From ${URL} :

Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to an out of bounds memory access issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET' command.

A guest user/process could use this flaw to crash the Qemu process instance on a host, resulting in DoS.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2016-12/msg01903.html

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2016/12/20/1

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
I've added it to our 2.8.0 ebuild.
Stabilization will happen as part of bug 601824.
New GLSA request filed.
No ACE/RCE, downgraded to B3.
This issue was resolved and addressed in GLSA 201701-49 at https://security.gentoo.org/glsa/201701-49 by GLSA coordinator Aaron Bauman (b-man).
Re-opened for cleanup.
Vulnerable versions removed, please close.

commit cd0007ee8270ccd2773604782ddcc4b67fa3a103
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Sun Feb 12 22:08:18 2017 -0600

    app-emulation/qemu: drop old versions 2.7.0, 2.7.1

    Package-Manager: Portage-2.3.3, Repoman-2.3.1
All done, repository is clean.