| Summary: | <media-libs/virglrenderer-0.6.0: OOB access while parsing instruction | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | boothf, qemu+disabled |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1415986 | ||
| Whiteboard: | B3 [glsa cve] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 611382 | ||
| Bug Blocks: | |||
*** Bug 607174 has been marked as a duplicate of this bug. *** commit 07f72dae992b1dd9a13489da0238edd6bd5f6337 Author: Matthias Maier <tamiko@gentoo.org> Date: Wed May 3 00:55:44 2017 -0500 media-libs/virglrenderer: version bump to 0.6.0 This is a hand-packaged version of upstream commit 737c3350850ca4dbc5633b3bdb4118176ce59920 (version 0.6.0 with two additional security patches) containing fixes for the following security issues: CVE-2016-10163, bug #606996 CVE-2017-5580, bug #607022 CVE-2016-10214, bug #608734 CVE-2017-5957, bug #609400 CVE-2017-5956, bug #609402 CVE-2017-5993, bug #609492 CVE-2017-5994, bug #609494 CVE-2017-6210, bug #610678 CVE-2017-6209, bug #610680 CVE-2017-6386, bug #611378 CVE-2017-6355, bug #611380 CVE-2017-6317, bug #611382 Package-Manager: Portage-2.3.5, Repoman-2.3.2 This issue was resolved and addressed in GLSA 201707-06 at https://security.gentoo.org/glsa/201707-06 by GLSA coordinator Thomas Deutschmann (whissi). |
From ${URL} : Virgil 3d project, used by Quick Emulator(Qemu) to implement 3D GPU support for the virtio GPU, is vulnerable to an OOB array access issue. It could occur when parsing texture instructions in parse_instruction(). A guest user/process could use this flaw to crash the Qemu process instance resulting DoS. Upstream patch: --------------- -> https://lists.freedesktop.org/archives/virglrenderer-devel/2017-January/000105.html @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.