Bug 18489

Summary: qemu new security issues (too many CVEs to list)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Thierry Vignaud <thierry.vignaud>
Status: RESOLVED WONTFIX QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: mageia, marja11, thierry.vignaud, tmb, wilcal.int, zombie_ryushu
Version: 5   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: qemu-2.4.1-7.mga5.src.rpm CVE: 2016-4439, 2016-4441, 2016-445[34], 2016-4952, 2016-4964, 2016-510[5-7], 2016-5126, 2016-5238, 2016-533[78], 2016-5403, 2016-6351, 2016-6490, 2016-683[3-6], 2016-6888, 2016-7116, 2016-715[5-7], 2016-7161, 2016-7170, 2016-742[1-3], 2016-7466, 2016-790[7-9]
Status comment:
Attachments: qemu fail screen

Description David Walser 2016-05-19 16:22:00 CEST 
Two security issues in qemu were announced today (May 19):
http://openwall.com/lists/oss-security/2016/05/19/3
http://openwall.com/lists/oss-security/2016/05/19/4

Cauldron is affected too.  I imagine we'll fix it there when a new upstream release includes the fixes, or when Fedora does.
Marja Van Waes 2016-05-21 18:20:37 CEST

Assignee: bugsquad => thierry.vignaud
CC: (none) => marja11

Comment 1 David Walser 2016-05-23 15:10:17 CEST 
CVE request for another issue:
http://openwall.com/lists/oss-security/2016/05/23/1
Comment 2 David Walser 2016-05-23 19:44:54 CEST 
(In reply to David Walser from comment #1)
> CVE request for another issue:
> http://openwall.com/lists/oss-security/2016/05/23/1

CVE-2016-4952:
http://openwall.com/lists/oss-security/2016/05/23/4

Summary: qemu new security issues CVE-2016-4439 and CVE-2016-4441 => qemu new security issues CVE-2016-4439, CVE-2016-4441, CVE-2016-4952

Comment 3 David Walser 2016-05-24 15:33:32 CEST 
CVE request for another issue:
http://openwall.com/lists/oss-security/2016/05/24/4
Comment 4 David Walser 2016-05-24 16:52:02 CEST 
(In reply to David Walser from comment #3)
> CVE request for another issue:
> http://openwall.com/lists/oss-security/2016/05/24/4

CVE-2016-4964:
http://openwall.com/lists/oss-security/2016/05/24/7

Summary: qemu new security issues CVE-2016-4439, CVE-2016-4441, CVE-2016-4952 => qemu new security issues CVE-2016-4439, CVE-2016-4441, CVE-2016-4952, CVE-2016-4964

Comment 6 Thierry Vignaud 2016-05-27 00:07:26 CEST 
qemu-2.4.1-6.mga5 has been pushed
This software really is gruyere....

Source RPM: qemu-2.4.1-5.mga5.src.rpm => qemu-2.4.1-6.mga5.src.rpm

Comment 7 David Walser 2016-05-27 03:29:23 CEST 
I see you added patches for CVE-2016-4439 and CVE-2016-4441, but I don't see anything for the other five issues yet.
Comment 8 Marja Van Waes 2016-05-27 13:02:53 CEST 
(In reply to Thierry Vignaud from comment #6)
> qemu-2.4.1-6.mga5 has been pushed
> This software really is gruyere....

Like French Gruyère cheese: full of holes?
https://commons.wikimedia.org/wiki/File:Cheese-gruy%C3%A8re-IGP.jpg?uselang=fr
Comment 9 Rémi Verschelde 2016-05-27 13:05:04 CEST 
(In reply to Marja van Waes from comment #8)
> (In reply to Thierry Vignaud from comment #6)
> > qemu-2.4.1-6.mga5 has been pushed
> > This software really is gruyere....
> 
> Like French Gruyère cheese: full of holes?
> https://commons.wikimedia.org/wiki/File:Cheese-gruy%C3%A8re-IGP.
> jpg?uselang=fr

Indeed :)
Comment 10 Thierry Vignaud 2016-05-27 14:12:05 CEST 
That one isn't holed as qemu is :-)
though on the other hand it show its community is healthy :-)
Comment 11 David Walser 2016-05-27 14:31:43 CEST 
(In reply to David Walser from comment #5)
> 3 more CVE requests:
> http://openwall.com/lists/oss-security/2016/05/25/5
> http://openwall.com/lists/oss-security/2016/05/25/6
> http://openwall.com/lists/oss-security/2016/05/25/7

CVE-2016-510[5-7]:
http://www.openwall.com/lists/oss-security/2016/05/26/7
http://www.openwall.com/lists/oss-security/2016/05/26/8
http://www.openwall.com/lists/oss-security/2016/05/26/9

Summary: qemu new security issues CVE-2016-4439, CVE-2016-4441, CVE-2016-4952, CVE-2016-4964 => qemu new security issues CVE-2016-4439, CVE-2016-4441, CVE-2016-4952, CVE-2016-4964, CVE-2016-510[5-7]

Comment 12 David Walser 2016-05-30 15:42:00 CEST 
Two more (CVE-2016-445[34]):
http://openwall.com/lists/oss-security/2016/05/30/2
http://openwall.com/lists/oss-security/2016/05/30/3

Summary: qemu new security issues CVE-2016-4439, CVE-2016-4441, CVE-2016-4952, CVE-2016-4964, CVE-2016-510[5-7] => qemu new security issues CVE-2016-4439, CVE-2016-4441, CVE-2016-445[34], CVE-2016-4952, CVE-2016-4964, CVE-2016-510[5-7]

Comment 13 David Walser 2016-05-30 17:23:35 CEST 
(In reply to David Walser from comment #7)
> I see you added patches for CVE-2016-4439 and CVE-2016-4441, but I don't see
> anything for the other five issues yet.

