From ${URL} : Quick emulator(Qemu) built with the BOOTP/DHCP Server support is vulnerable to an OOB read issue. It could occur while parsing the DHCP options and vendor extensions options sent by a client. A user/process could use this flaw to potentially crash the Qemu process on the host resulting in DoS. Upstream patch: --------------- -> https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg05001.html Reference: ---------- -> http://www.openwall.com/lists/oss-security/2017/07/19/2 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
commit e67f10960bca69fdede54d77eb54c4ab72b98d08 Author: Matthias Maier <tamiko@gentoo.org> Date: Wed Jul 26 12:10:46 2017 -0500 app-emulation/qemu: security fixes CVE-2017-11334, bug #621292 CVE-2017-11434, bug #625614 CVE-2017-9503, bug #621184 CVE-2017-9524, bug #621292 Package-Manager: Portage-2.3.6, Repoman-2.3.3
@arches, please stabilize.
An automated check of this bug failed - repoman reported dependency errors (41 lines truncated): > dependency.bad app-emulation/qemu/qemu-2.9.0-r56.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['~sys-firmware/edk2-ovmf-2017_pre20170505[binary]', '~sys-firmware/seabios-1.10.2[binary,seavgabios]', 'sys-firmware/edk2-ovmf', '>=sys-firmware/seabios-1.10.2[seavgabios]'] > dependency.bad app-emulation/qemu/qemu-2.9.0-r56.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['~sys-firmware/edk2-ovmf-2017_pre20170505[binary]', '~sys-firmware/seabios-1.10.2[binary,seavgabios]', 'sys-firmware/edk2-ovmf', '>=sys-firmware/seabios-1.10.2[seavgabios]'] > dependency.bad app-emulation/qemu/qemu-2.9.0-r56.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['~sys-firmware/edk2-ovmf-2017_pre20170505[binary]', '~sys-firmware/seabios-1.10.2[binary,seavgabios]', 'sys-firmware/edk2-ovmf', '>=sys-firmware/seabios-1.10.2[seavgabios]']
Updated package list.
An automated check of this bug succeeded - the previous repoman errors are now resolved.
(In reply to Matthias Maier from comment #4) > Updated package list. thanks.
commit 64084b9d4552b611da76774bedf98f180067f43d (HEAD -> master, origin/master, origin/HEAD) Author: Matthias Maier <tamiko@gentoo.org> Date: Thu Aug 31 20:09:04 2017 -0500 app-emulation/qemu: drop vulnerable 2.9.0-r2, bug #625614 Package-Manager: Portage-2.3.6, Repoman-2.3.3 commit bf14d3508d91a707aa4615c5a2d7940fc94b1f5a Author: Matthias Maier <tamiko@gentoo.org> Date: Thu Aug 31 20:07:37 2017 -0500 app-emulation/qemu: stabilize on amd64, x86, bug #625614 Package-Manager: Portage-2.3.6, Repoman-2.3.3 commit 076cda37021c624dff310d7b26ada9a47e51fe3e Author: Matthias Maier <tamiko@gentoo.org> Date: Thu Aug 31 20:06:08 2017 -0500 sys-firmware/seabios: stabilize on amd64, x86, bug #625614 Package-Manager: Portage-2.3.6, Repoman-2.3.3 commit edfe027b092f6558fa96ff761c91547fd2d5a7a9 Author: Matthias Maier <tamiko@gentoo.org> Date: Thu Aug 31 20:04:00 2017 -0500 sys-firmware/edk2-ovmf: stabilize on amd64, x86, bug #625614 Package-Manager: Portage-2.3.6, Repoman-2.3.3
@Arches please test and mark stable. Gentoo Security Padawan ChrisADR
already stabilized by tamiko. GLSA Vote: No