Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 591242 (CVE-2016-6836)

Summary: <app-emulation/qemu-2.7.0: net: vmxnet: Information leakage in vmxnet3_complete_packet (CVE-2016-6836)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: qemu+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [glsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2016-08-14 10:27:06 UTC
From ${URL} :

Quick Emulator(Qemu) built with the VMWARE VMXNET3 NIC device support
is vulnerable to an information leakage issue. It could occur while
processing transmit(tx) queue, when it reaches the end of packet.

A privileged user inside guest could use this leak host memory bytes
to a guest.

Upstream patch:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Matthias Maier gentoo-dev 2016-09-05 05:52:24 UTC
Fix applied to 2.7.0. Stabilization of 2.7.0 in #592430

commit ceb67390ecbe843f184b5bde6428cb9e2f3dcd81
Author: Matthias Maier <>
Date:   Mon Sep 5 00:18:46 2016 -0500

    app-emulation/qemu: apply patch for CVE-2016-6836, bug #591242
    Package-Manager: portage-2.2.28
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2016-09-10 03:35:05 UTC
Added to an existing GLSA Request.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2016-09-26 00:38:07 UTC
This issue was resolved and addressed in
 GLSA 201609-01 at
by GLSA coordinator Yury German (BlueKnight).