From ${URL} : The .receive callback of xlnx.xps-ethernetlite doesn't check the length of data before calling memcpy. As a result, the NetClientState object in heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite are affected. Upstream patch: http://git.qemu.org/?p=qemu.git;a=commit;h=a0d1cbdacff5df4ded16b753b38fdd9da6092968 CVE assignment: http://seclists.org/oss-sec/2016/q3/603 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
This patch already made it into the 2.7.0 release of qemu. Currently stable version in tree is 2.7.0-r3 with no vulnerable version left in the tree.
This issue was resolved and addressed in GLSA 201611-11 at https://security.gentoo.org/glsa/201611-11 by GLSA coordinator Aaron Bauman (b-man).