Bug 46217 - qemu: multiple Issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
Other Linux
P5 normal
UCS 4.2-3-errata
Assigned To: Philipp Hahn
Arvid Requate
Depends on: 44084
Blocks: 46119
Reported: 2018-02-05 13:22 CET by Philipp Hahn
Modified: 2018-05-08 14:56 CEST (History)

What kind of report is it?: Security Issue
Max CVSS v3 score: 7.6 (CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)

Description Philipp Hahn univentionstaff 2018-02-05 13:22:09 CET
Last imported version from Debian-Jessie-backports: 2.8+dfsg-3
UCS has a self-built 2.8.1 in errata4.2-0, which is 1:2.8+dfsg-4, which was *never* released, so we are still at 2.8[.0]+dfsg-3 (as Bug #44084 was fixed with only an update of SeaBIOS)

Since then:
qemu (1:2.8+dfsg-6+deb9u3) stretch-security; urgency=high
  * xhci-guard-xhci_kick_epctx-against-recursive-calls-CVE-2017-9375.patch
  * ide-do-not-flush-empty-CDROM-drives-CVE-2017-12809.patch
  * vga-stop-passing-pointers-to-vga_draw_line-functions-CVE-2017-13672.patch
  * multiboot-validate-multiboot-header-address-values-CVE-2017-14167.patch
  * slirp-fix-clearing-ifq_so-from-pending-packets-CVE-2017-13711.patch
qemu (1:2.8+dfsg-6+deb9u2) stretch-security; urgency=high
  * slirp-check-len-against-dhcp-options-array-end-CVE-2017-11434.patch
  * exec-use-qemu_ram_ptr_length-to-access-guest-ram-CVE-2017-11334.patch
  * usb-redir-fix-stack-overflow-in-usbredir_log_data-CVE-2017-10806.patch
qemu (1:2.8+dfsg-6+deb9u1) stretch-security; urgency=high
  * net-e1000e-fix-an-infinite-loop-issue-CVE-2017-9310.patch
  * usb-ohci-fix-error-return-code-in-servicing-iso-td-CVE-2017-9330.patch
  * ide-ahci-call-cleanup-function-in-ahci-unit-CVE-2017-9373.patch
  * usb-ehci-fix-memory-leak-in-ehci-CVE-2017-9374.patch
  * nbd-ignore-SIGPIPE-CVE-2017-10664.patch
  * nbd-fully-initialize-client-in-case-of-failed-negotiation-CVE-2017-9524.patch
    nbd-fix-regression-on-resiliency-to-port-scan-CVE-2017-9524.patch
  * xen-disk-don-t-leak-stack-data-via-response-ring-CVE-2017-10911.patch
qemu (1:2.8+dfsg-6) unstable; urgency=high
  * 9pfs-local-forbid-client-access-to-metadata-CVE-2017-7493.patch
qemu (1:2.8+dfsg-5) unstable; urgency=high
  * 9pfs-local-set-path-of-export-root-to-dot-CVE-2017-7471.patch
  * 9pfs-xattr-fix-memory-leak-in-v9fs_list_xattr-CVE-2017-8086.patch
  * vmw_pvscsi-check-message-ring-page-count-at-init-CVE-2017-8112.patch
  * scsi-avoid-an-off-by-one-error-in-megasas_mmio_write-CVE-2017-8380.patch
  * input-limit-kbd-queue-depth-CVE-2017-8379.patch
  * audio-release-capture-buffers-CVE-2017-8309.patch
qemu (1:2.8+dfsg-4) unstable; urgency=high
  * usb-ohci-limit-the-number-of-link-eds-CVE-2017-6505.patch
  * update to 2.8.1 upstream stable/bugfix release (CVE-2016-9603)
    (v2.8.1.diff from upstream, except of seabios blob bits).    
  * 9pfs-fix-file-descriptor-leak-CVE-2017-7377.patch
  * dma-rc4030-limit-interval-timer-reload-value-CVE-2016-8667.patch

$ ./tracker.py CVE-2017-9375 CVE-2017-12809 CVE-2017-13672 CVE-2017-14167 CVE-2017-13711 CVE-2017-11434 CVE-2017-11334 CVE-2017-10806 CVE-2017-9310 CVE-2017-9330 CVE-2017-9373 CVE-2017-9374 CVE-2017-10664 CVE-2017-9524 CVE-2017-9524 CVE-2017-10911 CVE-2017-7493 CVE-2017-7471 CVE-2017-8086 CVE-2017-8112 CVE-2017-8380 CVE-2017-8379 CVE-2017-8309 CVE-2017-6505 CVE-2016-9603 CVE-2017-7377 CVE-2016-8667
CVE-2016-   8667        3.0     CVE-2016-8667 Qemu: hw: dma: divide by zero error in set_next_tick
CVE-2016-   9603        5.5     CVE-2016-9603 Qemu: cirrus: heap buffer overflow via vnc connection
CVE-2017-   6505        3.0     CVE-2017-6505 Qemu: usb: an infinite loop issue in ohci_service_ed_list
CVE-2017-   7377        3.0     CVE-2017-7377 Qemu: 9pfs: host memory leakage via v9fs_create
CVE-2017-   7471        7.6     CVE-2017-7471 Qemu: 9p: virtfs allows guest to change filesystem attributes on host
CVE-2017-   7493        7.1     CVE-2017-7493 Qemu: 9pfs: guest privilege escalation in virtfs mapped-file mode
CVE-2017-   8086        3.0     CVE-2017-8086 Qemu: 9pfs: host memory leakage via v9pfs_list_xattr
CVE-2017-   8112        3.0     CVE-2017-8112 Qemu: scsi: vmw_pvscsi: infinite loop in pvscsi_log2
CVE-2017-   8309        3.0     CVE-2017-8309 Qemu: audio: host memory leakage via capture buffer
CVE-2017-   8379        3.0     CVE-2017-8379 Qemu: input: host memory lekage via keyboard events
CVE-2017-   8380        4.4     CVE-2017-8380 Qemu: scsi: megasas: out-of-bounds read in megasas_mmio_write
CVE-2017-   9310        3.0     CVE-2017-9310 Qemu: net: infinite loop in e1000e NIC emulation
CVE-2017-   9330        3.0     CVE-2017-9330 Qemu: usb: ohci: infinite loop due to incorrect return value
CVE-2017-   9373        3.0     CVE-2017-9373 Qemu: ide: ahci host memory leakage during hotunplug
CVE-2017-   9374        3.0     CVE-2017-9374 Qemu: usb: ehci host memory leakage during hotunplug
CVE-2017-   9375        3.0     CVE-2017-9375 Qemu: usb: xhci infinite recursive call via xhci_kick_ep
CVE-2017-   9524        5.3     CVE-2017-9524 Qemu: nbd: segmentation fault due to client non-negotiation
CVE-2017-  10664        5.3     CVE-2017-10664 Qemu: qemu-nbd: server breaks with SIGPIPE upon client abort
CVE-2017-  10806        4.0     CVE-2017-10806 Qemu: usb-redirect: stack buffer overflow in debug logging
CVE-2017-  10911        3.0     CVE-2017-10911 xsa216 xen: blkif responses leak backend stack data (XSA-216)
CVE-2017-  11334        5.5     CVE-2017-11334 Qemu: exec: oob access during dma operation
CVE-2017-  11434        4.3     CVE-2017-11434 Qemu: slirp: out-of-bounds read while parsing dhcp options
CVE-2017-  12809        3.4     CVE-2017-12809 Qemu: ide: flushing of empty CDROM drives leads to NULL dereference
CVE-2017-  13672        3.0     CVE-2017-13672 Qemu: vga: OOB read access during display update
CVE-2017-  13711        3.4     CVE-2017-13711 Qemu: Slirp: use-after-free when sending response
CVE-2017-  14167        4.9     CVE-2017-14167 Qemu: i386: multiboot OOB access while loading kernel image
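Added example, not code from the bug or from the qemu/UCS packaging: a small Python helper that does what the description does by hand, collecting the CVE ids from the debian/changelog stanzas newer than the version UCS currently ships, so that the list handed to tracker.py can be checked for omissions. The changelog excerpt is constructed from the entries quoted above and is not the full file.

```python
import re
from collections import OrderedDict

# Constructed excerpt in debian/changelog style (not the real file): a few of the
# stanzas quoted in the bug, newest first, down to the version UCS ships (dfsg-3).
CHANGELOG = """\
qemu (1:2.8+dfsg-6+deb9u2) stretch-security; urgency=high

  * slirp-check-len-against-dhcp-options-array-end-CVE-2017-11434.patch
    Closes: #869171, CVE-2017-11434
  * actually apply the nbd server patches, not only include in debian/patches/
    Really closes: #865755, CVE-2017-9524

qemu (1:2.8+dfsg-4) unstable; urgency=high

  * update to 2.8.1 upstream stable/bugfix release
    Closes: #857744, CVE-2016-9603
    Patches dropped because they're included in 2.8.1 release:
     cirrus-fix-oob-access-issue-CVE-2017-2615.patch
  * nbd-fully-initialize-client-in-case-of-failed-negotiation-CVE-2017-9524.patch

qemu (1:2.8+dfsg-3) unstable; urgency=medium

  * Rebuild for jessie-backports.
"""

# A stanza header is "<source> (<version>) <dist>; ..." at column 0; item lines are indented.
STANZA_RE = re.compile(r"^(\S+) \(([^)]+)\) ", re.M)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def cves_since(changelog, base_version):
    """Map each version newer than base_version to the CVE ids its stanza mentions.

    Stanzas are ordered newest-first, so parsing stops at the first stanza whose
    version string equals base_version; no dpkg version comparison is needed.
    Returns (per_version, all_cves), both sorted/deduplicated.
    """
    heads = list(STANZA_RE.finditer(changelog))
    per_version = OrderedDict()
    for i, head in enumerate(heads):
        version = head.group(2)
        if version == base_version:
            break
        end = heads[i + 1].start() if i + 1 < len(heads) else len(changelog)
        per_version[version] = sorted(set(CVE_RE.findall(changelog[head.end():end])))
    all_cves = sorted({cve for cves in per_version.values() for cve in cves})
    return per_version, all_cves


def missing_from_query(changelog, base_version, queried):
    """CVE ids fixed since base_version that a tracker query did not ask about.

    Duplicates in the query (the description lists CVE-2017-9524 twice) are harmless;
    ids that only appear under "Patches dropped because ... included in 2.8.1" are
    exactly the ones a by-hand list tends to miss.
    """
    _, all_cves = cves_since(changelog, base_version)
    return sorted(set(all_cves) - set(queried))
```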
Comment 1 Philipp Hahn univentionstaff 2018-02-08 22:22:22 CET
r18004 | Bug #46217: qemu_2.8+dfsg-6+deb9u3

Package: qemu
Version: 1:2.8+dfsg-6+deb9u3A~4.2.0.201802081743
Branch: ucs_4.2-0
Scope: errata4.2-3

r18005 | Bug #46217: qemu_2.8+dfsg-6+deb9u3

Package: qemu
Version: 1:2.8+dfsg-6+deb9u3A~4.3.0.201802081754
Branch: ucs_4.3-0

0bd01e20d1 Bug #46217: qemu_1:2.8+dfsg-6+deb9u3A~4.2.0.201802081743
Comment 2 Philipp Hahn univentionstaff 2018-02-27 16:02:53 CET
Broken runtime dependencies:
>  The following packages have unmet dependencies:
>   qemu-system-sparc : Depends: openbios-sparc (> 1.1+svn1395-1~) but it is not going to be installed

This is already broken since UCS-4.2-0:
 it contains "qemu-system-sparc 1:2.8+dfsg-3~bpo8+1A~4.2.0.201703271321",
 which depends on "openbios-sparc (>> 1.1+svn1395-1~)",
 but we only have "openbios-sparc 1.1+svn1306-2".
"qemu-system-sparc" and "openbios" are both unmaintained, but we should fix it anyway. Therefore I announced openbios as unmaintained:
 /usr/sbin/announce_errata --unmaintained openbios.yaml

a7f8896e09 Bug #46217: openbios 1.1.git20160820-1~bpo8+1
195b0ec637 Bug #46217: openbios 1.1.git20160820-1~bpo8+1
Comment 3 Quality Assurance univentionstaff 2018-05-04 16:55:31 CEST
--- mirror/ftp/4.2/unmaintained/4.2-0/source/qemu_2.8+dfsg-3~bpo8+1A~4.2.0.201703271321.dsc
+++ apt/ucs_4.2-0-errata4.2-3/source/qemu_2.8+dfsg-6+deb9u3A~4.2.0.201802081743.dsc
@@ -1,4 +1,4 @@
-1:2.8+dfsg-3~bpo8+1A~4.2.0.201703271321 [Mon, 27 Mar 2017 13:21:14 +0200] Univention builddaemon <buildd@univention.de>:
+1:2.8+dfsg-6+deb9u3A~4.2.0.201802081743 [Thu, 08 Feb 2018 17:43:20 +0100] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     0001-Disable-options-build-dependencies-for-UCS
@@ -12,9 +12,118 @@
     1006-0007-Bug-38877-fix-qemu-kvm-1.1-piix4_pm-incompatibi
     1007-0008-x86-Work-around-SMI-migration-breakages
 
-1:2.8+dfsg-3~bpo8+1 [Mon, 06 Mar 2017 01:04:45 +0300] Michael Tokarev <mjt@tls.msk.ru>:
+1:2.8+dfsg-6+deb9u3 [Mon, 02 Oct 2017 16:11:47 +0300] Michael Tokarev <mjt@tls.msk.ru>:
 
-  * Rebuild for jessie-backports.
+  * xhci-dont-kick-in-xhci_submit-and-xhci_fire_ctl_transfer.patch
+    This is a pre-required patch for the next patch to work right.
+    Closes: #869945
+  * xhci-guard-xhci_kick_epctx-against-recursive-calls-CVE-2017-9375.patch
+    After applying previous patch, this one can be applied again
+    Closes: #864219, CVE-2017-9375
+  * ide-do-not-flush-empty-CDROM-drives-CVE-2017-12809.patch
+    Closes: #873849, CVE-2017-12809
+  * vga-stop-passing-pointers-to-vga_draw_line-functions-CVE-2017-13672.patch
+    Closes: #873851, CVE-2017-13672
+  * multiboot-validate-multiboot-header-address-values-CVE-2017-14167.patch
+    Closes: #874606, CVE-2017-14167
+  * slirp-fix-clearing-ifq_so-from-pending-packets-CVE-2017-13711.patch
+    Closes: #873875, CVE-2017-13711
+  * exec-add-lock-parameter-to-qemu_ram_ptr_length.patch
+    upstream patch fixing memory leak after
+    exec-use-qemu_ram_ptr_length-to-access-guest-ram-CVE-2017-11334.patch
+    Closes: #871648, #871702, #872257
+
+1:2.8+dfsg-6+deb9u2 [Wed, 02 Aug 2017 16:57:34 +0300] Michael Tokarev <mjt@tls.msk.ru>:
+
+  * actually apply the nbd server patches, not only include in debian/patches/
+    Really closes: #865755, CVE-2017-9524
+  * slirp-check-len-against-dhcp-options-array-end-CVE-2017-11434.patch
+    Closes: #869171, CVE-2017-11434
+  * exec-use-qemu_ram_ptr_length-to-access-guest-ram-CVE-2017-11334.patch
+    Closes: #869173, CVE-2017-11334
+  * usb-redir-fix-stack-overflow-in-usbredir_log_data-CVE-2017-10806.patch
+    Closes: #867751, CVE-2017-10806
+  * add reference to #869706 to
+    xen-disk-don-t-leak-stack-data-via-response-ring-CVE-2017-10911.patch
+  * disable xhci recursive calls fix for now, as it causes instant crash
+    (xhci-guard-xhci_kick_epctx-against-recursive-calls-CVE-2017-9375.patch)
+    Reopens: #864219, CVE-2017-9375
+    Closes: #869945
+
+1:2.8+dfsg-6+deb9u1 [Wed, 12 Jul 2017 11:05:16 +0300] Michael Tokarev <mjt@tls.msk.ru>:
+
+  * net-e1000e-fix-an-infinite-loop-issue-CVE-2017-9310.patch
+    Closes: #863840, CVE-2017-9310
+  * usb-ohci-fix-error-return-code-in-servicing-iso-td-CVE-2017-9330.patch
+    Closes: #863943, CVE-2017-9330
+  * ide-ahci-call-cleanup-function-in-ahci-unit-CVE-2017-9373.patch
+    Closes: #864216, CVE-2017-9373
+  * xhci-guard-xhci_kick_epctx-against-recursive-calls-CVE-2017-9375.patch
+    Closes: #864219, CVE-2017-9375
+  * usb-ehci-fix-memory-leak-in-ehci-CVE-2017-9374.patch
+    Closes: #864568, CVE-2017-9374
+  * nbd-ignore-SIGPIPE-CVE-2017-10664.patch
+    Closes: #866674, CVE-2017-10664
+  * nbd-fully-initialize-client-in-case-of-failed-negotiation-CVE-2017-9524.patch
+    nbd-fix-regression-on-resiliency-to-port-scan-CVE-2017-9524.patch
+    Closes: #865755, CVE-2017-9524
+  * xen-disk-don-t-leak-stack-data-via-response-ring-CVE-2017-10911.patch
+    Closes: CVE-2017-10911
+
+1:2.8+dfsg-6 [Tue, 23 May 2017 09:58:03 +0300] Michael Tokarev <mjt@tls.msk.ru>:
+
+  * 9pfs-local-forbid-client-access-to-metadata-CVE-2017-7493.patch
+    Closes: CVE-2017-7493
+  * group all 9p patches together
+  * drop obsolete comment about libiscsi on ubuntu from d/control
+
+1:2.8+dfsg-5 [Wed, 17 May 2017 09:01:24 +0300] Michael Tokarev <mjt@tls.msk.ru>:
+
+  * Security fix release
+  * 9pfs-local-set-path-of-export-root-to-dot-CVE-2017-7471.patch
+    Closes: #860785, CVE-2017-7471
+  * 9pfs-xattr-fix-memory-leak-in-v9fs_list_xattr-CVE-2017-8086.patch
+    Closes: #861348, CVE-2017-8086
+  * vmw_pvscsi-check-message-ring-page-count-at-init-CVE-2017-8112.patch
+    Closes: #861351, CVE-2017-8112
+  * scsi-avoid-an-off-by-one-error-in-megasas_mmio_write-CVE-2017-8380.patch
+    Closes: #862282, CVE-2017-8380
+  * input-limit-kbd-queue-depth-CVE-2017-8379.patch
+    Closes: #862289, CVE-2017-8379
+  * audio-release-capture-buffers-CVE-2017-8309.patch
+    Closes: #862280, CVE-2017-8309
+
+1:2.8+dfsg-4 [Mon, 03 Apr 2017 16:28:49 +0300] Michael Tokarev <mjt@tls.msk.ru>:
+
+  * usb-ohci-limit-the-number-of-link-eds-CVE-2017-6505.patch
+    Closes: #856969, CVE-2017-6505
+  * linux-user-fix-apt-get-update-on-linux-user-hppa.patch
+    Closes: #846084
+  * update to 2.8.1 upstream stable/bugfix release
+    (v2.8.1.diff from upstream, except of seabios blob bits).
+    Closes: #857744, CVE-2016-9603
+    Patches dropped because they're included in 2.8.1 release:
+     9pfs-symlink-attack-fixes-CVE-2016-9602.patch
+     char-fix-ctrl-a-b-not-working.patch
+     cirrus-add-blit_is_unsafe-to-cirrus_bitblt_cputovideo-CVE-2017-2620.patch
+     cirrus-fix-oob-access-issue-CVE-2017-2615.patch
+     cirrus-ignore-source-pitch-as-needed-in-blit_is_unsafe.patch
+     linux-user-fix-s390x-safe-syscall-for-z900.patch
+     nbd_client-fix-drop_sync-CVE-2017-2630.patch
+     s390x-use-qemu-cpu-model-in-user-mode.patch
+     sd-sdhci-check-data-length-during-dma_memory_read-CVE-2017-5667.patch
+     virtio-crypto-fix-possible-integer-and-heap-overflow-CVE-2017-5931.patch
+     vmxnet3-fix-memory-corruption-on-vlan-header-stripping-CVE-2017-6058.patch
+  * bump seabios dependency to 1.10.2 due to ahci fix in 2.8.1
+  * 9pfs-fix-file-descriptor-leak-CVE-2017-7377.patch
+    (Closes: #859854, CVE-2017-7377)
+  * dma-rc4030-limit-interval-timer-reload-value-CVE-2016-8667.patch
+    Closes: #840950, CVE-2016-8667
+  * make d/control un-writable to stop users from changing a generated file
+  * two patches from upstream to fix user-mode network with IPv6
+    slirp-make-RA-build-more-flexible.patch
+    slirp-send-RDNSS-in-RA-only-if-host-has-an-IPv6-DNS.patch
+    (Closes: #844566)
 
 1:2.8+dfsg-3 [Tue, 28 Feb 2017 11:40:18 +0300] Michael Tokarev <mjt@tls.msk.ru>:
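Review bot: the 1:2.8+dfsg-4 entry in this hunk lists patches dropped because 2.8.1 already contains them, namely CVE-2016-9602, CVE-2017-2620, CVE-2017-2615, CVE-2017-2630, CVE-2017-5667, CVE-2017-5931 and CVE-2017-6058; since the previously shipped package was still at 2.8+dfsg-3 (2.8.0), these are fixed by this update too, but none of them appear in the tracker.py query in the description, so check that the advisory lists them. The same hunk also shows that deb9u2 disabled xhci-guard-xhci_kick_epctx-against-recursive-calls-CVE-2017-9375.patch ("Reopens: #864219") and deb9u3 re-applies it only on top of xhci-dont-kick-in-xhci_submit-and-xhci_fire_ctl_transfer.patch; the QA comparison should confirm both patches are in the applied series of the rebuilt package, not just present in debian/patches/.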
Comment 4 Arvid Requate univentionstaff 2018-05-07 11:59:55 CEST
* UCS specific patches slightly adjusted to apply to the new Debian source package
  (e.g. versioned dependency on updated seabios package shipped in errata4.2-1)
* All UCS specific patches applied during rebuild
* Comparison to previously shipped version ok
* Comparison to version shipped in UCS 4.3-0 ok
* Test Installation of qemu-utils Ok
* Advisory looks Ok
Comment 5 Arvid Requate univentionstaff 2018-05-08 14:56:59 CEST
<http://errata.software-univention.de/ucs/4.2/395.html>