Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 629350 (CVE-2017-13711) - <app-emulation/qemu-2.10.0: Slirp: use-after-free when sending response
Summary: <app-emulation/qemu-2.10.0: Slirp: use-after-free when sending response
Status: RESOLVED FIXED
Alias: CVE-2017-13711
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2017-12809 CVE-2017-13673
  Show dependency tree
 
Reported: 2017-08-30 07:54 UTC by Agostino Sarubbo
Modified: 2017-11-12 21:45 UTC (History)
1 user (show)

See Also:
Package list:
=app-emulation/qemu-2.10.0
Runtime testing required: Yes
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-08-30 07:54:15 UTC
From ${URL} :

Quick emulator(Qemu) built with the Slirp networking support is vulnerable
to an use-after-free issue. It occurs due to Socket referenced from multiple
packets is freed while responding to a message.

A user/process could use this flaw to crash the Qemu process on the host
resulting in DoS.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg05201.html

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2017/08/29/6


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Matthias Maier gentoo-dev 2017-09-01 02:03:30 UTC
Upstream patch applied to 2.10.0 version bump

commit ecbdc929ac2d3b34812aa3b3ac07054198a0547c
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Thu Aug 31 20:31:14 2017 -0500

    app-emulation/qemu: version bump to 2.10.0, bug #629350
    
    This version bump also addresses a number of security issues
      CVE-2017-12809, bug #628498
      CVE-2017-13673, bug #629316
      CVE-2017-13711, bug #629350
    
    Package-Manager: Portage-2.3.6, Repoman-2.3.3
Comment 2 Matthias Maier gentoo-dev 2017-09-01 14:19:15 UTC
Let's stabilize in a couple of days, not immediately.
Comment 3 Matthias Maier gentoo-dev 2017-09-07 16:02:19 UTC
Arches, please stabilize app-emulation/qemu-2.10.0
Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-09 19:40:18 UTC
amd64 tested, ok
Comment 5 Agostino Sarubbo gentoo-dev 2017-09-20 09:59:43 UTC
amd64 stable
Comment 6 manwe 2017-09-20 22:32:20 UTC
Qemu 2.10 breaks Windows guests. Broke mine Win10. Thread on qemu-devel: https://lists.gnu.org/archive/html/qemu-devel/2017-09/msg01695.html
Comment 7 manwe 2017-09-20 22:32:33 UTC
Qemu 2.10 breaks Windows guests. Broke mine Win10. Thread on qemu-devel: https://lists.gnu.org/archive/html/qemu-devel/2017-09/msg01695.html
Comment 8 Thomas Deutschmann gentoo-dev Security 2017-09-23 14:18:36 UTC
x86 stable


@ Maintainer(s): Please cleanup and drop <app-emulation/qemu-2.10.0!
Comment 9 Larry the Git Cow gentoo-dev 2017-11-12 19:44:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d18e62cc49c851c9d5cd857913318f8c90488f50

commit d18e62cc49c851c9d5cd857913318f8c90488f50
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2017-11-12 19:42:32 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2017-11-12 19:43:52 +0000

    app-emulation/qemu: drop vulnerable, bug #629350
    
    Bug: https://bugs.gentoo.org/629350
    Package-Manager: Portage-2.3.8, Repoman-2.3.4

 app-emulation/qemu/Manifest              |   1 -
 app-emulation/qemu/qemu-2.9.0-r56.ebuild | 793 ------------------------------
 app-emulation/qemu/qemu-2.9.0-r57.ebuild | 796 -------------------------------
 3 files changed, 1590 deletions(-)}
Comment 10 Matthias Maier gentoo-dev 2017-11-12 19:44:50 UTC
Security, please vote on glsa.
Comment 11 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-12 21:44:51 UTC
(In reply to Matthias Maier from comment #10)
> Security, please vote on glsa.

Thank you tamiko. Closing as fixed

GLSA Vote: No