Your message dated Mon, 06 Oct 2014 05:17:42 +0000
with message-id <[email protected]>
and subject line Bug#762532: fixed in qemu-kvm 1.1.2+dfsg-6+deb7u4
has caused the Debian Bug report #762532,
regarding CVE-2014-3640: qemu: slirp: NULL pointer deref in sosendto()
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
762532: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762532
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Package: qemu
Version: 2.1+dfsg-4
Severity: important
Tags: security, fixed-upstream
Hi,
When guest sends udp packet with source port and source addr 0,
uninitialized socket is picked up when looking for matching and already
created udp sockets, and later passed to sosendto() where NULL pointer
dereference is hit during so->slirp->vnetwork_mask.s_addr access.
Fix this by checking that the socket is not just a socket stub.
Please see this discussion for more information:
http://lists.nongnu.org/archive/html/qemu-devel/2014-09/msg03543.html
- ---
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlQhGTkACgkQXf6hBi6kbk/46gCfbwwiaD3Zdfbo5z57NihRYfvJ
J34An0KG/kIRMQlB9CYUgcwM9net67oc
=7klY
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
Source: qemu-kvm
Source-Version: 1.1.2+dfsg-6+deb7u4
We believe that the bug you reported is fixed in the latest version of
qemu-kvm, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Tokarev <[email protected]> (supplier of updated qemu-kvm package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 20 May 2014 09:49:42 +0400
Source: qemu-kvm
Binary: qemu-kvm qemu-kvm-dbg kvm
Architecture: source amd64
Version: 1.1.2+dfsg-6+deb7u4
Distribution: wheezy-security
Urgency: medium
Maintainer: Michael Tokarev <[email protected]>
Changed-By: Michael Tokarev <[email protected]>
Description:
kvm - dummy transitional package from kvm to qemu-kvm
qemu-kvm - Full virtualization on x86 hardware
qemu-kvm-dbg - Debugging info for qemu-kvm
Closes: 742730 762532
Changes:
qemu-kvm (1.1.2+dfsg-6+deb7u4) wheezy-security; urgency=medium
.
* image-format-validation patch series backported from 2.0, closing
CVE-2014-0142, CVE-2014-0143, CVE-2014-0144, CVE-2014-0145,
CVE-2014-0146, CVE-2014-0147, CVE-2014-0222, CVE-2014-0223
(Closes: #742730)
* slirp-udp-fix-NULL-pointer-deref-uninit-socket-CVE-2014-3640.patch
closing CVE-2014-3640 (Closes: #762532)
* spice-make-sure-we-don-t-overflow-ssd-buf-CVE-2014-3615.patch and
vbe-rework-sanity-checks-CVE-2014-3615.patch closing CVE-2014-3615
Checksums-Sha1:
033d9670de8d69175df276e8db54018d530ce57c 2151 qemu-kvm_1.1.2+dfsg-6+deb7u4.dsc
5e961540c44528340281ffa8cd84125a984a88a0 88441
qemu-kvm_1.1.2+dfsg-6+deb7u4.debian.tar.gz
55f56f755085478825bcfce503fba01dd2b5abdf 1678162
qemu-kvm_1.1.2+dfsg-6+deb7u4_amd64.deb
ad86b2a14d26380816181c6bded6875be61cfe34 5269962
qemu-kvm-dbg_1.1.2+dfsg-6+deb7u4_amd64.deb
8bff93e26c7f9f42706be9714569f6d25605d7e4 23900
kvm_1.1.2+dfsg-6+deb7u4_amd64.deb
Checksums-Sha256:
2c18102ccc6c4e80d714f23149e63c2fc96fd83c2e8941ac1f04f192b5ad757e 2151
qemu-kvm_1.1.2+dfsg-6+deb7u4.dsc
70303a2c4e188c05f0aa1d99d7e11b7798044c5437413b4b840f00db27997b66 88441
qemu-kvm_1.1.2+dfsg-6+deb7u4.debian.tar.gz
fd6119a6c019e51079f0de58b16b86557fa3b16a57162daee7fbffa9a482f24f 1678162
qemu-kvm_1.1.2+dfsg-6+deb7u4_amd64.deb
3f0cd2f1d9d10789a39b35c082e925b755afe3373f0ad17cf01de6269e354686 5269962
qemu-kvm-dbg_1.1.2+dfsg-6+deb7u4_amd64.deb
9344db2f7fce3439d4098bbe16e0592eee40a2612153d44f31033f2d487a76cd 23900
kvm_1.1.2+dfsg-6+deb7u4_amd64.deb
Files:
c388554c24916995ee9ded2fe8f10ceb 2151 misc optional
qemu-kvm_1.1.2+dfsg-6+deb7u4.dsc
5f035b9aaa4bc4d3b6b22fc55252791c 88441 misc optional
qemu-kvm_1.1.2+dfsg-6+deb7u4.debian.tar.gz
caaae3c9bac9c8c7205c86bb5f247ea6 1678162 misc optional
qemu-kvm_1.1.2+dfsg-6+deb7u4_amd64.deb
180ee0f7236fab62485c0185c8f269ee 5269962 debug extra
qemu-kvm-dbg_1.1.2+dfsg-6+deb7u4_amd64.deb
2faed5be9120dcf1666c1f99cbd00c89 23900 oldlibs extra
kvm_1.1.2+dfsg-6+deb7u4_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBAgAGBQJUL6cUAAoJEL7lnXSkw9fbZdoH/0JBYBUsEQPk4V3EJ3Frf5Mi
C2R9oOEHQV7BxzNBOiEQO74cHArsexHLzmzdBou3YDGgy36LN4LJkRW/BgkRrdk7
u/cJs8dux1D2sMdOOSek7lQtFraW6zc5ARiNQdbedYSyn2R0Z6TxgpqIOluu0t/h
CYby5Smc4pIPy8gKbR3IuzlabVcgDP9cGXfseG12BlhqH+A3CVJEk7N4XPknayvY
grtda2f/fZ/alWYG3oeY3lqsisVV1mrar71uXBGMtwoNpTDz4aOITfvL2C2OnQpL
pOmp+HkwsJYdv4+n2xImJEm84upOFIXIVoyYeDGoJ/yB4ERDCaJiDL6LWU/U8hs=
=2rpy
-----END PGP SIGNATURE-----
--- End Message ---