629350 – (CVE-2017-13711) <app-emulation/qemu-2.10.0: Slirp: use-after-free when sending response

Bug 629350 (CVE-2017-13711) - <app-emulation/qemu-2.10.0: Slirp: use-after-free when sending response

Summary: <app-emulation/qemu-2.10.0: Slirp: use-after-free when sending response

Status:	RESOLVED FIXED

Alias:	CVE-2017-13711

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://bugzilla.redhat.com/show_bug....
Whiteboard:	B3 [noglsa cve]
Keywords:

Depends on:
Blocks:	CVE-2017-12809 CVE-2017-13673
	Show dependency tree

Reported:	2017-08-30 07:54 UTC by Agostino Sarubbo
Modified:	2017-11-12 21:45 UTC (History)
CC List:	1 user (show)

See Also:
Package list:	=app-emulation/qemu-2.10.0
Runtime testing required:	Yes

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2017-08-30 07:54:15 UTC

From ${URL} :

Quick emulator(Qemu) built with the Slirp networking support is vulnerable
to an use-after-free issue. It occurs due to Socket referenced from multiple
packets is freed while responding to a message.

A user/process could use this flaw to crash the Qemu process on the host
resulting in DoS.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg05201.html

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2017/08/29/6


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Matthias Maier gentoo-dev

2017-09-01 02:03:30 UTC

Upstream patch applied to 2.10.0 version bump

commit ecbdc929ac2d3b34812aa3b3ac07054198a0547c
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Thu Aug 31 20:31:14 2017 -0500

    app-emulation/qemu: version bump to 2.10.0, bug #629350
    
    This version bump also addresses a number of security issues
      CVE-2017-12809, bug #628498
      CVE-2017-13673, bug #629316
      CVE-2017-13711, bug #629350
    
    Package-Manager: Portage-2.3.6, Repoman-2.3.3

Comment 2 Matthias Maier gentoo-dev

2017-09-01 14:19:15 UTC

Let's stabilize in a couple of days, not immediately.

Comment 3 Matthias Maier gentoo-dev

2017-09-07 16:02:19 UTC

Arches, please stabilize app-emulation/qemu-2.10.0

Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-09-09 19:40:18 UTC

amd64 tested, ok

Comment 5 Agostino Sarubbo gentoo-dev

2017-09-20 09:59:43 UTC

amd64 stable

Comment 6 manwe 2017-09-20 22:32:20 UTC

Qemu 2.10 breaks Windows guests. Broke mine Win10. Thread on qemu-devel: https://lists.gnu.org/archive/html/qemu-devel/2017-09/msg01695.html

Comment 7 manwe 2017-09-20 22:32:33 UTC

Qemu 2.10 breaks Windows guests. Broke mine Win10. Thread on qemu-devel: https://lists.gnu.org/archive/html/qemu-devel/2017-09/msg01695.html

Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev

2017-09-23 14:18:36 UTC

x86 stable


@ Maintainer(s): Please cleanup and drop <app-emulation/qemu-2.10.0!

Comment 9 Larry the Git Cow gentoo-dev

2017-11-12 19:44:14 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d18e62cc49c851c9d5cd857913318f8c90488f50

commit d18e62cc49c851c9d5cd857913318f8c90488f50
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2017-11-12 19:42:32 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2017-11-12 19:43:52 +0000

    app-emulation/qemu: drop vulnerable, bug #629350
    
    Bug: https://bugs.gentoo.org/629350
    Package-Manager: Portage-2.3.8, Repoman-2.3.4

 app-emulation/qemu/Manifest              |   1 -
 app-emulation/qemu/qemu-2.9.0-r56.ebuild | 793 ------------------------------
 app-emulation/qemu/qemu-2.9.0-r57.ebuild | 796 -------------------------------
 3 files changed, 1590 deletions(-)}

Comment 10 Matthias Maier gentoo-dev

2017-11-12 19:44:50 UTC

Security, please vote on glsa.

Comment 11 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-11-12 21:44:51 UTC

(In reply to Matthias Maier from comment #10)
> Security, please vote on glsa.

Thank you tamiko. Closing as fixed

GLSA Vote: No