Here's the Fedora advisory for tv's last commit (May 29 advisory):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IVF5EBNXMHJOF63QDTVXG7G7S7UK5AMP/
Comment 14 David Walser 2016-05-31 06:47:00 CEST 
CVE-2016-5126:
http://openwall.com/lists/oss-security/2016/05/30/7

Summary: qemu new security issues CVE-2016-4439, CVE-2016-4441, CVE-2016-445[34], CVE-2016-4952, CVE-2016-4964, CVE-2016-510[5-7] => qemu new security issues CVE-2016-4439, CVE-2016-4441, CVE-2016-445[34], CVE-2016-4952, CVE-2016-4964, CVE-2016-510[5-7], CVE-2016-5126

Comment 15 David Walser 2016-06-01 13:24:16 CEST 
(In reply to David Walser from comment #13)
> (In reply to David Walser from comment #7)
> > I see you added patches for CVE-2016-4439 and CVE-2016-4441, but I don't see
> > anything for the other five issues yet.
> 
> Here's the Fedora advisory for tv's last commit (May 29 advisory):
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/IVF5EBNXMHJOF63QDTVXG7G7S7UK5AMP/

http://lwn.net/Vulnerabilities/689261/
Comment 16 David Walser 2016-06-02 18:08:44 CEST 
Another CVE request:
http://openwall.com/lists/oss-security/2016/06/02/2
Comment 17 David Walser 2016-06-02 18:50:29 CEST 
(In reply to David Walser from comment #16)
> Another CVE request:
> http://openwall.com/lists/oss-security/2016/06/02/2

CVE-2016-5238:
http://openwall.com/lists/oss-security/2016/06/02/9

Summary: qemu new security issues CVE-2016-4439, CVE-2016-4441, CVE-2016-445[34], CVE-2016-4952, CVE-2016-4964, CVE-2016-510[5-7], CVE-2016-5126 => qemu new security issues CVE-2016-4439, CVE-2016-4441, CVE-2016-445[34], CVE-2016-4952, CVE-2016-4964, CVE-2016-510[5-7], CVE-2016-5126, CVE-2016-5238

Comment 18 David Walser 2016-06-07 12:18:32 CEST 
Another CVE request:
http://www.openwall.com/lists/oss-security/2016/06/07/3
Comment 19 David Walser 2016-06-08 12:30:57 CEST 
Yet another CVE request:
http://www.openwall.com/lists/oss-security/2016/06/08/3
Comment 20 David Walser 2016-06-08 21:01:29 CEST 
LWN reference for CVE-2016-5107:
http://lwn.net/Vulnerabilities/690402/
Comment 21 David Walser 2016-06-08 23:17:31 CEST 
(In reply to David Walser from comment #18)
> Another CVE request:
> http://www.openwall.com/lists/oss-security/2016/06/07/3

CVE-2016-5338:
http://openwall.com/lists/oss-security/2016/06/08/14

(In reply to David Walser from comment #19)
> Yet another CVE request:
> http://www.openwall.com/lists/oss-security/2016/06/08/3

CVE-2016-5337:
http://openwall.com/lists/oss-security/2016/06/08/13

Summary: qemu new security issues CVE-2016-4439, CVE-2016-4441, CVE-2016-445[34], CVE-2016-4952, CVE-2016-4964, CVE-2016-510[5-7], CVE-2016-5126, CVE-2016-5238 => qemu new security issues CVE-2016-4439, CVE-2016-4441, CVE-2016-445[34], CVE-2016-4952, CVE-2016-4964, CVE-2016-510[5-7], CVE-2016-5126, CVE-2016-5238, CVE-2016-533[78]

Comment 22 David Walser 2016-06-13 22:00:20 CEST 
LWN reference for CVE-2016-4952:
http://lwn.net/Vulnerabilities/691104/
Comment 23 David Walser 2016-06-28 00:28:24 CEST 
LWN reference for CVE-2016-4964 CVE-2016-4454 CVE-2016-4453 CVE-2016-5126 CVE-2016-5238:
http://lwn.net/Vulnerabilities/692861/
Comment 24 David Walser 2016-07-26 19:17:38 CEST 
Another CVE request:
http://openwall.com/lists/oss-security/2016/07/25/14
Comment 25 David Walser 2016-07-26 23:07:19 CEST 
(In reply to David Walser from comment #24)
> Another CVE request:
> http://openwall.com/lists/oss-security/2016/07/25/14

