Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 598772 (CVE-2016-9106)

Summary: <app-emulation/qemu-2.7.0-r6: 9pfs: memory leakage in v9fs_write
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: qemu+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 598328    

Description Agostino Sarubbo gentoo-dev 2016-11-02 11:06:04 UTC
From ${URL} :

Quick Emulator(Qemu) built with the VirtFS, host directory sharing via Plan 9 
File System(9pfs) support, is vulnerable to a memory leakage issue. It could 
occur when calling v9fs_write call.

A privileged user inside guest could use this flaw to leak the host memory 
bytes resulting in DoS for other services.

Upstream patches:


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Matthias Maier gentoo-dev 2016-11-12 17:33:10 UTC
Arches, please stabilize


Target keywords: "amd64 x86"

commit cad0a6324b5d4a5954893dfd29b5b97ee7a361d3
Author: Matthias Maier <>
Date:   Sat Nov 12 11:26:09 2016 -0600

    app-emulation/qemu: security fixes, bug #598772
        CVE-2016-9102, bug #598328
        CVE-2016-9103, bug #598328
        CVE-2016-9104, bug #598328
        CVE-2016-9105, bug #598328
        CVE-2016-9106, bug #598772
    Package-Manager: portage-2.3.0
Comment 2 Agostino Sarubbo gentoo-dev 2016-11-13 13:08:17 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2016-11-13 13:10:06 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 4 Matthias Maier gentoo-dev 2016-11-13 17:19:58 UTC
Commit e374c1ca4ae657866957ab34d42306ad61b29825
Author: Matthias Maier <>
Date:   Sun Nov 13 11:17:38 2016 -0600

    app-emulation/qemu: drop vulnerable 2.7.0-r5, bug #598772
    Package-Manager: portage-2.3.0
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-11-17 07:01:13 UTC
GLSA Vote: No