CVE-2015-4103 CVE-2015-4104 CVE-2015-4105 CVE-2015-4106

Related Vulnerabilities: CVE-2015-4103, CVE-2015-4104, CVE-2015-4105, CVE-2015-4106, CVE-2015-4037, CVE-2015-3209

Debian Bug report logs - #787547
CVE-2015-4103 CVE-2015-4104 CVE-2015-4105 CVE-2015-4106

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Tue, 2 Jun 2015 17:03:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in versions qemu/1:2.3+dfsg-4, qemu/1:2.1+dfsg-11

Fixed in versions qemu/1:2.3+dfsg-5, qemu/1:2.1+dfsg-12+deb8u1

Done: Michael Tokarev <mjt@tls.msk.ru>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#787547; Package src:qemu. (Tue, 02 Jun 2015 17:03:05 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Tue, 02 Jun 2015 17:03:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2015-4103 CVE-2015-4104 CVE-2015-4105 CVE-2015-4106
Date: Tue, 02 Jun 2015 19:01:55 +0200
Source: qemu
Severity: grave
Tags: security

Hi Michael,
please see these Xen issues which all affect src:qemu
http://xenbits.xen.org/xsa/advisory-128.html
http://xenbits.xen.org/xsa/advisory-129.html
http://xenbits.xen.org/xsa/advisory-130.html
http://xenbits.xen.org/xsa/advisory-131.html

I suppose the Xen developers reported these to upstream, but
they were only disclosed some hours ago.

Cheers,
        Moritz



Marked as found in versions qemu/1:2.3+dfsg-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 02 Jun 2015 19:45:06 GMT).


Added tag(s) patch, upstream, pending, and fixed-upstream. Request was from <mjt@tls.msk.ru> to control@bugs.debian.org. (Wed, 03 Jun 2015 14:03:08 GMT).


Reply sent to Michael Tokarev <mjt@tls.msk.ru>:
You have taken responsibility. (Wed, 03 Jun 2015 16:27:17 GMT).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Wed, 03 Jun 2015 16:27:17 GMT).


Message #14 received at 787547-close@bugs.debian.org:

From: Michael Tokarev <mjt@tls.msk.ru>
To: 787547-close@bugs.debian.org
Subject: Bug#787547: fixed in qemu 1:2.3+dfsg-5
Date: Wed, 03 Jun 2015 16:23:25 +0000
Source: qemu
Source-Version: 1:2.3+dfsg-5

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 787547@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 03 Jun 2015 17:18:58 +0300
Source: qemu
Binary: qemu qemu-system qemu-block-extra qemu-system-common qemu-system-misc qemu-system-arm qemu-system-mips qemu-system-ppc qemu-system-sparc qemu-system-x86 qemu-user qemu-user-static qemu-user-binfmt qemu-utils qemu-guest-agent qemu-kvm libcacard0 libcacard-dev libcacard-tools
Architecture: source
Version: 1:2.3+dfsg-5
Distribution: unstable
Urgency: high
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Description:
 libcacard-dev - Virtual Common Access Card (CAC) Emulator (development files)
 libcacard-tools - Virtual Common Access Card (CAC) Emulator (tools)
 libcacard0 - Virtual Common Access Card (CAC) Emulator (runtime library)
 qemu       - fast processor emulator
 qemu-block-extra - extra block backend modules for qemu-system and qemu-utils
 qemu-guest-agent - Guest-side qemu-system agent
 qemu-kvm   - QEMU Full virtualization on x86 hardware
 qemu-system - QEMU full system emulation binaries
 qemu-system-arm - QEMU full system emulation binaries (arm)
 qemu-system-common - QEMU full system emulation binaries (common files)
 qemu-system-mips - QEMU full system emulation binaries (mips)
 qemu-system-misc - QEMU full system emulation binaries (miscelaneous)
 qemu-system-ppc - QEMU full system emulation binaries (ppc)
 qemu-system-sparc - QEMU full system emulation binaries (sparc)
 qemu-system-x86 - QEMU full system emulation binaries (x86)
 qemu-user  - QEMU user mode emulation binaries
 qemu-user-binfmt - QEMU user mode binfmt registration for qemu-user
 qemu-user-static - QEMU user mode emulation binaries (static version)
 qemu-utils - QEMU utilities
Closes: 772422 787547
Changes:
 qemu (1:2.3+dfsg-5) unstable; urgency=high
 .
   * slirp-use-less-predictable-directory-name-in-tmp-CVE-2015-4037.patch
     (Closes: CVE-2015-4037)
   * 11 patches for XEN PCI pass-through issues
     (Closes: #787547 CVE-2015-4103 CVE-2015-4104 CVE-2015-4105 CVE-2015-4106)
   * kbd-add-brazil-kbd-keys-*.patch, adding two keys found on Brazilian
     keyboards (Closes: #772422)
Checksums-Sha1:
 43faa255f2a14f55d487a8aa0eb961011af47b9d 6040 qemu_2.3+dfsg-5.dsc
 550cfa1784ea6af7d2e7d415c884a041918aa5e3 81820 qemu_2.3+dfsg-5.debian.tar.xz
Checksums-Sha256:
 858468f6e692f75bea6c72ae89bae7ff208a006100dd71e9ed7e399e84f41d19 6040 qemu_2.3+dfsg-5.dsc
 a9c355ba0c723aa3ac0f945df16ca77ab3fd7b25fad076c0c1082eb210cdd5f5 81820 qemu_2.3+dfsg-5.debian.tar.xz
Files:
 92da4413ed53697c89fd7d9562212fa3 6040 otherosfs optional qemu_2.3+dfsg-5.dsc
 40c80a3758a66257673220e5ede646ea 81820 otherosfs optional qemu_2.3+dfsg-5.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Marked as found in versions qemu/1:2.1+dfsg-11. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 12 Jun 2015 22:48:03 GMT).