CVE-2016-6351:
http://openwall.com/lists/oss-security/2016/07/26/7

Summary: qemu new security issues CVE-2016-4439, CVE-2016-4441, CVE-2016-445[34], CVE-2016-4952, CVE-2016-4964, CVE-2016-510[5-7], CVE-2016-5126, CVE-2016-5238, CVE-2016-533[78] => qemu new security issues CVE-2016-4439, CVE-2016-4441, CVE-2016-445[34], CVE-2016-4952, CVE-2016-4964, CVE-2016-510[5-7], CVE-2016-5126, CVE-2016-5238, CVE-2016-533[78], CVE-2016-6351

Comment 26 David Walser 2016-07-27 18:47:15 CEST 
CVE-2016-5403:
http://openwall.com/lists/oss-security/2016/07/27/4

Summary: qemu new security issues CVE-2016-4439, CVE-2016-4441, CVE-2016-445[34], CVE-2016-4952, CVE-2016-4964, CVE-2016-510[5-7], CVE-2016-5126, CVE-2016-5238, CVE-2016-533[78], CVE-2016-6351 => qemu new security issues CVE-2016-4439, CVE-2016-4441, CVE-2016-445[34], CVE-2016-4952, CVE-2016-4964, CVE-2016-510[5-7], CVE-2016-5126, CVE-2016-5238, CVE-2016-533[78], CVE-2016-5403, CVE-2016-6351

Comment 27 David Walser 2016-07-28 16:37:43 CEST 
Another CVE request:
http://openwall.com/lists/oss-security/2016/07/28/4
Comment 28 David Walser 2016-07-28 19:46:02 CEST 
(In reply to David Walser from comment #27)
> Another CVE request:
> http://openwall.com/lists/oss-security/2016/07/28/4

CVE-2016-6490:
http://openwall.com/lists/oss-security/2016/07/28/9

Summary: qemu new security issues CVE-2016-4439, CVE-2016-4441, CVE-2016-445[34], CVE-2016-4952, CVE-2016-4964, CVE-2016-510[5-7], CVE-2016-5126, CVE-2016-5238, CVE-2016-533[78], CVE-2016-5403, CVE-2016-6351 => qemu new security issues CVE-2016-4439, CVE-2016-4441, CVE-2016-445[34], CVE-2016-4952, CVE-2016-4964, CVE-2016-510[5-7], CVE-2016-5126, CVE-2016-5238, CVE-2016-533[78], CVE-2016-5403, CVE-2016-6351, CVE-2016-6490

Comment 29 David Walser 2016-08-08 21:28:50 CEST 
LWN reference for CVE-2016-5403 and CVE-2016-6351:
http://lwn.net/Vulnerabilities/695959/
Comment 31 David Walser 2016-08-12 13:54:27 CEST 
And another:
http://www.openwall.com/lists/oss-security/2016/08/12/1
Comment 32 David Walser 2016-08-18 15:25:12 CEST 
(In reply to David Walser from comment #30)
> Three more CVE requests:
> http://openwall.com/lists/oss-security/2016/08/11/5
> http://openwall.com/lists/oss-security/2016/08/11/7
> http://openwall.com/lists/oss-security/2016/08/11/8

(In reply to David Walser from comment #31)
> And another:
> http://www.openwall.com/lists/oss-security/2016/08/12/1

CVE-2016-683[3-6] assigned for these:
http://openwall.com/lists/oss-security/2016/08/18/3
http://openwall.com/lists/oss-security/2016/08/18/7
http://openwall.com/lists/oss-security/2016/08/18/4
http://openwall.com/lists/oss-security/2016/08/18/5

Summary: qemu new security issues CVE-2016-4439, CVE-2016-4441, CVE-2016-445[34], CVE-2016-4952, CVE-2016-4964, CVE-2016-510[5-7], CVE-2016-5126, CVE-2016-5238, CVE-2016-533[78], CVE-2016-5403, CVE-2016-6351, CVE-2016-6490 => qemu new security issues CVE-2016-4439, CVE-2016-4441, CVE-2016-445[34], CVE-2016-4952, CVE-2016-4964, CVE-2016-510[5-7], CVE-2016-5126, CVE-2016-5238, CVE-2016-533[78], CVE-2016-5403, CVE-2016-6351, CVE-2016-6490, CVE-2016-683[3-6]

Comment 33 David Walser 2016-08-19 15:56:43 CEST 
Another CVE request:
http://openwall.com/lists/oss-security/2016/08/19/6
Comment 34 David Walser 2016-08-19 17:10:14 CEST 
(In reply to David Walser from comment #33)
> Another CVE request:
> http://openwall.com/lists/oss-security/2016/08/19/6

CVE-2016-6888:
http://openwall.com/lists/oss-security/2016/08/19/10

Summary: qemu new security issues CVE-2016-4439, CVE-2016-4441, CVE-2016-445[34], CVE-2016-4952, CVE-2016-4964, CVE-2016-510[5-7], CVE-2016-5126, CVE-2016-5238, CVE-2016-533[78], CVE-2016-5403, CVE-2016-6351, CVE-2016-6490, CVE-2016-683[3-6] => qemu new security issues CVE-2016-4439, CVE-2016-4441, CVE-2016-445[34], CVE-2016-4952, CVE-2016-4964, CVE-2016-510[5-7], CVE-2016-5126, CVE-2016-5238, CVE-2016-533[78], CVE-2016-5403, CVE-2016-6351, CVE-2016-6490, CVE-2016-683[3-6], CVE-2016-6888

