Bug 611382 (CVE-2017-6317)

Summary:	<media-libs/virglrenderer-0.6.0: memory leak in add_shader_program()
Product:	Gentoo Security	Reporter:	Agostino Sarubbo <ago>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	qemu+disabled
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://bugzilla.redhat.com/show_bug.cgi?id=1426756
Whiteboard:	B3 [glsa cve]
Package list:	media-libs/virglrenderer-0.6.0	Runtime testing required:	---
Bug Depends on:
Bug Blocks:	606996, 607022, 608734, 609400, 609402, 609492, 609494, 610678, 610680, 611378, 611380

Description Agostino Sarubbo gentoo-dev

2017-03-02 08:56:04 UTC

From ${URL} :

Virgil 3d project, used by Quick Emulator(Qemu) to implement 3D GPU support
for the virtio GPU, is vulnerable to a memory leakageissue. It could occur
while in add_shader_program().

A guest user/process could use this flaw to leak host memory resulting in DoS.

Upstream patch:
---------------
  -> https://cgit.freedesktop.org/virglrenderer/commit/?id=a2f12a1b0f95b13b6f8dc3d05d7b74b4386394e4

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2017/02/24/5


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Matthias Maier gentoo-dev

2017-05-03 06:05:12 UTC

commit 07f72dae992b1dd9a13489da0238edd6bd5f6337
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Wed May 3 00:55:44 2017 -0500

    media-libs/virglrenderer: version bump to 0.6.0
    
    This is a hand-packaged version of upstream commit
    
      737c3350850ca4dbc5633b3bdb4118176ce59920
    
    (version 0.6.0 with two additional security patches)
    containing fixes for the following security issues:
    
    CVE-2016-10163, bug #606996
    CVE-2017-5580,  bug #607022
    CVE-2016-10214, bug #608734
    CVE-2017-5957,  bug #609400
    CVE-2017-5956,  bug #609402
    CVE-2017-5993,  bug #609492
    CVE-2017-5994,  bug #609494
    CVE-2017-6210,  bug #610678
    CVE-2017-6209,  bug #610680
    CVE-2017-6386,  bug #611378
    CVE-2017-6355,  bug #611380
    CVE-2017-6317,  bug #611382
    
    Package-Manager: Portage-2.3.5, Repoman-2.3.2

Comment 2 Matthias Maier gentoo-dev

2017-05-03 06:26:06 UTC

Arches, please stabilize
  =media-libs/virglrenderer-0.6.0

Target-keywords: "amd64 x86"

Comment 3 Agostino Sarubbo gentoo-dev

2017-05-03 08:19:25 UTC

amd64 stable

Comment 4 Agostino Sarubbo gentoo-dev

2017-05-04 15:55:46 UTC

x86 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 5 Yury German Gentoo Infrastructure

2017-05-05 00:13:25 UTC

Arches and Maintainer(s), Thank you for your work.

Maintainer(s), please drop the vulnerable version(s).

Comment 6 Matthias Maier gentoo-dev

2017-05-05 01:09:08 UTC

commit 52fcce66174f326a1b1647b443f89dc7db39303c
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Thu May 4 20:06:58 2017 -0500

    media-libs/virglrenderer: drop vulnerable, bug #611382
    
    Package-Manager: Portage-2.3.5, Repoman-2.3.2

Comment 7 GLSAMaker/CVETool Bot gentoo-dev

2017-07-08 12:38:22 UTC

This issue was resolved and addressed in
 GLSA 201707-06 at https://security.gentoo.org/glsa/201707-06
by GLSA coordinator Thomas Deutschmann (whissi).