Summary: | <app-emulation/qemu-2.2.1-r2: vnc network decoding lacks checks (CVE-2015-1779) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | cardoe, qemu+disabled |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B3 [glsa cve] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2015-03-24 13:18:54 UTC
the IDE change has been merged, but not the VNC one. probably going to just wait for that to be sorted out first. (In reply to SpanKY from comment #1) > the IDE change has been merged, but not the VNC one. probably going to just > wait for that to be sorted out first. that's fine. from http://www.openwall.com/lists/oss-security/2015/04/09/6 : Upstream patches: http://git.qemu.org/?p=qemu.git;a=commit;h=a2bebfd6e09d http://git.qemu.org/?p=qemu.git;a=commit;h=2cdb5e142fb93 Please note that the first patch committed to QEMU project git is slightly different than the initial submission as it includes fix for a regression caused by the original patch. the ide prdt fix is already in qemu-2.2.0, and that's already in stable this bug is now just for the vnc issue Commit message: Add fixes from upstream for CVE-2015-1779 http://sources.gentoo.org/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-1.patch?rev=1.1 http://sources.gentoo.org/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-2.patch?rev=1.1 http://sources.gentoo.org/app-emulation/qemu/qemu-2.2.1-r1.ebuild?rev=1.1 + 14 May 2015; Agostino Sarubbo <ago@gentoo.org> + -files/qemu-2.1.1-readlink-self.patch, + -files/qemu-2.1.2-vnc-sanitize-bits.patch, -qemu-2.1.2-r2.ebuild, + -qemu-2.1.3-r1.ebuild, -qemu-2.1.3.ebuild, -qemu-2.2.0.ebuild, + -qemu-2.2.1-r1.ebuild, -qemu-2.2.1.ebuild, -qemu-2.3.0.ebuild, + qemu-2.2.1-r2.ebuild: + Stable for amd64/x86 - remove old. Security please vote. GLSA Vote: Yes Vote: NO. Arches and Maintainer(s), Thank you for your work. Added to an existing GLSA Request. This issue was resolved and addressed in GLSA 201602-01 at https://security.gentoo.org/glsa/201602-01 by GLSA coordinator Kristian Fiskerstrand (K_F). |