| Summary: | <media-libs/virglrenderer-0.6.0: null pointer dereference in vrend_decode_reset | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | qemu+disabled |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1426170 | ||
| Whiteboard: | B3 [glsa cve] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 611382 | ||
| Bug Blocks: | |||
commit 07f72dae992b1dd9a13489da0238edd6bd5f6337 Author: Matthias Maier <tamiko@gentoo.org> Date: Wed May 3 00:55:44 2017 -0500 media-libs/virglrenderer: version bump to 0.6.0 This is a hand-packaged version of upstream commit 737c3350850ca4dbc5633b3bdb4118176ce59920 (version 0.6.0 with two additional security patches) containing fixes for the following security issues: CVE-2016-10163, bug #606996 CVE-2017-5580, bug #607022 CVE-2016-10214, bug #608734 CVE-2017-5957, bug #609400 CVE-2017-5956, bug #609402 CVE-2017-5993, bug #609492 CVE-2017-5994, bug #609494 CVE-2017-6210, bug #610678 CVE-2017-6209, bug #610680 CVE-2017-6386, bug #611378 CVE-2017-6355, bug #611380 CVE-2017-6317, bug #611382 Package-Manager: Portage-2.3.5, Repoman-2.3.2 This issue was resolved and addressed in GLSA 201707-06 at https://security.gentoo.org/glsa/201707-06 by GLSA coordinator Thomas Deutschmann (whissi). |
From ${URL} : Virgil 3d project, used by Quick Emulator(Qemu) to implement 3D GPU support for the virtio GPU, is vulnerable to a null pointer dereference flaw. It could occur when destroying renderer context zero(0) in 'vrend_decode_reset'. A guest user/process could use this flaw to crash the Qemu process instance resulting DoS. Upstream patch: --------------- -> https://cgit.freedesktop.org/virglrenderer/commit/?id=0a5dff15912207b83018485f83e067474e818bab @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.