Comment 35 Thierry Vignaud 2016-08-25 23:33:18 CEST 
All relevant fixes up to CVE-5403 were merged in stable-2.6 branch and thus are in the 2.6.1 rpm for cauldron

Relevant fixes up to CVE-2016-5338 were merged in qemu-2.4.1-7.mga5

Assignee: thierry.vignaud => qa-bugs
Source RPM: qemu-2.4.1-6.mga5.src.rpm => qemu-2.4.1-7.mga5.src.rpm

Thierry Vignaud 2016-08-25 23:33:50 CEST

CC: (none) => thierry.vignaud
CVE: (none) => 2016-4439, 2016-4441, 2016-445[34], 2016-4952, 2016-4964, 2016-510[5-7], 2016-5126, 2016-5238, 2016-533[78], 2016-5403, 2016-6351, 2016-6490, 2016-683[3-6], 2016-6888

Comment 36 David Walser 2016-08-26 17:41:02 CEST 
Note that the affected code for CVE-2016-4964 is not present in 2.4, hence no patch for that in the Mageia 5 package.

For Mageia 5, you did miss CVE-2016-5126 and CVE-2016-5403.  RedHat (RHEL7) has patches for those that should apply to our package:
https://git.centos.org/blob/rpms!qemu-kvm.git/6078803a0db76660aef491907f795bb23ad33357/SOURCES!kvm-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch
https://git.centos.org/blob/rpms!qemu-kvm.git/6078803a0db76660aef491907f795bb23ad33357/SOURCES!kvm-virtio-error-out-if-guest-exceeds-virtqueue-size.patch

from https://rhn.redhat.com/errata/RHSA-2016-1606.html

I'm not sure if the other patch added in that update is needed (see here):
https://git.centos.org/commit/rpms!qemu-kvm.git/6078803a0db76660aef491907f795bb23ad33357
Comment 37 Thierry Vignaud 2016-08-26 20:08:02 CEST 
Well they're not in the 2.4 branch:
http://pkgs.fedoraproject.org/cgit/rpms/qemu.git/log/?h=f23
Comment 38 David Walser 2016-08-26 20:09:48 CEST 
(In reply to Thierry Vignaud from comment #37)
> Well they're not in the 2.4 branch:
> http://pkgs.fedoraproject.org/cgit/rpms/qemu.git/log/?h=f23

Fedora isn't always perfect about patching qemu; they missed those two.  The qemu-kvm version patched in RHEL7 is even older, so 2.4 certainly is affected, and like I said, by visual inspection, those two patches should apply cleanly.
Comment 39 David Walser 2016-08-31 02:08:53 CEST 
CVE-2016-7116:
http://openwall.com/lists/oss-security/2016/08/30/3

There are other possible security issues linked from that post as well.

Full CVE list:
CVE-2016-4439, CVE-2016-4441, CVE-2016-445[34], CVE-2016-4952, CVE-2016-4964, CVE-2016-510[5-7], CVE-2016-5126, CVE-2016-5238, CVE-2016-533[78], CVE-2016-5403, CVE-2016-6351, CVE-2016-6490, CVE-2016-683[3-6], CVE-2016-6888, CVE-2016-7116

Now we have so many CVEs, we've overflowed the bug subject field :D.

CVE: 2016-4439, 2016-4441, 2016-445[34], 2016-4952, 2016-4964, 2016-510[5-7], 2016-5126, 2016-5238, 2016-533[78], 2016-5403, 2016-6351, 2016-6490, 2016-683[3-6], 2016-6888 => 2016-4439, 2016-4441, 2016-445[34], 2016-4952, 2016-4964, 2016-510[5-7], 2016-5126, 2016-5238, 2016-533[78], 2016-5403, 2016-6351, 2016-6490, 2016-683[3-6], 2016-6888, 2016-7116
Summary: qemu new security issues CVE-2016-4439, CVE-2016-4441, CVE-2016-445[34], CVE-2016-4952, CVE-2016-4964, CVE-2016-510[5-7], CVE-2016-5126, CVE-2016-5238, CVE-2016-533[78], CVE-2016-5403, CVE-2016-6351, CVE-2016-6490, CVE-2016-683[3-6], CVE-2016-6888 => qemu new security issues (too many CVEs to list)

Comment 40 William Kenney 2016-09-01 19:34:36 CEST 
Created attachment 8385 [details]
qemu fail screen

CC: (none) => wilcal.int

Comment 41 William Kenney 2016-09-01 19:35:02 CEST 
On real hardware, M5, KDE, 64-bit

