From ${URL} :

Quick Emulator (Qemu) built with the Virtio Crypto device emulation support is vulnerable to an integer overflow issue. It could occur while handling data encryption/decryption requests in 'virtio_crypto_handle_sym_req'. A privileged user inside guest could use this flaw to crash the Qemu process resulting in DoS or potentially execute arbitrary code on the host with privileges of the Qemu process.

Upstream patch:
---------------
  -> https://lists.nongnu.org/archive/html/qemu-devel/2017-01/msg01368.html

Reference:
----------
  -> https://bugzilla.redhat.com/show_bug.cgi?id=1420092

This issue was reported by Mr Li Qiang of 360.cn Inc.

git commit: http://git.qemu-project.org/?p=qemu.git;a=commit;h=a08aaff811fb194950f79711d2afe5a892ae03a4

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Stabilization on this bug. Arches, please test and mark stable

=app-emulation/qemu-2.8.0-r1
Target-keywords: "amd64 x86"

commit 69f166f734e87c4d5b025e9f2bbfcfba3d7cddcb
Author: Matthias Maier <tamiko@gentoo.org>
Date: Sun Feb 12 22:50:18 2017 -0600

    app-emulation/qemu: fix various security issues, bug #608728 and others

    This commit applies upstream patches to 2.8.0 for the following CVEs

      CVE-2016-10155  #606720
      CVE-2017-2615   #608034
      CVE-2017-5525   #606264
      CVE-2017-5552   #606722
      CVE-2017-5578   #607000
      CVE-2017-5579   #607100
      CVE-2017-5667   #607766
      CVE-2017-5856   #608036
      CVE-2017-5857   #608038
      CVE-2017-5898   #608520
      CVE-2017-5931   #608728

    Package-Manager: Portage-2.3.3, Repoman-2.3.1
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
commit 639357e1a6012e2f609a6e5956f59addb86fcf53
Author: Matthias Maier <tamiko@gentoo.org>
Date: Tue Feb 14 10:45:26 2017 -0600

    app-emulation/qemu: remove vulnerable, bug #608728

    Package-Manager: Portage-2.3.3, Repoman-2.3.1
New GLSA request filed.
This issue was resolved and addressed in GLSA 201702-28 at https://security.gentoo.org/glsa/201702-28 by GLSA coordinator Thomas Deutschmann (whissi).