On Mon, 05 Jun 2017 13:45:53 +0200 Salvatore Bonaccorso <car...@debian.org> wrote:
> Source: qemu
> Version: 1:2.8+dfsg-6
> Severity: normal
> Tags: patch security upstream fixed-upstream
>
> Hi,
>
> the following vulnerability was published for qemu.
>
> CVE-2017-9375[0]:
> usb: xhci infinite recursive call via xhci_kick_ep
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-9375
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9375
> [1] http://www.openwall.com/lists/oss-security/2017/06/05/2
> [2] http://git.qemu.org/?p=qemu.git;a=commitdiff;h=96d87bdda3919bb16f754b3d3fd1227e1f38f13c

This code is present in the 2.1 (jessie) version, but the xhci device in qemu received quite some changes before this bug was fixed upstream, so backporting the fix might be a bit problematic.

Meanwhile, due to the large number of bugfixes for xhci, I can't really say it is actually functional in 2.1. It might be, but it is definitely not of production quality, unfortunately.

/mjt