Package(s) under test:
qemu qemu-img

default install of qemu qemu-img

[root@localhost wilcal]# uname -a
Linux localhost 4.4.16-desktop-1.mga5 #1 SMP Tue Jul 26 09:23:40 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi x11-driver-video-nvidia-current
Package x11-driver-video-nvidia-current-352.79-3.mga5.nonfree.x86_64 is already installed
[root@localhost wilcal]# urpmi qemu
Package qemu-2.4.1-5.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi qemu-img
Package qemu-img-2.4.1-5.mga5.x86_64 is already installed

create /home/wilcal/qemu_test
into that copy file: Mageia-5-LiveCD-GNOME-en-i586-CD.iso
using a terminal in /home/wilcal/qemu_test run:
qemu-kvm -net user -net nic,model=virtio -cdrom Mageia-5-LiveCD-GNOME-en-i586-CD.iso -boot d -m 512
M5 i586 Gnome Live-CD opens then fails with the attached message.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 5 64-bit, Nvidia driver
Comment 42 David Walser 2016-09-01 20:14:43 CEST 
This isn't ready for QA yet.

Assignee: qa-bugs => thierry.vignaud

Comment 43 David Walser 2016-09-07 03:36:09 CEST 
CVE-2016-715[5-7]:
http://www.openwall.com/lists/oss-security/2016/09/07/1
http://www.openwall.com/lists/oss-security/2016/09/07/2
http://www.openwall.com/lists/oss-security/2016/09/07/3

CVE: 2016-4439, 2016-4441, 2016-445[34], 2016-4952, 2016-4964, 2016-510[5-7], 2016-5126, 2016-5238, 2016-533[78], 2016-5403, 2016-6351, 2016-6490, 2016-683[3-6], 2016-6888, 2016-7116 => 2016-4439, 2016-4441, 2016-445[34], 2016-4952, 2016-4964, 2016-510[5-7], 2016-5126, 2016-5238, 2016-533[78], 2016-5403, 2016-6351, 2016-6490, 2016-683[3-6], 2016-6888, 2016-7116, 2016-715[5-7]

Comment 44 David Walser 2016-09-09 17:17:15 CEST 
CVE-2016-7170:
http://www.openwall.com/lists/oss-security/2016/09/09/7

CVE: 2016-4439, 2016-4441, 2016-445[34], 2016-4952, 2016-4964, 2016-510[5-7], 2016-5126, 2016-5238, 2016-533[78], 2016-5403, 2016-6351, 2016-6490, 2016-683[3-6], 2016-6888, 2016-7116, 2016-715[5-7] => 2016-4439, 2016-4441, 2016-445[34], 2016-4952, 2016-4964, 2016-510[5-7], 2016-5126, 2016-5238, 2016-533[78], 2016-5403, 2016-6351, 2016-6490, 2016-683[3-6], 2016-6888, 2016-7116, 2016-715[5-7], 2016-7170

Comment 45 David Walser 2016-09-12 22:12:14 CEST 
(In reply to David Walser from comment #39)
> CVE-2016-7116:
> http://openwall.com/lists/oss-security/2016/08/30/3

LWN reference:
http://lwn.net/Vulnerabilities/700388/
Comment 46 David Walser 2016-09-16 19:29:40 CEST 
CVE-2016-742[1-3]:
http://www.openwall.com/lists/oss-security/2016/09/16/9
http://www.openwall.com/lists/oss-security/2016/09/16/10
http://www.openwall.com/lists/oss-security/2016/09/16/11

CVE: 2016-4439, 2016-4441, 2016-445[34], 2016-4952, 2016-4964, 2016-510[5-7], 2016-5126, 2016-5238, 2016-533[78], 2016-5403, 2016-6351, 2016-6490, 2016-683[3-6], 2016-6888, 2016-7116, 2016-715[5-7], 2016-7170 => 2016-4439, 2016-4441, 2016-445[34], 2016-4952, 2016-4964, 2016-510[5-7], 2016-5126, 2016-5238, 2016-533[78], 2016-5403, 2016-6351, 2016-6490, 2016-683[3-6], 2016-6888, 2016-7116, 2016-715[5-7], 2016-7170, 2016-742[1-3]

Comment 47 David Walser 2016-09-21 00:30:33 CEST 
CVE-2016-7466:
http://openwall.com/lists/oss-security/2016/09/20/3

CVE: 2016-4439, 2016-4441, 2016-445[34], 2016-4952, 2016-4964, 2016-510[5-7], 2016-5126, 2016-5238, 2016-533[78], 2016-5403, 2016-6351, 2016-6490, 2016-683[3-6], 2016-6888, 2016-7116, 2016-715[5-7], 2016-7170, 2016-742[1-3] => 2016-4439, 2016-4441, 2016-445[34], 2016-4952, 2016-4964, 2016-510[5-7], 2016-5126, 2016-5238, 2016-533[78], 2016-5403, 2016-6351, 2016-6490, 2016-683[3-6], 2016-6888, 2016-7116, 2016-715[5-7], 2016-7170, 2016-742[1-3], 2016-7466

Comment 48 David Walser 2016-09-23 19:34:32 CEST 
CVE-2016-7161:
http://www.openwall.com/lists/oss-security/2016/09/23/8