Reply sent to Michael Tokarev <mjt@tls.msk.ru>:
You have taken responsibility. (Sun, 14 Jun 2015 16:06:04 GMT).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 14 Jun 2015 16:06:04 GMT).


Message #21 received at 787547-close@bugs.debian.org:

From: Michael Tokarev <mjt@tls.msk.ru>
To: 787547-close@bugs.debian.org
Subject: Bug#787547: fixed in qemu 1:2.1+dfsg-12+deb8u1
Date: Sun, 14 Jun 2015 16:02:58 +0000
Source: qemu
Source-Version: 1:2.1+dfsg-12+deb8u1

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 787547@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 11 Jun 2015 20:17:04 +0300
Source: qemu
Binary: qemu qemu-system qemu-system-common qemu-system-misc qemu-system-arm qemu-system-mips qemu-system-ppc qemu-system-sparc qemu-system-x86 qemu-user qemu-user-static qemu-user-binfmt qemu-utils qemu-guest-agent qemu-kvm
Architecture: source
Version: 1:2.1+dfsg-12+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Description:
 qemu       - fast processor emulator
 qemu-guest-agent - Guest-side qemu-system agent
 qemu-kvm   - QEMU Full virtualization on x86 hardware
 qemu-system - QEMU full system emulation binaries
 qemu-system-arm - QEMU full system emulation binaries (arm)
 qemu-system-common - QEMU full system emulation binaries (common files)
 qemu-system-mips - QEMU full system emulation binaries (mips)
 qemu-system-misc - QEMU full system emulation binaries (miscelaneous)
 qemu-system-ppc - QEMU full system emulation binaries (ppc)
 qemu-system-sparc - QEMU full system emulation binaries (sparc)
 qemu-system-x86 - QEMU full system emulation binaries (x86)
 qemu-user  - QEMU user mode emulation binaries
 qemu-user-binfmt - QEMU user mode binfmt registration for qemu-user
 qemu-user-static - QEMU user mode emulation binaries (static version)
 qemu-utils - QEMU utilities
Closes: 787547 788460
Changes:
 qemu (1:2.1+dfsg-12+deb8u1) jessie-security; urgency=high
 .
   * slirp-use-less-predictable-directory-name-in-tmp-CVE-2015-4037.patch
     (Closes: CVE-2015-4037)
   * 11 patches for XEN PCI pass-through issues
     (Closes: #787547 CVE-2015-4103 CVE-2015-4104 CVE-2015-4105 CVE-2015-4106)
   * pcnet-force-buffer-access-to-be-in-bounds-CVE-2015-3209.patch
     with preparation bugfix pcnet-fix-negative-array-index-read.patch
     from upstream (Closes: #788460 CVE-2015-3209)
Checksums-Sha1:
 32e306497bc8b6f65c8713e383b5968dcf29d1d3 5174 qemu_2.1+dfsg-12+deb8u1.dsc
 79252b7eb6054390584b67b2e9e6b5764ef48054 105752 qemu_2.1+dfsg-12+deb8u1.debian.tar.xz
Checksums-Sha256:
 72243a617919f14a0343a171ddd9e678ffdce5fc78c7f951b4264b72b625e6f9 5174 qemu_2.1+dfsg-12+deb8u1.dsc
 4a6b8761167a8b2cdc553c90cab1e67474ce4be7996d3bb1c4eb188ff4208331 105752 qemu_2.1+dfsg-12+deb8u1.debian.tar.xz
Files:
 6ab66f0e18fea39c4857351eced6f672 5174 otherosfs optional qemu_2.1+dfsg-12+deb8u1.dsc
 813744f5b619eb2b23c1b8692b589c12 105752 otherosfs optional qemu_2.1+dfsg-12+deb8u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 04 Oct 2015 07:56:28 GMT).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:14:55 2019; Machine Name: buxtehude