Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 290643 (CVE-2009-3616) - <app-emulation/qemu-0.11.1 Denial of Service (CVE-2009-3616)
Summary: <app-emulation/qemu-0.11.1 Denial of Service (CVE-2009-3616)
Status: RESOLVED OBSOLETE
Alias: CVE-2009-3616
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B0 [glsa]
Keywords:
Depends on: CVE-2008-2382
Blocks:
  Show dependency tree
 
Reported: 2009-10-26 21:52 UTC by Tobias Heinlein (RETIRED)
Modified: 2013-08-28 01:58 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tobias Heinlein (RETIRED) gentoo-dev 2009-10-26 21:52:04 UTC
Another vulnerability has been found, see $URL for more details and patches.

It seems unclear to me if 0.9.x is also affected. However, we still have bug #252266 open which affects 0.9.x.
Apparently 0.10.x and 0.11.x are the way to go these days. Do we want to fix 0.9.x and figure out whether this issue here also affects 0.9.x (and if yes, backport the relatively long patch), or should be apply the existing backported patch for 0.10.6 and stabilise that (or even 0.11.x)?

Luca, please advise.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2009-10-26 21:55:48 UTC
CVE-2009-3616 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3616):
  Multiple use-after-free vulnerabilities in vnc.c in the VNC server in
  QEMU 0.10.6 and earlier might allow guest OS users to execute
  arbitrary code on the host OS by establishing a connection from a VNC
  client and then (1) disconnecting during data transfer, (2) sending a
  message using incorrect integer data types, or (3) using the Fuzzy
  Screen Mode protocol, related to double free vulnerabilities.

Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-06 14:13:34 UTC
VMs are often used for security reasons, setting whiteboard.
Comment 3 Sean Amoss gentoo-dev Security 2012-03-09 17:33:34 UTC
Creating new GLSA request
Comment 4 Doug Goldstein gentoo-dev 2012-10-20 16:51:17 UTC
Affected versions are removed from the tree.
Comment 5 Doug Goldstein gentoo-dev 2013-08-28 01:23:41 UTC
@security: follow up ping
Comment 6 Chris Reffett gentoo-dev Security 2013-08-28 01:58:49 UTC
Four year old bugs aren't worth the time. Byebye.