From ${URL} :

Description
A vulnerability has been reported in Qemu, which can be exploited by malicious, local users in a guest virtual machine to cause a DoS (Denial of Service). The vulnerability is caused due to a use-after-free error when handling hot-unplugging of virtio devices and can be exploited to cause a crash of the Qemu daemon. The vulnerability is reported in versions 1.4.0 through 1.6.0.

Solution: No official solution is currently available.
Provided and/or discovered by: Sibiao Luo, Red Hat
Original Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1012633

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
My plan is to fix this in 1.6.1 and stabilize that along with 1.5.4.
Hola. qemu-1.6.1 has already been released. But I bet you guys are aware of that.
CVE-2013-4377 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4377): Use-after-free vulnerability in the virtio-pci implementation in Qemu 1.4.0 through 1.6.0 allows local users to cause a denial of service (daemon crash) by "hot-unplugging" a virtio device.
This was merged starting with the 1.7.1 release.
This issue was resolved and addressed in GLSA 201408-17 at http://security.gentoo.org/glsa/glsa-201408-17.xml by GLSA coordinator Kristian Fiskerstrand (K_F).