From ${URL} : Virgil 3d project, used by Quick Emulator(Qemu) to implement 3D GPU support for the virtio GPU, is vulnerable to a null pointer dereference flaw. It could occur when destroying renderer context zero(0) in 'vrend_decode_reset'. A guest user/process could use this flaw to crash the Qemu process instance resulting DoS. Upstream patch: --------------- -> https://cgit.freedesktop.org/virglrenderer/commit/?id=0a5dff15912207b83018485f83e067474e818bab @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
commit 07f72dae992b1dd9a13489da0238edd6bd5f6337 Author: Matthias Maier <tamiko@gentoo.org> Date: Wed May 3 00:55:44 2017 -0500 media-libs/virglrenderer: version bump to 0.6.0 This is a hand-packaged version of upstream commit 737c3350850ca4dbc5633b3bdb4118176ce59920 (version 0.6.0 with two additional security patches) containing fixes for the following security issues: CVE-2016-10163, bug #606996 CVE-2017-5580, bug #607022 CVE-2016-10214, bug #608734 CVE-2017-5957, bug #609400 CVE-2017-5956, bug #609402 CVE-2017-5993, bug #609492 CVE-2017-5994, bug #609494 CVE-2017-6210, bug #610678 CVE-2017-6209, bug #610680 CVE-2017-6386, bug #611378 CVE-2017-6355, bug #611380 CVE-2017-6317, bug #611382 Package-Manager: Portage-2.3.5, Repoman-2.3.2
This issue was resolved and addressed in GLSA 201707-06 at https://security.gentoo.org/glsa/201707-06 by GLSA coordinator Thomas Deutschmann (whissi).