From ${URL} : Quick Emulator(Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an information disclosure issue. It could occur while accessing extended attributes of a file due to a race condition. A user inside guest could use this flaw to disclose uninitialised heap memory contents on the host. Upstream patch: --------------- -> https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg00729.html Reference: ---------- -> http://www.openwall.com/lists/oss-security/2017/10/06/1 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=23224f9e55bfc2ec41c8a8906a44e60791de07b5 commit 23224f9e55bfc2ec41c8a8906a44e60791de07b5 Author: Matthias Maier <tamiko@gentoo.org> AuthorDate: 2017-11-12 20:10:34 +0000 Commit: Matthias Maier <tamiko@gentoo.org> CommitDate: 2017-11-12 20:22:03 +0000 app-emulation/qemu: Version bump to 2.10.1, various security fixes Bug: https://bugs.gentoo.org/630432 Bug: https://bugs.gentoo.org/633822 Bug: https://bugs.gentoo.org/634070 Bug: https://bugs.gentoo.org/634148 Package-Manager: Portage-2.3.8, Repoman-2.3.4 app-emulation/qemu/Manifest | 1 + .../qemu/files/qemu-2.10.0-CVE-2017-13711.patch | 80 --- .../qemu/files/qemu-2.10.1-CVE-2017-15268.patch | 54 ++ .../qemu/files/qemu-2.10.1-CVE-2017-15289.patch | 58 ++ app-emulation/qemu/qemu-2.10.1.ebuild | 796 +++++++++++++++++++++ 5 files changed, 909 insertions(+), 80 deletions(-)}