qemu: CVE-2015-5166: Use after free in QEMU/Xen block unplug protocol

Debian Bug report logs - #794611

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 4 Aug 2015 20:27:02 UTC

Severity: important

Tags: security, upstream

Found in version qemu/1:2.3+dfsg-1

Fixed in version qemu/1:2.4+dfsg-1a

Done: Michael Tokarev <mjt@tls.msk.ru>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#794611; Package src:qemu. (Tue, 04 Aug 2015 20:27:05 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Tue, 04 Aug 2015 20:27:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: qemu: CVE-2015-5166: Use after free in QEMU/Xen block unplug protocol
Date: Tue, 04 Aug 2015 22:24:25 +0200
Source: qemu
Version: 1.1.2+dfsg-6a
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for qemu.

CVE-2015-5166[0]:
Use after free in QEMU/Xen block unplug protocol

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-5166
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1248997

Regards,
Salvatore



No longer marked as found in versions qemu/1.1.2+dfsg-6a. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 28 Aug 2015 17:39:09 GMT).


Marked as found in versions qemu/1:2.3+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 28 Aug 2015 17:39:10 GMT).


Added tag(s) pending. Request was from <mjt@tls.msk.ru> to control@bugs.debian.org. (Mon, 31 Aug 2015 12:27:25 GMT).


Reply sent to Michael Tokarev <mjt@tls.msk.ru>:
You have taken responsibility. (Mon, 31 Aug 2015 15:48:24 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 31 Aug 2015 15:48:24 GMT).


Message #16 received at 794611-close@bugs.debian.org:

From: Michael Tokarev <mjt@tls.msk.ru>
To: 794611-close@bugs.debian.org
Subject: Bug#794611: fixed in qemu 1:2.4+dfsg-1a
Date: Mon, 31 Aug 2015 15:44:08 +0000
Source: qemu
Source-Version: 1:2.4+dfsg-1a

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 794611@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 31 Aug 2015 16:28:08 +0300
Source: qemu
Binary: qemu qemu-system qemu-block-extra qemu-system-common qemu-system-misc qemu-system-arm qemu-system-mips qemu-system-ppc qemu-system-sparc qemu-system-x86 qemu-user qemu-user-static qemu-user-binfmt qemu-utils qemu-guest-agent qemu-kvm libcacard0 libcacard-dev libcacard-tools
Architecture: source
Version: 1:2.4+dfsg-1a
Distribution: unstable
Urgency: medium
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Description:
 libcacard-dev - Virtual Common Access Card (CAC) Emulator (development files)
 libcacard-tools - Virtual Common Access Card (CAC) Emulator (tools)
 libcacard0 - Virtual Common Access Card (CAC) Emulator (runtime library)
 qemu       - fast processor emulator
 qemu-block-extra - extra block backend modules for qemu-system and qemu-utils
 qemu-guest-agent - Guest-side qemu-system agent
 qemu-kvm   - QEMU Full virtualization on x86 hardware
 qemu-system - QEMU full system emulation binaries
 qemu-system-arm - QEMU full system emulation binaries (arm)
 qemu-system-common - QEMU full system emulation binaries (common files)
 qemu-system-mips - QEMU full system emulation binaries (mips)
 qemu-system-misc - QEMU full system emulation binaries (miscelaneous)
 qemu-system-ppc - QEMU full system emulation binaries (ppc)
 qemu-system-sparc - QEMU full system emulation binaries (sparc)
 qemu-system-x86 - QEMU full system emulation binaries (x86)
 qemu-user  - QEMU user mode emulation binaries
 qemu-user-binfmt - QEMU user mode binfmt registration for qemu-user
 qemu-user-static - QEMU user mode emulation binaries (static version)
 qemu-utils - QEMU utilities
Closes: 793388 793811 793817 794610 794611 795087 795461 796465
Changes:
 qemu (1:2.4+dfsg-1a) unstable; urgency=medium
 .
   * new upstream (2.4.0) release
     Closes: #795461, #793811, #794610, #795087, #794611, #793388
     CVE-2015-3214 CVE-2015-5154 CVE-2015-5165 CVE-2015-5745
     CVE-2015-5166 CVE-2015-5158
     Closes: #793817
   * removed all upstreamed patches
   * remove --enable-vnc-ws option (not used anymore)
   * update mjt-set-oem-in-rsdt-like-slic.diff
   * vnc-fix-memory-corruption-CVE-2015-5225.patch from upstream
     Closes: #796465 CVE-2015-5225
   * remove now-unused /etc/qemu/target-x86_64.conf


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 11 Nov 2015 07:26:33 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:09:05 2019; Machine Name: buxtehude