Your message dated Tue, 18 Apr 2017 09:04:13 +0000
with message-id <[email protected]>
and subject line Bug#857744: fixed in qemu 1:2.8+dfsg-4
has caused the Debian Bug report #857744,
regarding qemu: CVE-2016-9603: cirrus: heap buffer overflow via vnc connection
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
857744: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857744
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: qemu
Version: 1:2.8+dfsg-3
Severity: grave
Tags: patch security upstream
Justification: user security hole
Control: found -1 2.1+dfsg-1

Hi,

the following vulnerability was published for qemu.

CVE-2016-9603[0]:
cirrus: heap buffer overflow via vnc connection

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9603
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9603
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1430056

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: qemu
Source-Version: 1:2.8+dfsg-4

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <[email protected]> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 03 Apr 2017 16:28:49 +0300
Source: qemu
Binary: qemu qemu-system qemu-block-extra qemu-system-common qemu-system-misc
 qemu-system-arm qemu-system-mips qemu-system-ppc qemu-system-sparc
 qemu-system-x86 qemu-user qemu-user-static qemu-user-binfmt qemu-utils
 qemu-guest-agent qemu-kvm
Architecture: source
Version: 1:2.8+dfsg-4
Distribution: unstable
Urgency: high
Maintainer: Debian QEMU Team <[email protected]>
Changed-By: Michael Tokarev <[email protected]>
Description:
qemu - fast processor emulator
qemu-block-extra - extra block backend modules for qemu-system and qemu-utils
qemu-guest-agent - Guest-side qemu-system agent
qemu-kvm - QEMU Full virtualization on x86 hardware
qemu-system - QEMU full system emulation binaries
qemu-system-arm - QEMU full system emulation binaries (arm)
qemu-system-common - QEMU full system emulation binaries (common files)
qemu-system-mips - QEMU full system emulation binaries (mips)
qemu-system-misc - QEMU full system emulation binaries (miscellaneous)
qemu-system-ppc - QEMU full system emulation binaries (ppc)
qemu-system-sparc - QEMU full system emulation binaries (sparc)
qemu-system-x86 - QEMU full system emulation binaries (x86)
qemu-user - QEMU user mode emulation binaries
qemu-user-binfmt - QEMU user mode binfmt registration for qemu-user
qemu-user-static - QEMU user mode emulation binaries (static version)
qemu-utils - QEMU utilities
Closes: 840950 844566 846084 856969 857744 859854
Changes:
 qemu (1:2.8+dfsg-4) unstable; urgency=high
 .
   * usb-ohci-limit-the-number-of-link-eds-CVE-2017-6505.patch
     Closes: #856969, CVE-2017-6505
   * linux-user-fix-apt-get-update-on-linux-user-hppa.patch
     Closes: #846084
   * update to 2.8.1 upstream stable/bugfix release
     (v2.8.1.diff from upstream, except of seabios blob bits).
     Closes: #857744, CVE-2016-9603
     Patches dropped because they're included in 2.8.1 release:
      9pfs-symlink-attack-fixes-CVE-2016-9602.patch
      char-fix-ctrl-a-b-not-working.patch
      cirrus-add-blit_is_unsafe-to-cirrus_bitblt_cputovideo-CVE-2017-2620.patch
      cirrus-fix-oob-access-issue-CVE-2017-2615.patch
      cirrus-ignore-source-pitch-as-needed-in-blit_is_unsafe.patch
      linux-user-fix-s390x-safe-syscall-for-z900.patch
      nbd_client-fix-drop_sync-CVE-2017-2630.patch
      s390x-use-qemu-cpu-model-in-user-mode.patch
      sd-sdhci-check-data-length-during-dma_memory_read-CVE-2017-5667.patch
      virtio-crypto-fix-possible-integer-and-heap-overflow-CVE-2017-5931.patch
      vmxnet3-fix-memory-corruption-on-vlan-header-stripping-CVE-2017-6058.patch
   * bump seabios dependency to 1.10.2 due to ahci fix in 2.8.1
   * 9pfs-fix-file-descriptor-leak-CVE-2017-7377.patch
     (Closes: #859854, CVE-2017-7377)
   * dma-rc4030-limit-interval-timer-reload-value-CVE-2016-8667.patch
     Closes: #840950, CVE-2016-8667
   * make d/control un-writable to stop users from changing a generated file
   * two patches from upstream to fix user-mode network with IPv6
      slirp-make-RA-build-more-flexible.patch
      slirp-send-RDNSS-in-RA-only-if-host-has-an-IPv6-DNS.patch
     (Closes: #844566)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---