt50Ykq91A96ybobka6SVM5D1nvtsyf6jYitjHriTj4L/4uImC
UnZ6TVnzG/Hr9O5xRqc5TZJvutq/lI/HezUUcYAUkTTcFlqT1D0=
=mC66
-----END PGP SIGNATURE-----
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:37:54 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon