Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 608734 (CVE-2016-10214) - <media-libs/virglrenderer-0.6.0: host memory leak issue in virgl_resource_attach_backing
Summary: <media-libs/virglrenderer-0.6.0: host memory leak issue in virgl_resource_att...
Status: RESOLVED FIXED
Alias: CVE-2016-10214
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [glsa cve]
Keywords:
Depends on: CVE-2017-6317
Blocks:
  Show dependency tree
 
Reported: 2017-02-09 11:04 UTC by Agostino Sarubbo
Modified: 2017-07-08 12:37 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-02-09 11:04:50 UTC
From ${URL} :

Virgil 3d project, used by Quick Emulator(Qemu) to implement 3D GPU support 
for the virtio GPU, is vulnerable to memory leakage issue. It could occur when 
a guest invokes a 'VIRTIO_GPU_CMD_RESOURCE_ATTACH_BACKING' command.

A guest user/process could use this flaw to leak host memory leading to DoS.

Upstream patch:
---------------
   -> https://cgit.freedesktop.org/virglrenderer/commit/?id=40b0e7813325b08077b6f541b3989edb2d86d837

Reference:
----------
   -> https://bugzilla.redhat.com/show_bug.cgi?id=1420266


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Matthias Maier gentoo-dev 2017-05-03 06:13:47 UTC
commit 07f72dae992b1dd9a13489da0238edd6bd5f6337
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Wed May 3 00:55:44 2017 -0500

    media-libs/virglrenderer: version bump to 0.6.0
    
    This is a hand-packaged version of upstream commit
    
      737c3350850ca4dbc5633b3bdb4118176ce59920
    
    (version 0.6.0 with two additional security patches)
    containing fixes for the following security issues:
    
    CVE-2016-10163, bug #606996
    CVE-2017-5580,  bug #607022
    CVE-2016-10214, bug #608734
    CVE-2017-5957,  bug #609400
    CVE-2017-5956,  bug #609402
    CVE-2017-5993,  bug #609492
    CVE-2017-5994,  bug #609494
    CVE-2017-6210,  bug #610678
    CVE-2017-6209,  bug #610680
    CVE-2017-6386,  bug #611378
    CVE-2017-6355,  bug #611380
    CVE-2017-6317,  bug #611382
    
    Package-Manager: Portage-2.3.5, Repoman-2.3.2
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2017-07-08 12:37:09 UTC
This issue was resolved and addressed in
 GLSA 201707-06 at https://security.gentoo.org/glsa/201707-06
by GLSA coordinator Thomas Deutschmann (whissi).