Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker


Commits:
937faf5c by Ola Lundqvist at 2021-06-21T22:47:24+02:00
Concluded that qemu update is not necessary for stretch. CVE-2021-3607, 3608 and
CVE-2021-3582 not affected since the vulnerable code is introduced in some
later version of the product. CVE-2021-3592 is marked as no-dsa for stretch
just as for buster.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -508,11 +508,13 @@ CVE-2021-34827
 CVE-2021-3608 [pvrdma: uninitialized memory unmap in pvrdma_ring_init()]
        RESERVED
        - qemu <unfixed>
+       [stretch] - qemu <not-affected> (Vulnerable code introduced later)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1973383
        TODO: check details, upstream report
 CVE-2021-3607 [pvrdma: unchecked malloc size due to integer overflow in 
init_dev_ring()]
        RESERVED
        - qemu <unfixed>
+       [stretch] - qemu <not-affected> (Vulnerable code introduced later)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1973349
        TODO: check details, upstream report
 CVE-2021-3606
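Review bot: the stretch `<not-affected>` markers for CVE-2021-3608 and CVE-2021-3607 are added while both `TODO: check details, upstream report` lines stay in place, and the reason string `(Vulnerable code introduced later)` does not say which upstream version or commit introduced the pvrdma code. Either drop the TODOs once that check has been done, or cite the introducing version in the reason, e.g. `[stretch] - qemu <not-affected> (Vulnerable code introduced in <version>)`, so the next triager can verify the claim against the stretch source instead of redoing the analysis.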
@@ -1112,6 +1114,7 @@ CVE-2021-3595 (An invalid pointer initialization issue 
was found in the SLiRP ne
        - libslirp <unfixed> (bug #989996)
        - qemu 1:4.1-2
        [buster] - qemu <no-dsa> (Minor issue)
+       [stretch] - qemu <no-dsa> (Minor issue)
        NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17
 (v4.6.0)
        NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/3f17948137155f025f7809fdc38576d5d2451c3d
 (v4.6.0)
        NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/990163cf3ac86b7875559f49602c4d76f46f6f30
 (v4.6.0)
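Review bot: this hunk marks CVE-2021-3595 `<no-dsa>` for stretch, but the commit message only names CVE-2021-3592 as the id marked no-dsa; the message should list every SLiRP id whose stretch entry changes in this commit so the log matches the data. The new stretch line itself mirrors the buster entry directly above it, which is the right shape for a decision copied across suites.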
@@ -1120,6 +1123,7 @@ CVE-2021-3594 (An invalid pointer initialization issue 
was found in the SLiRP ne
        - libslirp <unfixed> (bug #989995)
        - qemu 1:4.1-2
        [buster] - qemu <no-dsa> (Minor issue)
+       [stretch] - qemu <no-dsa> (Minor issue)
        NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17
 (v4.6.0)
        NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/74572be49247c8c5feae7c6e0b50c4f569ca9824
 (v4.6.0)
        NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as 
fixed.
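Review bot: the `NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed` line is what gives the new stretch entry its meaning: stretch's qemu predates 1:4.1-2 and still carries a bundled slirp copy, so `<no-dsa>` here records a deferred fix rather than a non-issue, and the two libslirp commits listed above would have to be ported into qemu's bundled slirp tree if CVE-2021-3594 is ever picked up in a DLA. Consider saying so in the reason, e.g. `(Minor issue; fix would need backport into bundled slirp)`, rather than the bare `Minor issue` copied from buster.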
@@ -1127,6 +1131,7 @@ CVE-2021-3593 (An invalid pointer initialization issue 
was found in the SLiRP ne
        - libslirp <unfixed> (bug #989994)
        - qemu 1:4.1-2
        [buster] - qemu <no-dsa> (Minor issue)
+       [stretch] - qemu <no-dsa> (Minor issue)
        NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17
 (v4.6.0)
        NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/de71c15de66ba9350bf62c45b05f8fbff166517b
 (v4.6.0)
        NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as 
fixed.
@@ -1134,6 +1139,7 @@ CVE-2021-3592 (An invalid pointer initialization issue 
was found in the SLiRP ne
        - libslirp <unfixed> (bug #989993)
        - qemu 1:4.1-2
        [buster] - qemu <no-dsa> (Minor issue)
+       [stretch] - qemu <no-dsa> (Minor issue)
        NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17
 (v4.6.0)
        NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/f13cad45b25d92760bb0ad67bec0300a4d7d5275
 (v4.6.0)
        NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/2eca0838eee1da96204545e22cdaed860d9d7c6c
 (v4.6.0)
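Review bot: within the shown context the CVE-2021-3592 entry lists three libslirp fix commits but, unlike the CVE-2021-3594 and CVE-2021-3593 entries, carries no `qemu 1:4.1-2 switched to system libslirp` note, so a reader of the stretch line has no hint that the fixes live in a library qemu only bundles before 1:4.1-2. If that note is absent from the full entry, add it here too so all four SLiRP ids read consistently.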
@@ -2530,6 +2536,7 @@ CVE-2021-3587 [nfc: fix NULL ptr dereference in 
llcp_sock_getname() after failed
 CVE-2021-3582 [hw/rdma: Fix possible mremap overflow in the pvrdma device]
        RESERVED
        - qemu <unfixed>
+       [stretch] - qemu <not-affected> (Vulnerable code introduced later)
        NOTE: 
https://lists.nongnu.org/archive/html/qemu-devel/2021-06/msg04148.html
        TODO: check
 CVE-2021-33907
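Review bot: `[stretch] - qemu <not-affected>` for CVE-2021-3582 sits directly above a still-open `TODO: check`, and the only reference is a qemu-devel patch posting rather than a merged fix commit. A definitive not-affected conclusion for stretch should be backed by the upstream commit or version that introduced the mremap path in the pvrdma device, recorded in the reason string; otherwise resolve the TODO first or hold the stretch marker until the check is finished.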


=====================================
data/dla-needed.txt
=====================================
@@ -80,8 +80,6 @@ python-babel
  NOTE: 20210620: http://people.debian.org/~abhijith/backport_of_3a700b5.patch 
(abhijith)
  NOTE: 20210620: Revisit when it have an assigned CVE Id. (abhijith)
 --
-qemu
---
 rabbitmq-server (Abhijith PA)
 --
 ruby-actionpack-page-caching
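Review bot: dropping `qemu` from dla-needed.txt is consistent with the stretch markers (`<not-affected>` / `<no-dsa>`) added to data/CVE/list, but the triage reasoning lives only in the commit message, and two of the affected entries still carry open TODOs; if those checks later show the pvrdma code is present in stretch, qemu has to be re-added here. A dated one-line NOTE with the conclusion before the entry is removed, in the style of the python-babel notes above, would leave a trail in the file itself.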



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/937faf5c4fc0d2baf7f387d47796c93683c00183

-- 
You're receiving this email because of your account on salsa.debian.org.


_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
