Debian Bug report logs -
#553589
CVE-2009-3616: Multiple use-after-free vulnerabilities in vnc.c
Reported by: Giuseppe Iuculano <iuculano@debian.org>
Date: Sun, 1 Nov 2009 10:12:01 UTC
Severity: grave
Tags: security
Found in version qemu/0.10.6-1
Fixed in version 0.11.0-1
Done: Aurelien Jarno <aurelien@aurel32.net>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
:
Bug#553589
; Package qemu
.
(Sun, 01 Nov 2009 10:12:10 GMT) (full text, mbox, link).
Acknowledgement sent
to Giuseppe Iuculano <iuculano@debian.org>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
.
(Sun, 01 Nov 2009 10:12:12 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: qemu
Version: 0.10.6-1
Severity: grave
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for qemu.
CVE-2009-3616[0]:
| Multiple use-after-free vulnerabilities in vnc.c in the VNC server in
| QEMU 0.10.6 and earlier might allow guest OS users to execute
| arbitrary code on the host OS by establishing a connection from a VNC
| client and then (1) disconnecting during data transfer, (2) sending a
| message using incorrect integer data types, or (3) using the Fuzzy
| Screen Mode protocol, related to double free vulnerabilities.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3616
http://security-tracker.debian.org/tracker/CVE-2009-3616
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkrtXlEACgkQNxpp46476ao3NgCdGPnMHfTITK7HUXeruU2ZGG/2
bsEAn2GLZX9LZxbBxn6T+lwsQ/yjX/8R
=F/Fd
-----END PGP SIGNATURE-----
Reply sent
to Aurelien Jarno <aurelien@aurel32.net>
:
You have taken responsibility.
(Tue, 17 Nov 2009 07:57:06 GMT) (full text, mbox, link).
Notification sent
to Giuseppe Iuculano <iuculano@debian.org>
:
Bug acknowledged by developer.
(Tue, 17 Nov 2009 07:57:06 GMT) (full text, mbox, link).
Message #10 received at 553589-done@bugs.debian.org (full text, mbox, reply):
Version: 0.11.0-1
On Sun, Nov 01, 2009 at 11:09:27AM +0100, Giuseppe Iuculano wrote:
> Package: qemu
> Version: 0.10.6-1
> Severity: grave
> Tags: security
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for qemu.
>
> CVE-2009-3616[0]:
> | Multiple use-after-free vulnerabilities in vnc.c in the VNC server in
> | QEMU 0.10.6 and earlier might allow guest OS users to execute
> | arbitrary code on the host OS by establishing a connection from a VNC
> | client and then (1) disconnecting during data transfer, (2) sending a
> | message using incorrect integer data types, or (3) using the Fuzzy
> | Screen Mode protocol, related to double free vulnerabilities.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3616
> http://security-tracker.debian.org/tracker/CVE-2009-3616
>
The version 0.11.0-1 currently in unstable is not vulnerable to this
security issue. Marking the bug has fixed.
--
Aurelien Jarno GPG: 1024D/F1BCDB73
aurelien@aurel32.net http://www.aurel32.net
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Wed, 16 Dec 2009 07:40:09 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:04:44 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.