Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 611382 (CVE-2017-6317) - <media-libs/virglrenderer-0.6.0: memory leak in add_shader_program()
Summary: <media-libs/virglrenderer-0.6.0: memory leak in add_shader_program()
Status: RESOLVED FIXED
Alias: CVE-2017-6317
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2016-10163 CVE-2017-5580 CVE-2016-10214 CVE-2017-5957 CVE-2017-5956 CVE-2017-5993 CVE-2017-5994 CVE-2017-6210 CVE-2017-6209 CVE-2017-6386 CVE-2017-6355
  Show dependency tree
 
Reported: 2017-03-02 08:56 UTC by Agostino Sarubbo
Modified: 2017-07-08 12:38 UTC (History)
1 user (show)

See Also:
Package list:
media-libs/virglrenderer-0.6.0
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-03-02 08:56:04 UTC
From ${URL} :

Virgil 3d project, used by Quick Emulator(Qemu) to implement 3D GPU support
for the virtio GPU, is vulnerable to a memory leakageissue. It could occur
while in add_shader_program().

A guest user/process could use this flaw to leak host memory resulting in DoS.

Upstream patch:
---------------
  -> https://cgit.freedesktop.org/virglrenderer/commit/?id=a2f12a1b0f95b13b6f8dc3d05d7b74b4386394e4

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2017/02/24/5


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Matthias Maier gentoo-dev 2017-05-03 06:05:12 UTC
commit 07f72dae992b1dd9a13489da0238edd6bd5f6337
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Wed May 3 00:55:44 2017 -0500

    media-libs/virglrenderer: version bump to 0.6.0
    
    This is a hand-packaged version of upstream commit
    
      737c3350850ca4dbc5633b3bdb4118176ce59920
    
    (version 0.6.0 with two additional security patches)
    containing fixes for the following security issues:
    
    CVE-2016-10163, bug #606996
    CVE-2017-5580,  bug #607022
    CVE-2016-10214, bug #608734
    CVE-2017-5957,  bug #609400
    CVE-2017-5956,  bug #609402
    CVE-2017-5993,  bug #609492
    CVE-2017-5994,  bug #609494
    CVE-2017-6210,  bug #610678
    CVE-2017-6209,  bug #610680
    CVE-2017-6386,  bug #611378
    CVE-2017-6355,  bug #611380
    CVE-2017-6317,  bug #611382
    
    Package-Manager: Portage-2.3.5, Repoman-2.3.2
Comment 2 Matthias Maier gentoo-dev 2017-05-03 06:26:06 UTC
Arches, please stabilize
  =media-libs/virglrenderer-0.6.0

Target-keywords: "amd64 x86"
Comment 3 Agostino Sarubbo gentoo-dev 2017-05-03 08:19:25 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-05-04 15:55:46 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2017-05-05 00:13:25 UTC
Arches and Maintainer(s), Thank you for your work.

Maintainer(s), please drop the vulnerable version(s).
Comment 6 Matthias Maier gentoo-dev 2017-05-05 01:09:08 UTC
commit 52fcce66174f326a1b1647b443f89dc7db39303c
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Thu May 4 20:06:58 2017 -0500

    media-libs/virglrenderer: drop vulnerable, bug #611382
    
    Package-Manager: Portage-2.3.5, Repoman-2.3.2
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2017-07-08 12:38:22 UTC
This issue was resolved and addressed in
 GLSA 201707-06 at https://security.gentoo.org/glsa/201707-06
by GLSA coordinator Thomas Deutschmann (whissi).