Debian Bug report logs -
#861351
qemu: CVE-2017-8112: scsi: vmw_pvscsi: infinite loop in pvscsi_log2
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 27 Apr 2017 20:09:01 UTC
Severity: normal
Tags: security, upstream
Found in version qemu/1:2.8+dfsg-4
Fixed in version qemu/1:2.8+dfsg-5
Done: Michael Tokarev <mjt@tls.msk.ru>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#861351; Package src:qemu.
(Thu, 27 Apr 2017 20:09:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>.
(Thu, 27 Apr 2017 20:09:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: qemu
Version: 1:2.8+dfsg-4
Severity: normal
Tags: upstream security
Hi,
the following vulnerability was published for qemu.
CVE-2017-8112[0]:
vmw_pvscsi: infinite loop in pvscsi_log2
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-8112
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8112
[1] https://bugzilla.novell.com/show_bug.cgi?id=1036211
[2] https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg04578.html
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1445621
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Added tag(s) pending.
Request was from <mjt@tls.msk.ru>
to control@bugs.debian.org.
(Wed, 17 May 2017 05:51:05 GMT) (full text, mbox, link).
Reply sent
to Michael Tokarev <mjt@tls.msk.ru>:
You have taken responsibility.
(Wed, 17 May 2017 06:42:08 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Wed, 17 May 2017 06:42:08 GMT) (full text, mbox, link).
Message #12 received at 861351-close@bugs.debian.org (full text, mbox, reply):
Source: qemu
Source-Version: 1:2.8+dfsg-5
We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 861351@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated qemu package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 17 May 2017 09:01:24 +0300
Source: qemu
Binary: qemu qemu-system qemu-block-extra qemu-system-common qemu-system-misc qemu-system-arm qemu-system-mips qemu-system-ppc qemu-system-sparc qemu-system-x86 qemu-user qemu-user-static qemu-user-binfmt qemu-utils qemu-guest-agent qemu-kvm
Architecture: source
Version: 1:2.8+dfsg-5
Distribution: unstable
Urgency: high
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Description:
qemu - fast processor emulator
qemu-block-extra - extra block backend modules for qemu-system and qemu-utils
qemu-guest-agent - Guest-side qemu-system agent
qemu-kvm - QEMU Full virtualization on x86 hardware
qemu-system - QEMU full system emulation binaries
qemu-system-arm - QEMU full system emulation binaries (arm)
qemu-system-common - QEMU full system emulation binaries (common files)
qemu-system-mips - QEMU full system emulation binaries (mips)
qemu-system-misc - QEMU full system emulation binaries (miscellaneous)
qemu-system-ppc - QEMU full system emulation binaries (ppc)
qemu-system-sparc - QEMU full system emulation binaries (sparc)
qemu-system-x86 - QEMU full system emulation binaries (x86)
qemu-user - QEMU user mode emulation binaries
qemu-user-binfmt - QEMU user mode binfmt registration for qemu-user
qemu-user-static - QEMU user mode emulation binaries (static version)
qemu-utils - QEMU utilities
Closes: 860785 861348 861351 862280 862282 862289
Changes:
qemu (1:2.8+dfsg-5) unstable; urgency=high
.
* Security fix release
* 9pfs-local-set-path-of-export-root-to-dot-CVE-2017-7471.patch
Closes: #860785, CVE-2017-7471
* 9pfs-xattr-fix-memory-leak-in-v9fs_list_xattr-CVE-2017-8086.patch
Closes: #861348, CVE-2017-8086
* vmw_pvscsi-check-message-ring-page-count-at-init-CVE-2017-8112.patch
Closes: #861351, CVE-2017-8112
* scsi-avoid-an-off-by-one-error-in-megasas_mmio_write-CVE-2017-8380.patch
Closes: #862282, CVE-2017-8380
* input-limit-kbd-queue-depth-CVE-2017-8379.patch
Closes: #862289, CVE-2017-8379
* audio-release-capture-buffers-CVE-2017-8309.patch
Closes: #862280, CVE-2017-8309
Checksums-Sha1:
15604eac9a024e6c67aa1307e8c6cad012e0cbd6 5551 qemu_2.8+dfsg-5.dsc
908078bbc64384750e38099df5cd33e439a04897 116796 qemu_2.8+dfsg-5.debian.tar.xz
1b236111206cc9b2b35ba1415bd7d3a86316b64f 10151 qemu_2.8+dfsg-5_source.buildinfo
Checksums-Sha256:
d49d6808cd2610205293b59b1b354b98d75ec34f3452595419d8c5ffb178dd2e 5551 qemu_2.8+dfsg-5.dsc
14f93b47667c0d8555abfc0686e39e641dfa353d4a62ec96602b0794396c1401 116796 qemu_2.8+dfsg-5.debian.tar.xz
2ceea1bac3bb8978ad01b08d1199db6c0ba871d711920873739d0066edc2d658 10151 qemu_2.8+dfsg-5_source.buildinfo
Files:
076b80e402580bfb3c951b94af53f943 5551 otherosfs optional qemu_2.8+dfsg-5.dsc
9e4b382b32d6b06c71d2cbae1730f9a3 116796 otherosfs optional qemu_2.8+dfsg-5.debian.tar.xz
22ac5889dcb1cddf5275146b1fe8b9d0 10151 otherosfs optional qemu_2.8+dfsg-5_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQFDBAEBCAAtFiEEe3O61ovnosKJMUsicBtPaxppPlkFAlkb6EIPHG1qdEB0bHMu
bXNrLnJ1AAoJEHAbT2saaT5Z8Z0H+QGIU/9BfCpA5uaYEbHBxxfzMJ8BelmiiT9m
25Zc2aIafrSlC+ciT0CfpXwHwqQejcY8TFF0CMsKN7VsuzIzW4RP3XH7lL4KNmP3
PkDvCpm/M5XtfFx1Jj8ytwUuq6koBt7wj+H8PWkrE7k4wGd5zqmnKpZ7PEXW9C7v
IcaxSCX/RoFORJci5+GZvR4l5ffKhAAHFUvct3V7Q6Cg/glNVIldeA0pq/qHYa8n
GptVRtU0NIoqT1CEBAHgb+VlQePo3YldKGsaBwZsUK019n5Ub7Ec/Bm4UpF35Bsb
URac60tlH18AMfyRkj7Fcxpyh+6gW3lq72fRDQxtWRQ3Hof44wA=
=wjmv
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 25 Jun 2017 07:26:41 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:06:14 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon