Your message dated Fri, 29 Nov 2019 21:06:22 +0300
with message-id <[email protected]>
and subject line Bug#939869: CVE-2019-15890
has caused the Debian Bug report #939869,
regarding qemu: CVE-2019-15890
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
939869: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939869
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: slirp4netns
Version: 0.3.2-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: clone -1 -2
Control: reassign -2 src:qemu 1:4.1-1
Control: retitle -2 qemu: CVE-2019-15890

Hi,

The following vulnerability was published for slirp4netns.

CVE-2019-15890[0]:
| libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in
| ip_reass in ip_input.c.

I'm filing this with higher severity than you probably would have
expected, but for buster and older I guess we can follow this as
no-dsa and schedule fixes via point releases or include in future
DSAs. As unprivileged user namespaces are not enabled by default the
former holds surely for slirp4netns itself. The bug is cloned as well
for qemu.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-15890
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15890
[1] https://www.openwall.com/lists/oss-security/2019/09/06/3
[2] https://gitlab.freedesktop.org/slirp/libslirp/commit/c59279437eda91841b9d26079c70b8a540d41204

Please adjust the affected versions in the BTS as needed, only looked
at the respective unstable versions.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Version: 1:4.1-2

This is fixed in 4.1-2, which switched to a separate libslirp
(where this bug has been fixed a while ago).
I forgot to mention this bug in the changelog.

/mjt

--- End Message ---