CVE: 2016-4439, 2016-4441, 2016-445[34], 2016-4952, 2016-4964, 2016-510[5-7], 2016-5126, 2016-5238, 2016-533[78], 2016-5403, 2016-6351, 2016-6490, 2016-683[3-6], 2016-6888, 2016-7116, 2016-715[5-7], 2016-7170, 2016-742[1-3], 2016-7466 => 2016-4439, 2016-4441, 2016-445[34], 2016-4952, 2016-4964, 2016-510[5-7], 2016-5126, 2016-5238, 2016-533[78], 2016-5403, 2016-6351, 2016-6490, 2016-683[3-6], 2016-6888, 2016-7116, 2016-715[5-7], 2016-7161, 2016-7170, 2016-742[1-3], 2016-7466

Comment 49 David Walser 2016-09-26 20:53:45 CEST 
LWN reference for...
CVE-2016-6490 CVE-2016-683[346] CVE-2016-6888 CVE-2016-715[67] CVE-2016-7422:
http://lwn.net/Vulnerabilities/701926/
Comment 50 David Walser 2016-10-03 18:14:25 CEST 
CVE-2016-790[7-9]:
http://openwall.com/lists/oss-security/2016/10/03/4
http://openwall.com/lists/oss-security/2016/10/03/5
http://openwall.com/lists/oss-security/2016/10/03/6

CVE: 2016-4439, 2016-4441, 2016-445[34], 2016-4952, 2016-4964, 2016-510[5-7], 2016-5126, 2016-5238, 2016-533[78], 2016-5403, 2016-6351, 2016-6490, 2016-683[3-6], 2016-6888, 2016-7116, 2016-715[5-7], 2016-7161, 2016-7170, 2016-742[1-3], 2016-7466 => 2016-4439, 2016-4441, 2016-445[34], 2016-4952, 2016-4964, 2016-510[5-7], 2016-5126, 2016-5238, 2016-533[78], 2016-5403, 2016-6351, 2016-6490, 2016-683[3-6], 2016-6888, 2016-7116, 2016-715[5-7], 2016-7161, 2016-7170, 2016-742[1-3], 2016-7466, 2016-790[7-9]

Comment 51 David Walser 2016-10-08 20:41:55 CEST 
CVE-2016-799[45]:
http://openwall.com/lists/oss-security/2016/10/08/3
http://openwall.com/lists/oss-security/2016/10/08/4

I can't even fit these into the CVE field because it's full :o(
Comment 53 David Walser 2016-10-11 20:27:43 CEST 
LWN reference for CVE-2016-7161 CVE-2016-7170 CVE-2016-7908:
http://lwn.net/Vulnerabilities/703244/
Comment 55 David Walser 2016-10-19 22:07:03 CEST 
LWN reference for CVE-2016-7466 CVE-2016-8576 CVE-2016-7995:
http://lwn.net/Vulnerabilities/703985/
Comment 57 David Walser 2016-10-24 19:28:12 CEST 
LWN reference for CVE-2016-7155:
http://lwn.net/Vulnerabilities/704471/
Comment 58 David Walser 2016-10-27 14:30:29 CEST 
LWN reference for CVE-2016-8577 CVE-2016-8578 CVE-2016-8669:
http://lwn.net/Vulnerabilities/704701/
Comment 60 David Walser 2016-10-31 20:21:19 CET 
LWN reference for CVE-2016-7909 CVE-2016-8909 CVE-2016-8910:
http://lwn.net/Vulnerabilities/705120/
Comment 61 David Walser 2016-11-04 16:11:14 CET 
(In reply to David Walser from comment #59)
> CVE-2016-910[1-6]:

LWN reference:
http://lwn.net/Vulnerabilities/705578/
Comment 62 David Walser 2016-11-10 19:08:10 CET 
LWN reference for CVE-2016-7421 CVE-2016-7423 CVE-2016-7994 CVE-2016-8668:
http://lwn.net/Vulnerabilities/706117/
Comment 63 Nicolas Lécureuil 2016-11-18 01:37:59 CET 
thierry, what do you think about updating qemu to branch 2.6 ?

CC: (none) => mageia

Comment 64 David Walser 2016-11-21 21:08:13 CET 
LWN reference for CVE-2016-7907:
https://lwn.net/Vulnerabilities/707046/
Comment 65 David Walser 2016-11-25 19:56:43 CET 
LWN reference for CVE-2016-8667:
https://lwn.net/Vulnerabilities/707363/
Comment 71 David Walser 2016-12-26 18:56:03 CET 
LWN reference for CVE-2016-9911:
https://lwn.net/Vulnerabilities/710212/
Comment 72 David Walser 2017-01-16 18:52:41 CET 
LWN reference for CVE-2016-9845 CVE-2016-9846 CVE-2016-9907 CVE-2016-9908 CVE-2016-9912:
https://lwn.net/Vulnerabilities/711782/
Comment 73 David Walser 2017-01-17 15:17:43 CET 
CVE-2016-9602:
http://openwall.com/lists/oss-security/2017/01/17/12
Comment 74 David Walser 2017-01-18 22:29:03 CET 
CVE-2017-5525:
http://openwall.com/lists/oss-security/2017/01/18/7
Comment 75 David Walser 2017-01-18 22:29:33 CET 
CVE-2017-5526:
http://openwall.com/lists/oss-security/2017/01/18/8
Comment 76 David Walser 2017-01-21 23:29:31 CET 
CVE-2016-10155 and CVE-2017-5552:
http://openwall.com/lists/oss-security/2017/01/21/4
http://openwall.com/lists/oss-security/2017/01/21/5
Comment 77 David Walser 2017-01-24 02:45:31 CET 
LWN reference for CVE-2016-9923:
https://lwn.net/Vulnerabilities/712302/

