Bug 807055 (CVE-2021-3682) - <app-emulation/qemu-6.1.0: code execution via malicious SPICE client (CVE-2021-3682)
Alias: CVE-2021-3682
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
Whiteboard: B1 [glsa?]
Keywords: PullRequest
Depends on: 829504
Reported: 2021-08-07 22:44 UTC by John Helmert III
Modified: 2022-04-21 23:45 UTC
CC List: 5 users

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-07 22:44:20 UTC
CVE-2021-3682 (

A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host.

Unreleased patch:
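Added illustration, not QEMU's usbredir code and not the unreleased patch referenced above: a constructed C model of the failure class the CVE text describes, a bulk-transfer packet queue whose drop path (taken when the queue is full) frees a different pointer than the normal teardown path does. The modelling assumption is that the free() "with faked heap chunk metadata" is a free() on a pointer into the middle of a client-filled buffer, so the bytes glibc parses as the chunk header are the client's own data; the queue depth, message layout and names (bufp, free_on_destroy, drop_vulnerable, drop_fixed) are made up for the model. The vulnerable drop path is present for contrast only and is never executed.

```c
/* Constructed model (not QEMU code): packet entries point into the middle
 * of a larger, client-filled allocation. Assumption: the bad free() in the
 * CVE text is a free() on such an interior pointer. Queue depth, message
 * layout and all names are invented for this model. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define QUEUE_MAX 4   /* assumed queue depth */

struct bufp {
    uint8_t *data;            /* payload pointer, possibly interior to the allocation */
    size_t   len;
    uint8_t *free_on_destroy; /* the pointer malloc() actually returned */
};

struct pkt_queue {
    struct bufp items[QUEUE_MAX];
    size_t count;
    size_t frees;             /* instrumentation: allocations released so far */
};

/* Normal-path teardown: release the allocation, not the interior pointer. */
static void bufp_destroy(struct pkt_queue *q, struct bufp *b)
{
    free(b->free_on_destroy);
    q->frees++;
}

/* Drop path as the CVE description has it: queue full, free() on the data
 * pointer. glibc locates the chunk header relative to the pointer it is
 * given (assumed x86-64 layout: size word 8 bytes before the user pointer),
 * so an interior pointer makes it parse client bytes as metadata.
 * Kept for contrast only; neither main() nor the tests call it. */
static void drop_vulnerable(struct pkt_queue *q, struct bufp *b)
{
    free(b->data);
    q->frees++;
}

/* Corrected drop path: identical teardown to the normal path. */
static void drop_fixed(struct pkt_queue *q, struct bufp *b)
{
    bufp_destroy(q, b);
}

/* 1 if free(b->data) would hand glibc a pointer it never returned. */
static int free_on_data_is_unsafe(const struct bufp *b)
{
    return b->data != b->free_on_destroy;
}

/* Queue one bulk packet: msg is hdr_len bytes of protocol header followed
 * by payload; the whole message is kept and data points past the header.
 * Returns 0 if queued, -1 if dropped or invalid. */
static int queue_bulk_packet(struct pkt_queue *q, const uint8_t *msg,
                             size_t msg_len, size_t hdr_len, int use_fix)
{
    if (hdr_len > msg_len) return -1;
    uint8_t *base = malloc(msg_len);
    if (base == NULL) return -1;
    memcpy(base, msg, msg_len);
    struct bufp b = { base + hdr_len, msg_len - hdr_len, base };
    if (q->count == QUEUE_MAX) {
        if (use_fix) drop_fixed(q, &b);
        else         drop_vulnerable(q, &b);
        return -1;
    }
    q->items[q->count++] = b;
    return 0;
}

static void queue_drain(struct pkt_queue *q)
{
    for (size_t i = 0; i < q->count; i++) bufp_destroy(q, &q->items[i]);
    q->count = 0;
}

/* Sends packets_sent copies of a constructed 32-byte message (24-byte
 * header, 8-byte payload) through the fixed path, over-filling the queue,
 * then drains. Returns allocations released: equals packets_sent exactly
 * when nothing leaks and nothing is freed twice. */
static size_t run_fixed_model(size_t packets_sent)
{
    uint8_t msg[32];
    memset(msg, 0x41, 24);       /* constructed client header */
    memset(msg + 24, 0x42, 8);   /* constructed payload */
    struct pkt_queue q = {0};
    for (size_t i = 0; i < packets_sent; i++)
        queue_bulk_packet(&q, msg, sizeof msg, 24, 1);
    queue_drain(&q);
    return q.frees;
}

/* Builds a bufp with the given header offset on a static buffer (no heap
 * involved) and reports whether the drop-path free(data) would be unsafe. */
static int unsafe_for_header_len(size_t hdr_len)
{
    static uint8_t buf[64];
    struct bufp b = { buf + hdr_len, sizeof buf - hdr_len, buf };
    return free_on_data_is_unsafe(&b);
}

int main(void)
{
    printf("fixed path, %d packets: %zu allocations released\n",
           QUEUE_MAX + 1, run_fixed_model(QUEUE_MAX + 1));
    printf("free(data) unsafe with 24-byte header: %d\n",
           unsafe_for_header_len(24));
    return 0;
}
```

The point of the model is that the drop path must release exactly what the normal path releases; a practitioner checking a fix of this shape looks for every early-exit path that frees a pointer other than the one the allocator returned, and runs the reproducer under ASan, which reports an interior free as "attempting free on address which was not malloc()-ed".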
Comment 1 Larry the Git Cow gentoo-dev 2021-12-20 06:42:33 UTC
The bug has been referenced in the following commit(s):

commit d4dbabb19b26f4203d67e25f78772c5bebf650ff
Author:     John Helmert III <>
AuthorDate: 2021-12-20 04:31:40 +0000
Commit:     Matthias Maier <>
CommitDate: 2021-12-20 06:42:24 +0000

    app-emulation/qemu: drop 6.0.0-r4, 6.0.0-r54, 6.0.1-r1
    Signed-off-by: John Helmert III <>
    Signed-off-by: Matthias Maier <>

 app-emulation/qemu/Manifest                        |   2 -
 .../qemu/files/qemu-5.2.0-cleaner-werror.patch     |  40 -
 .../qemu/files/qemu-5.2.0-dce-locks.patch          |  18 -
 app-emulation/qemu/files/qemu-5.2.0-strings.patch  |  23 -
 app-emulation/qemu/qemu-6.0.0-r4.ebuild            | 910 --------------------
 app-emulation/qemu/qemu-6.0.0-r54.ebuild           | 911 ---------------------
 app-emulation/qemu/qemu-6.0.1-r1.ebuild            | 911 ---------------------
 7 files changed, 2815 deletions(-)