Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 567868 (CVE-2015-8567) - <app-emulation/qemu-2.5.0-r1: net: vmxnet3: host memory leakage (CVE-2015-{8567,8568})
Summary: <app-emulation/qemu-2.5.0-r1: net: vmxnet3: host memory leakage (CVE-2015-{85...
Alias: CVE-2015-8567
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa cve]
: 568330 (view as bug list)
Depends on:
Reported: 2015-12-09 16:46 UTC by Agostino Sarubbo
Modified: 2016-04-02 17:50 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-12-09 16:46:19 UTC
From ${URL} :

Qemu emulator built with a VMWARE VMXNET3 paravirtual NIC emulator support is
vulnerable to a memory leakage flaw. It occurs when a guest repeatedly tries
to activate the vmxnet3 device.

A privileged guest user could use this flaw to leak host memory, resulting
in DoS on the host.

Upstream patch:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-12-15 14:06:23 UTC
*** Bug 568330 has been marked as a duplicate of this bug. ***
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-12-15 14:07:33 UTC
Updated link to upstream patch:
Comment 3 SpanKY gentoo-dev 2015-12-15 15:23:26 UTC
i don't generally bother pulling in patches anymore until they've been merged into upstream git
Comment 4 SpanKY gentoo-dev 2016-01-18 05:00:25 UTC
fix is in qemu-2.5.0-r1 in the tree now
Comment 5 Agostino Sarubbo gentoo-dev 2016-01-26 15:03:10 UTC
The stabilization happened in bug 571566
Comment 6 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-01-26 19:05:50 UTC
Added to existing GLSA draft
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2016-02-04 09:34:37 UTC
This issue was resolved and addressed in
 GLSA 201602-01 at
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2016-02-14 18:08:57 UTC
Re-Opening for cleanup. 

Maintainers, the GLSA has been released please clean up the Vulnerable versions.
Comment 9 Doug Goldstein (RETIRED) gentoo-dev 2016-02-15 15:29:09 UTC
Thanks for the report. Fixed in