Your message dated Mon, 06 Oct 2014 05:17:10 +0000
with message-id <[email protected]>
and subject line Bug#762532: fixed in qemu 1.1.2+dfsg-6a+deb7u4
has caused the Debian Bug report #762532,
regarding CVE-2014-3640: qemu: slirp: NULL pointer deref in sosendto()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
762532: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762532
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package: qemu
Version: 2.1+dfsg-4
Severity: important
Tags: security, fixed-upstream

Hi,

When guest sends udp packet with source port and source addr 0,
uninitialized socket is picked up when looking for matching and already
created udp sockets, and later passed to sosendto() where NULL pointer
dereference is hit during so->slirp->vnetwork_mask.s_addr access.

Fix this by checking that the socket is not just a socket stub.

Please see this discussion for more information:
http://lists.nongnu.org/archive/html/qemu-devel/2014-09/msg03543.html

- ---
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlQhGTkACgkQXf6hBi6kbk/46gCfbwwiaD3Zdfbo5z57NihRYfvJ
J34An0KG/kIRMQlB9CYUgcwM9net67oc
=7klY
-----END PGP SIGNATURE-----

--- End Message ---
--- Begin Message ---
Source: qemu
Source-Version: 1.1.2+dfsg-6a+deb7u4

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <[email protected]> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 20 May 2014 09:49:42 +0400
Source: qemu
Binary: qemu qemu-keymaps qemu-system qemu-user qemu-user-static qemu-utils
Architecture: source all amd64
Version: 1.1.2+dfsg-6a+deb7u4
Distribution: wheezy-security
Urgency: medium
Maintainer: Debian QEMU Team <[email protected]>
Changed-By: Michael Tokarev <[email protected]>
Description: 
 qemu       - fast processor emulator
 qemu-keymaps - QEMU keyboard maps
 qemu-system - QEMU full system emulation binaries
 qemu-user  - QEMU user mode emulation binaries
 qemu-user-static - QEMU user mode emulation binaries (static version)
 qemu-utils - QEMU utilities
Closes: 742730 762532
Changes: 
 qemu (1.1.2+dfsg-6a+deb7u4) wheezy-security; urgency=medium
 .
   * image-format-validation patch series backported from 2.0, closing
     CVE-2014-0142, CVE-2014-0143, CVE-2014-0144, CVE-2014-0145,
     CVE-2014-0146, CVE-2014-0147, CVE-2014-0222, CVE-2014-0223
     (Closes: #742730)
   * slirp-udp-fix-NULL-pointer-deref-uninit-socket-CVE-2014-3640.patch
     closing CVE-2014-3640 (Closes: #762532)
   * spice-make-sure-we-don-t-overflow-ssd-buf-CVE-2014-3615.patch and
     vbe-rework-sanity-checks-CVE-2014-3615.patch closing CVE-2014-3615
Checksums-Sha1: 
 75418972e5f851c7f2f2f97fd9fbbfc4cdf4f9e8 2631 qemu_1.1.2+dfsg-6a+deb7u4.dsc
 1a379a34bad6c0367455c250ea41bd9562420919 99946 
qemu_1.1.2+dfsg-6a+deb7u4.debian.tar.gz
