Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 585368 - app-emulation/qemu: scsi: megasas: information leakage in megasas_ctrl_get_info
Summary: app-emulation/qemu: scsi: megasas: information leakage in megasas_ctrl_get_info
Status: RESOLVED DUPLICATE of bug 584094
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-08 10:12 UTC by Agostino Sarubbo
Modified: 2016-07-01 00:15 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-06-08 10:12:30 UTC
From ${URL} :

Quick Emulator(Qemu) built with the MegaRAID SAS 8708EM2 Host Bus Adapter
emulation support is vulnerable to an information leakage issue. It
could occur while processing MegaRAID Firmware Interface(MFI) command to read
device control information in 'megasas_ctrl_get_info'.

A privileged user inside guest could use this flaw to leak host memory bytes.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2016-06/msg01969.html

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2016/06/08/3


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-07-01 00:15:33 UTC
This same issue was addressed in CVE-2016-5337.

*** This bug has been marked as a duplicate of bug 584094 ***