Univention Bugzilla – Bug 46217
qemu: multiple Issues (4.2)
Last modified: 2018-05-08 14:56:59 CEST
Last imported version from Debian-Jessie-backports: 2.8+dfsg-3

UCS has a self-build 2.8.1 in errata4.2-0, which is 1:2.8+dfsg-4, which was *never* released, so we are still at 2.8[.0]+dfsg-3 (as Bug #44084 was fixed with only an update of SeaBIOS)

Since then:

qemu (1:2.8+dfsg-6+deb9u3) stretch-security; urgency=high
  * xhci-guard-xhci_kick_epctx-against-recursive-calls-CVE-2017-9375.patch
  * ide-do-not-flush-empty-CDROM-drives-CVE-2017-12809.patch
  * vga-stop-passing-pointers-to-vga_draw_line-functions-CVE-2017-13672.patch
  * multiboot-validate-multiboot-header-address-values-CVE-2017-14167.patch
  * slirp-fix-clearing-ifq_so-from-pending-packets-CVE-2017-13711.patch

qemu (1:2.8+dfsg-6+deb9u2) stretch-security; urgency=high
  * slirp-check-len-against-dhcp-options-array-end-CVE-2017-11434.patch
  * exec-use-qemu_ram_ptr_length-to-access-guest-ram-CVE-2017-11334.patch
  * usb-redir-fix-stack-overflow-in-usbredir_log_data-CVE-2017-10806.patch

qemu (1:2.8+dfsg-6+deb9u1) stretch-security; urgency=high
  * net-e1000e-fix-an-infinite-loop-issue-CVE-2017-9310.patch
  * usb-ohci-fix-error-return-code-in-servicing-iso-td-CVE-2017-9330.patch
  * ide-ahci-call-cleanup-function-in-ahci-unit-CVE-2017-9373.patch
  * usb-ehci-fix-memory-leak-in-ehci-CVE-2017-9374.patch
  * nbd-ignore-SIGPIPE-CVE-2017-10664.patch
  * nbd-fully-initialize-client-in-case-of-failed-negotiation-CVE-2017-9524.patch
    nbd-fix-regression-on-resiliency-to-port-scan-CVE-2017-9524.patch
  * xen-disk-don-t-leak-stack-data-via-response-ring-CVE-2017-10911.patch

qemu (1:2.8+dfsg-6) unstable; urgency=high
  * 9pfs-local-forbid-client-access-to-metadata-CVE-2017-7493.patch

qemu (1:2.8+dfsg-5) unstable; urgency=high
  * 9pfs-local-set-path-of-export-root-to-dot-CVE-2017-7471.patch
  * 9pfs-xattr-fix-memory-leak-in-v9fs_list_xattr-CVE-2017-8086.patch
  * vmw_pvscsi-check-message-ring-page-count-at-init-CVE-2017-8112.patch
  * scsi-avoid-an-off-by-one-error-in-megasas_mmio_write-CVE-2017-8380.patch
  * input-limit-kbd-queue-depth-CVE-2017-8379.patch
  * audio-release-capture-buffers-CVE-2017-8309.patch

qemu (1:2.8+dfsg-4) unstable; urgency=high
  * usb-ohci-limit-the-number-of-link-eds-CVE-2017-6505.patch
  * update to 2.8.1 upstream stable/bugfix release (CVE-2016-9603)
    (v2.8.1.diff from upstream, except of seabios blob bits).
  * 9pfs-fix-file-descriptor-leak-CVE-2017-7377.patch
  * dma-rc4030-limit-interval-timer-reload-value-CVE-2016-8667.patch

$ ./tracker.py CVE-2017-9375 CVE-2017-12809 CVE-2017-13672 CVE-2017-14167 CVE-2017-13711 CVE-2017-11434 CVE-2017-11334 CVE-2017-10806 CVE-2017-9310 CVE-2017-9330 CVE-2017-9373 CVE-2017-9374 CVE-2017-10664 CVE-2017-9524 CVE-2017-9524 CVE-2017-10911 CVE-2017-7493 CVE-2017-7471 CVE-2017-8086 CVE-2017-8112 CVE-2017-8380 CVE-2017-8379 CVE-2017-8309 CVE-2017-6505 CVE-2016-9603 CVE-2017-7377 CVE-2016-8667
CVE-2016- 8667 3.0 CVE-2016-8667 Qemu: hw: dma: divide by zero error in set_next_tick
CVE-2016- 9603 5.5 CVE-2016-9603 Qemu: cirrus: heap buffer overflow via vnc connection
CVE-2017- 6505 3.0 CVE-2017-6505 Qemu: usb: an infinite loop issue in ohci_service_ed_list
CVE-2017- 7377 3.0 CVE-2017-7377 Qemu: 9pfs: host memory leakage via v9fs_create
CVE-2017- 7471 7.6 CVE-2017-7471 Qemu: 9p: virtfs allows guest to change filesystem attributes on host
CVE-2017- 7493 7.1 CVE-2017-7493 Qemu: 9pfs: guest privilege escalation in virtfs mapped-file mode
CVE-2017- 8086 3.0 CVE-2017-8086 Qemu: 9pfs: host memory leakage via v9pfs_list_xattr
CVE-2017- 8112 3.0 CVE-2017-8112 Qemu: scsi: vmw_pvscsi: infinite loop in pvscsi_log2
CVE-2017- 8309 3.0 CVE-2017-8309 Qemu: audio: host memory leakage via capture buffer
CVE-2017- 8379 3.0 CVE-2017-8379 Qemu: input: host memory lekage via keyboard events
CVE-2017- 8380 4.4 CVE-2017-8380 Qemu: scsi: megasas: out-of-bounds read in megasas_mmio_write
CVE-2017- 9310 3.0 CVE-2017-9310 Qemu: net: infinite loop in e1000e NIC emulation
CVE-2017- 9330 3.0 CVE-2017-9330 Qemu: usb: ohci: infinite loop due to incorrect return value
CVE-2017- 9373 3.0 CVE-2017-9373 Qemu: ide: ahci host memory leakage during hotunplug
CVE-2017- 9374 3.0 CVE-2017-9374 Qemu: usb: ehci host memory leakage during hotunplug
CVE-2017- 9375 3.0 CVE-2017-9375 Qemu: usb: xhci infinite recursive call via xhci_kick_ep
CVE-2017- 9524 5.3 CVE-2017-9524 Qemu: nbd: segmentation fault due to client non-negotiation
CVE-2017- 10664 5.3 CVE-2017-10664 Qemu: qemu-nbd: server breaks with SIGPIPE upon client abort
CVE-2017- 10806 4.0 CVE-2017-10806 Qemu: usb-redirect: stack buffer overflow in debug logging
CVE-2017- 10911 3.0 CVE-2017-10911 xsa216 xen: blkif responses leak backend stack data (XSA-216)
CVE-2017- 11334 5.5 CVE-2017-11334 Qemu: exec: oob access during dma operation
CVE-2017- 11434 4.3 CVE-2017-11434 Qemu: slirp: out-of-bounds read while parsing dhcp options
CVE-2017- 12809 3.4 CVE-2017-12809 Qemu: ide: flushing of empty CDROM drives leads to NULL dereference
CVE-2017- 13672 3.0 CVE-2017-13672 Qemu: vga: OOB read access during display update
CVE-2017- 13711 3.4 CVE-2017-13711 Qemu: Slirp: use-after-free when sending response
CVE-2017- 14167 4.9 CVE-2017-14167 Qemu: i386: multiboot OOB access while loading kernel image
r18004 | Bug #46217: qemu_2.8+dfsg-6+deb9u3
Package: qemu
Version: 1:2.8+dfsg-6+deb9u3A~4.2.0.201802081743
Branch: ucs_4.2-0
Scope: errata4.2-3

r18005 | Bug #46217: qemu_2.8+dfsg-6+deb9u3
Package: qemu
Version: 1:2.8+dfsg-6+deb9u3A~4.3.0.201802081754
Branch: ucs_4.3-0

0bd01e20d1 Bug #46217: qemu_1:2.8+dfsg-6+deb9u3A~4.2.0.201802081743
Broken runtime dependencies:
> The following packages have unmet dependencies:
>  qemu-system-sparc : Depends: openbios-sparc (> 1.1+svn1395-1~) but it is not going to be installed

This is already broken since UCS-4.2-0: it contains "qemu-system-sparc 1:2.8+dfsg-3~bpo8+1A~4.2.0.201703271321", which depends on "openbios-sparc (>> 1.1+svn1395-1~)", but we only have "openbios-sparc 1.1+svn1306-2".

"qemu-system-sparc" and "openbios" are both unmaintained, but we should fix it anyway. Therefore I announced openbios as unmaintained:
 /usr/sbin/announce_errata --unmaintained openbios.yaml

a7f8896e09 Bug #46217: openbios 1.1.git20160820-1~bpo8+1
195b0ec637 Bug #46217: openbios 1.1.git20160820-1~bpo8+1
--- mirror/ftp/4.2/unmaintained/4.2-0/source/qemu_2.8+dfsg-3~bpo8+1A~4.2.0.201703271321.dsc +++ apt/ucs_4.2-0-errata4.2-3/source/qemu_2.8+dfsg-6+deb9u3A~4.2.0.201802081743.dsc @@ -1,4 +1,4 @@ -1:2.8+dfsg-3~bpo8+1A~4.2.0.201703271321 [Mon, 27 Mar 2017 13:21:14 +0200] Univention builddaemon <buildd@univention.de>: +1:2.8+dfsg-6+deb9u3A~4.2.0.201802081743 [Thu, 08 Feb 2018 17:43:20 +0100] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 0001-Disable-options-build-dependencies-for-UCS 
@@ -12,9 +12,118 @@ 1006-0007-Bug-38877-fix-qemu-kvm-1.1-piix4_pm-incompatibi 1007-0008-x86-Work-around-SMI-migration-breakages -1:2.8+dfsg-3~bpo8+1 [Mon, 06 Mar 2017 01:04:45 +0300] Michael Tokarev <mjt@tls.msk.ru>: +1:2.8+dfsg-6+deb9u3 [Mon, 02 Oct 2017 16:11:47 +0300] Michael Tokarev <mjt@tls.msk.ru>: - * Rebuild for jessie-backports. + * xhci-dont-kick-in-xhci_submit-and-xhci_fire_ctl_transfer.patch + This is a pre-required patch for the next patch to work right. + Closes: #869945 + * xhci-guard-xhci_kick_epctx-against-recursive-calls-CVE-2017-9375.patch + After applying previous patch, this one can be applied again + Closes: #864219, CVE-2017-9375 + * ide-do-not-flush-empty-CDROM-drives-CVE-2017-12809.patch + Closes: #873849, CVE-2017-12809 + * vga-stop-passing-pointers-to-vga_draw_line-functions-CVE-2017-13672.patch + Closes: #873851, CVE-2017-13672 + * multiboot-validate-multiboot-header-address-values-CVE-2017-14167.patch + Closes: #874606, CVE-2017-14167 + * slirp-fix-clearing-ifq_so-from-pending-packets-CVE-2017-13711.patch + Closes: #873875, CVE-2017-13711 + * exec-add-lock-parameter-to-qemu_ram_ptr_length.patch + upstream patch fixing memory leak after + exec-use-qemu_ram_ptr_length-to-access-guest-ram-CVE-2017-11334.patch + Closes: #871648, #871702, #872257 + +1:2.8+dfsg-6+deb9u2 [Wed, 02 Aug 2017 16:57:34 +0300] Michael Tokarev <mjt@tls.msk.ru>: + + * actually apply the nbd server patches, not only include in debian/patches/ + Really closes: #865755, CVE-2017-9524 + * slirp-check-len-against-dhcp-options-array-end-CVE-2017-11434.patch + Closes: #869171, CVE-2017-11434 + * exec-use-qemu_ram_ptr_length-to-access-guest-ram-CVE-2017-11334.patch + Closes: #869173, CVE-2017-11334 + * usb-redir-fix-stack-overflow-in-usbredir_log_data-CVE-2017-10806.patch + Closes: #867751, CVE-2017-10806 + * add reference to #869706 to + xen-disk-don-t-leak-stack-data-via-response-ring-CVE-2017-10911.patch + * disable xhci recursive calls fix for now, as it causes instant 
crash + (xhci-guard-xhci_kick_epctx-against-recursive-calls-CVE-2017-9375.patch) + Reopens: #864219, CVE-2017-9375 + Closes: #869945 + +1:2.8+dfsg-6+deb9u1 [Wed, 12 Jul 2017 11:05:16 +0300] Michael Tokarev <mjt@tls.msk.ru>: + + * net-e1000e-fix-an-infinite-loop-issue-CVE-2017-9310.patch + Closes: #863840, CVE-2017-9310 + * usb-ohci-fix-error-return-code-in-servicing-iso-td-CVE-2017-9330.patch + Closes: #863943, CVE-2017-9330 + * ide-ahci-call-cleanup-function-in-ahci-unit-CVE-2017-9373.patch + Closes: #864216, CVE-2017-9373 + * xhci-guard-xhci_kick_epctx-against-recursive-calls-CVE-2017-9375.patch + Closes: #864219, CVE-2017-9375 + * usb-ehci-fix-memory-leak-in-ehci-CVE-2017-9374.patch + Closes: #864568, CVE-2017-9374 + * nbd-ignore-SIGPIPE-CVE-2017-10664.patch + Closes: #866674, CVE-2017-10664 + * nbd-fully-initialize-client-in-case-of-failed-negotiation-CVE-2017-9524.patch + nbd-fix-regression-on-resiliency-to-port-scan-CVE-2017-9524.patch + Closes: #865755, CVE-2017-9524 + * xen-disk-don-t-leak-stack-data-via-response-ring-CVE-2017-10911.patch + Closes: CVE-2017-10911 + +1:2.8+dfsg-6 [Tue, 23 May 2017 09:58:03 +0300] Michael Tokarev <mjt@tls.msk.ru>: + + * 9pfs-local-forbid-client-access-to-metadata-CVE-2017-7493.patch + Closes: CVE-2017-7493 + * group all 9p patches together + * drop obsolete comment about libiscsi on ubuntu from d/control + +1:2.8+dfsg-5 [Wed, 17 May 2017 09:01:24 +0300] Michael Tokarev <mjt@tls.msk.ru>: + + * Security fix release + * 9pfs-local-set-path-of-export-root-to-dot-CVE-2017-7471.patch + Closes: #860785, CVE-2017-7471 + * 9pfs-xattr-fix-memory-leak-in-v9fs_list_xattr-CVE-2017-8086.patch + Closes: #861348, CVE-2017-8086 + * vmw_pvscsi-check-message-ring-page-count-at-init-CVE-2017-8112.patch + Closes: #861351, CVE-2017-8112 + * scsi-avoid-an-off-by-one-error-in-megasas_mmio_write-CVE-2017-8380.patch + Closes: #862282, CVE-2017-8380 + * input-limit-kbd-queue-depth-CVE-2017-8379.patch + Closes: #862289, CVE-2017-8379 + * 
audio-release-capture-buffers-CVE-2017-8309.patch + Closes: #862280, CVE-2017-8309 + +1:2.8+dfsg-4 [Mon, 03 Apr 2017 16:28:49 +0300] Michael Tokarev <mjt@tls.msk.ru>: + + * usb-ohci-limit-the-number-of-link-eds-CVE-2017-6505.patch + Closes: #856969, CVE-2017-6505 + * linux-user-fix-apt-get-update-on-linux-user-hppa.patch + Closes: #846084 + * update to 2.8.1 upstream stable/bugfix release + (v2.8.1.diff from upstream, except of seabios blob bits). + Closes: #857744, CVE-2016-9603 + Patches dropped because they're included in 2.8.1 release: + 9pfs-symlink-attack-fixes-CVE-2016-9602.patch + char-fix-ctrl-a-b-not-working.patch + cirrus-add-blit_is_unsafe-to-cirrus_bitblt_cputovideo-CVE-2017-2620.patch + cirrus-fix-oob-access-issue-CVE-2017-2615.patch + cirrus-ignore-source-pitch-as-needed-in-blit_is_unsafe.patch + linux-user-fix-s390x-safe-syscall-for-z900.patch + nbd_client-fix-drop_sync-CVE-2017-2630.patch + s390x-use-qemu-cpu-model-in-user-mode.patch + sd-sdhci-check-data-length-during-dma_memory_read-CVE-2017-5667.patch + virtio-crypto-fix-possible-integer-and-heap-overflow-CVE-2017-5931.patch + vmxnet3-fix-memory-corruption-on-vlan-header-stripping-CVE-2017-6058.patch + * bump seabios dependency to 1.10.2 due to ahci fix in 2.8.1 + * 9pfs-fix-file-descriptor-leak-CVE-2017-7377.patch + (Closes: #859854, CVE-2017-7377) + * dma-rc4030-limit-interval-timer-reload-value-CVE-2016-8667.patch + Closes: #840950, CVE-2016-8667 + * make d/control un-writable to stop users from changing a generated file + * two patches from upstream to fix user-mode network with IPv6 + slirp-make-RA-build-more-flexible.patch + slirp-send-RDNSS-in-RA-only-if-host-has-an-IPv6-DNS.patch + (Closes: #844566) 1:2.8+dfsg-3 [Tue, 28 Feb 2017 11:40:18 +0300] Michael Tokarev <mjt@tls.msk.ru>:
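Review bot: the 1:2.8+dfsg-6+deb9u2 entry shows that a patch named in this changelog is not necessarily in effect in the build, which matters for the CVE list this erratum will claim. In deb9u1 the nbd patches for CVE-2017-9524 were only included in debian/patches/ and not applied ("Really closes: #865755" in deb9u2), and xhci-guard-xhci_kick_epctx-against-recursive-calls-CVE-2017-9375.patch was disabled in deb9u2 ("Reopens: #864219") and only re-enabled in deb9u3 behind xhci-dont-kick-in-xhci_submit-and-xhci_fire_ctl_transfer.patch. Suggest checking debian/patches/series of the rebuilt 1:2.8+dfsg-6+deb9u3A~4.2.0.201802081743 source to confirm that the prerequisite patch, the CVE-2017-9375 patch and both nbd patches are actually listed and applied together with the UCS-specific patches, rather than relying on the changelog text alone.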
* UCS specific patches slightly adjusted to apply new Debian source package (e.g. versioned dependency on updated seabios package shipped in errata4.2-1)
* All UCS specific patches applied during rebuild
* Comparison to previously shipped version ok
* Comparison to version shipped in UCS 4.3-0 ok
* Test Installation of qemu-utils Ok
* Advisory looks Ok
<http://errata.software-univention.de/ucs/4.2/395.html>