LWN reference for CVE-2016-10028:
https://lwn.net/Vulnerabilities/712301/

Yet another CVE request:
http://openwall.com/lists/oss-security/2017/01/23/3
Comment 79 David Walser 2017-02-01 02:15:35 CET 
CVE-2017-5667:
http://openwall.com/lists/oss-security/2017/01/31/10
Comment 80 David Walser 2017-02-01 12:29:44 CET 
CVE-2017-2615:
http://openwall.com/lists/oss-security/2017/02/01/6
Comment 83 David Walser 2017-02-14 01:56:53 CET 
CVE-2017-5973:
http://openwall.com/lists/oss-security/2017/02/13/1
Comment 84 David Walser 2017-02-15 02:06:32 CET 
CVE-2017-5987:
http://openwall.com/lists/oss-security/2017/02/14/8
Comment 85 David Walser 2017-02-15 12:01:12 CET 
CVE-2017-2630:
http://openwall.com/lists/oss-security/2017/02/15/2
Comment 86 David Walser 2017-02-16 12:06:31 CET 
CVE-2017-6000:
http://openwall.com/lists/oss-security/2017/02/16/2
Comment 87 David Walser 2017-02-17 11:55:36 CET 
(In reply to David Walser from comment #86)
> CVE-2017-6000:
> http://openwall.com/lists/oss-security/2017/02/16/2

Rejected as a security issue:
http://openwall.com/lists/oss-security/2017/02/17/1

However, there is a new one.

CVE-2017-6058:
http://openwall.com/lists/oss-security/2017/02/17/2
Comment 88 David Walser 2017-02-22 12:17:18 CET 
CVE-2017-2620:
http://openwall.com/lists/oss-security/2017/02/21/1
Comment 89 David Walser 2017-02-22 19:55:54 CET 
LWN reference for CVE-2016-10155 CVE-2017-5552 CVE-2017-557[89] CVE-2017-5667 CVE-2017-585[67] CVE-2017-5898 CVE-2017-5931:
https://lwn.net/Vulnerabilities/715168/
Comment 90 David Walser 2017-02-23 12:01:35 CET 
CVE-2017-2633:
http://openwall.com/lists/oss-security/2017/02/23/1
Comment 91 David Walser 2017-03-02 11:54:51 CET 
CVE-2017-6414:
http://openwall.com/lists/oss-security/2017/03/01/11
Comment 92 David Walser 2017-03-07 03:17:03 CET 
CVE-2017-6505:
http://openwall.com/lists/oss-security/2017/03/06/6
Comment 93 David Walser 2017-03-15 01:49:15 CET 
CVE-2016-9603:
http://openwall.com/lists/oss-security/2017/03/14/2
Comment 94 David Walser 2017-04-04 03:08:04 CEST 
CVE-2017-7377:
http://openwall.com/lists/oss-security/2017/04/03/2
Comment 96 David Walser 2017-04-22 20:26:12 CEST 
CVE-2017-7980:
http://openwall.com/lists/oss-security/2017/04/21/1
Comment 97 David Walser 2017-04-25 12:13:50 CEST 
CVE-2017-8086:
http://openwall.com/lists/oss-security/2017/04/25/5
Comment 98 David Walser 2017-04-26 12:29:23 CEST 
CVE-2017-8112:
http://openwall.com/lists/oss-security/2017/04/26/5
Marja Van Waes 2017-05-15 18:16:56 CEST

Depends on: (none) => 20858

Comment 100 Zombie Ryushu 2017-05-15 18:33:01 CEST 
I've reported this to Rosa as well, and if they come up with diffs for this set of CVEs, I'll let you folks know.

CC: (none) => zombie_ryushu

Comment 101 David Walser 2017-05-16 21:36:10 CEST 
*** Bug 20858 has been marked as a duplicate of this bug. ***

Depends on: 20858 => (none)

David Walser 2017-05-16 22:02:32 CEST

Whiteboard: (none) => MGA5TOO
Version: 5 => Cauldron

Comment 102 David Walser 2017-05-18 02:31:14 CEST 
CVE-2017-7493:
http://openwall.com/lists/oss-security/2017/05/17/6
Comment 103 David Walser 2017-05-20 12:18:05 CEST 
CVE-2017-9060:
http://openwall.com/lists/oss-security/2017/05/19/1
Comment 104 David Walser 2017-05-31 12:00:05 CEST 
CVE-2017-9310:
http://openwall.com/lists/oss-security/2017/05/31/1
Comment 105 David Walser 2017-06-01 12:05:53 CEST 
CVE-2017-9330:
http://openwall.com/lists/oss-security/2017/06/01/3
Comment 106 Thomas Backlund 2017-06-04 21:18:39 CEST 
I'm currently working on the cauldron package

