Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 623016 (CVE-2017-10664)

Summary: <app-emulation/qemu-2.9.0-r56: qemu-nbd: server breaks with SIGPIPE upon client abort
Product: Gentoo Security Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: qemu+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 625614    
Bug Blocks:    

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-06-29 09:45:46 UTC
From $URL:

Quick Emulator(Qemu) built with the Network Block Device(NBD) Server support is vulnerable to a crash via SIGPIPE signal. It could occur if a client aborts connection due to any failure during negotiation.

A remote user/process could use this flaw to crash the qemu-nbd server resulting in DoS.

Upstream patch:

Comment 1 Matthias Maier gentoo-dev 2017-07-26 18:58:39 UTC
commit 606c4d5b81243fb243bd38a21326e60c3318138c (HEAD -> master, origin/master, origin/HEAD)
Author: Matthias Maier <>
Date:   Wed Jul 26 13:53:25 2017 -0500

    app-emulation/qemu: security patches
     CVE-2017-7539,  bug #625850
     CVE-2017-10664, bug #623016
     CVE-2017-10806, bug #624088
    Package-Manager: Portage-2.3.6, Repoman-2.3.3