 29cbf6130b5eb5e300e9ea8960750ca6c3263fec 49506 
qemu-keymaps_1.1.2+dfsg-6a+deb7u4_all.deb
 af87e95c031013696dad6e9909e6f140140e61e6 114694 
qemu_1.1.2+dfsg-6a+deb7u4_amd64.deb
 797b6264037f17ee3213e2dd995325521410c7f1 27892230 
qemu-system_1.1.2+dfsg-6a+deb7u4_amd64.deb
 f5e886553e4fecf2b764f71753006764351df98b 7721160 
qemu-user_1.1.2+dfsg-6a+deb7u4_amd64.deb
 b3bf607e20ea01f40d7d5833269d7ddbb90dbc90 16547038 
qemu-user-static_1.1.2+dfsg-6a+deb7u4_amd64.deb
 1b719c63be490d3ca6a2731fe937f507ecbf6413 663740 
qemu-utils_1.1.2+dfsg-6a+deb7u4_amd64.deb
Checksums-Sha256: 
 41175101b3ca819b13fd8fb43decbedc6d932243e7124d31b2242ce0234a6011 2631 
qemu_1.1.2+dfsg-6a+deb7u4.dsc
 9897dc09173d8b748616da8efb116e06068e93b30ef1386223bb5a2ba31a1d1e 99946 
qemu_1.1.2+dfsg-6a+deb7u4.debian.tar.gz
 3ebe1c3fb70b0be05f3af6b4c9aaa0f192b6b24e045873d2c86c42a01032b72d 49506 
qemu-keymaps_1.1.2+dfsg-6a+deb7u4_all.deb
 ed9595d97da35f54d0b67c371d70cba703b9e2f540c20d501351f45026acc8d6 114694 
qemu_1.1.2+dfsg-6a+deb7u4_amd64.deb
 d754fd26c6df6bcccca0232c9bb56c62ae755eb79bb03a2a140b041296e4d29c 27892230 
qemu-system_1.1.2+dfsg-6a+deb7u4_amd64.deb
 1c535ef6e7e57f722e14cca0c8562505736caa16285a5d59994820c1142ca381 7721160 
qemu-user_1.1.2+dfsg-6a+deb7u4_amd64.deb
 e6b6dd6f50285e2ff0b476cd8b1bec948de0a0dd3fe22a3e1b492f65fae6819d 16547038 
qemu-user-static_1.1.2+dfsg-6a+deb7u4_amd64.deb
 e77941f84c15ca67d9bf8194a7f271d91fde40d6f6312c0b8a246dd71546d8f9 663740 
qemu-utils_1.1.2+dfsg-6a+deb7u4_amd64.deb
Files: 
 dc97eac69c5c1b2548af943b26ff565b 2631 misc optional 
qemu_1.1.2+dfsg-6a+deb7u4.dsc
 3ae68603159e2acdd3028e082e95114d 99946 misc optional 
qemu_1.1.2+dfsg-6a+deb7u4.debian.tar.gz
 cd00c9e61e74c476ad2fb3db6a876027 49506 misc optional 
qemu-keymaps_1.1.2+dfsg-6a+deb7u4_all.deb
 5cac15ac270d69489de4171914919aa2 114694 misc optional 
qemu_1.1.2+dfsg-6a+deb7u4_amd64.deb
 3c6ef9428bca03ff3d15ece8b76ed60a 27892230 misc optional 
qemu-system_1.1.2+dfsg-6a+deb7u4_amd64.deb
 007b979afb55d76f2cb8d48a000086bb 7721160 misc optional 
qemu-user_1.1.2+dfsg-6a+deb7u4_amd64.deb
 ad08b89ca2d2307a2592aec5e8523588 16547038 misc optional 
qemu-user-static_1.1.2+dfsg-6a+deb7u4_amd64.deb
 7cdc10e07284df01718ad975aed806f0 663740 misc optional 
qemu-utils_1.1.2+dfsg-6a+deb7u4_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJUL6cWAAoJEL7lnXSkw9fbAJkH/iqhawf+8hhb9HVEdHf6fWKn
w7mKDhov1u/o7X4OoK1AVfp2qcaljIX30aTREGbhPdsvZGGYUrUFXFZzp0FyqSpK
kPgh29ir3tU7wNGU0jw4XTtsdnI9HRV7nkwmxPOw6Y36KOLOUBl5xIy1JQVhpvw6
nHoHraW357bICN+IGVaLZlG/1w4LnsqqKJw5Oiia5T466tUYC288boCWXczelYdy
QcYdQ7ykqSclnIqoHzFMCV8MsnPfShillRYOuBwt4z2CVNe9yk8ifU6nnjWT5Kg7
ZOFFSJ45a3qEoXLF275OLOqdOAuUTkwXD2ypC71TOn/zoamxtb32a/AmDT8l2MQ=
=IUKd
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to