From ${URL} :
Quick Emulator (Qemu) built with the i8255x (PRO100) NIC emulation support is vulnerable to a memory leakage issue. It could occur while unplugging the device, and doing so repeatedly would result in leaking host memory, affecting other services on the host.
A privileged user inside guest could use this flaw to cause a DoS on the host and/or potentially crash the Qemu process on the host.
Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg03024.html
Reference:
----------
  -> https://bugzilla.redhat.com/show_bug.cgi?id=1389538
This issue was reported by Li Qiang of 360.cn Inc.
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
No upstream patch available. The proposed fix [1] got rejected - it breaks migration capabilities [2].
[1] https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg03024.html
[2] https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg03592.html
This was fixed via http://git.qemu.org/?p=qemu.git;a=commit;h=2634ab7fe29b3f75d0865b719caf8f310d634aae which is part of v2.8.0 release:
  $ git tag --contains 2634ab7fe29b3f75d0865b719caf8f310d634aae
  v2.8.0
Stabilization will happen as part of bug 601824.
Added to an existing GLSA request.
This issue was resolved and addressed in GLSA 201701-49 at https://security.gentoo.org/glsa/201701-49 by GLSA coordinator Aaron Bauman (b-man).