CC: (none) => tmb

Comment 107 Thomas Backlund 2017-06-04 23:52:41 CEST 
Cauldron fixed as of  qemu-2.8.1.1-1.mga6 currently building

Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5

Comment 108 David Walser 2017-06-05 12:14:10 CEST 
CVE-2017-9373:
http://openwall.com/lists/oss-security/2017/06/05/1
Comment 109 Thomas Backlund 2017-06-05 18:41:58 CEST 
CVE-2017-9375:
http://seclists.org/oss-sec/2017/q2/417

both CVE-2017-9373 and CVE-2017-9375 fixed in Cauldron in qemu-2.8.1.1-2.mga6 currently building
Comment 110 David Walser 2017-06-06 00:32:13 CEST 
(In reply to Thomas Backlund from comment #109)
> CVE-2017-9375:
> http://seclists.org/oss-sec/2017/q2/417

oss-security link for that one:
http://openwall.com/lists/oss-security/2017/06/05/2

> both CVE-2017-9373 and CVE-2017-9375 fixed in Cauldron in
> qemu-2.8.1.1-2.mga6 currently building

Not quite; it didn't build :o(
Comment 111 Thomas Backlund 2017-06-06 12:38:30 CEST 
(In reply to David Walser from comment #110)
> (In reply to Thomas Backlund from comment #109)
> > CVE-2017-9375:
> > http://seclists.org/oss-sec/2017/q2/417
> 
> oss-security link for that one:
> http://openwall.com/lists/oss-security/2017/06/05/2
> 
> > both CVE-2017-9373 and CVE-2017-9375 fixed in Cauldron in
> > qemu-2.8.1.1-2.mga6 currently building
> 
> Not quite; it didn't build :o(

Now fixed.
Comment 112 Thomas Backlund 2017-06-06 17:50:13 CEST 
Another day, another cve

CVE-2017-9374:
http://openwall.com/lists/oss-security/2017/06/06/3

fixed in cauldron
Comment 113 David Walser 2017-06-08 11:18:49 CEST 
CVE-2017-9503:
http://openwall.com/lists/oss-security/2017/06/08/1
Comment 114 Thomas Backlund 2017-06-08 16:19:49 CEST 
(In reply to David Walser from comment #113)
> CVE-2017-9503:
> http://openwall.com/lists/oss-security/2017/06/08/1

fixed in cauldron
Comment 115 David Walser 2017-06-12 12:14:29 CEST 
CVE-2017-9524:
http://openwall.com/lists/oss-security/2017/06/12/1
Comment 116 Thomas Backlund 2017-06-25 00:30:05 CEST 
(In reply to David Walser from comment #115)
> CVE-2017-9524:
> http://openwall.com/lists/oss-security/2017/06/12/1

Fixed in cauldron in qemu-2.8.1.1-5.mga6 (currently building)
Comment 117 David Walser 2017-06-30 23:01:10 CEST 
CVE-2017-10664:
http://openwall.com/lists/oss-security/2017/06/29/1

Already fixed in Cauldron by tmb.
Comment 118 David Walser 2017-07-07 12:30:06 CEST 
CVE-2017-10806:
http://openwall.com/lists/oss-security/2017/07/07/1
Comment 119 David Walser 2017-07-17 12:17:26 CEST 
CVE-2017-11334:
http://openwall.com/lists/oss-security/2017/07/17/4
Comment 120 David Walser 2017-07-20 02:33:55 CEST 
CVE-2017-11434:
http://openwall.com/lists/oss-security/2017/07/19/2
Comment 121 David Walser 2017-07-22 18:51:54 CEST 
CVE-2017-7539:
http://openwall.com/lists/oss-security/2017/07/21/4
Comment 122 David Walser 2017-07-27 02:30:55 CEST 
Fedora advisory fixing several of the more recent ones:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BBO4GN7KLLDD66JCIRPV4YS2EQFLOYLW/
Comment 123 Zombie Ryushu 2017-08-09 09:53:13 CEST 
Another CVE For QEMU.

https://www.debian.org/security/2017/dsa-3925
Comment 124 David Walser 2017-08-21 13:52:24 CEST 
CVE-2017-12809:
http://openwall.com/lists/oss-security/2017/08/21/2
Comment 125 David Walser 2017-08-29 22:06:17 CEST 
CVE-2017-13711:
http://www.openwall.com/lists/oss-security/2017/08/29/6
Comment 127 David Walser 2017-09-07 18:33:50 CEST 
CVE-2017-14167:
http://openwall.com/lists/oss-security/2017/09/07/2
Comment 128 David Walser 2017-10-07 17:51:24 CEST 
CVE-2017-15038:
http://openwall.com/lists/oss-security/2017/10/06/1
Comment 129 David Walser 2017-10-12 11:54:31 CEST 
CVE-2017-15268:
http://openwall.com/lists/oss-security/2017/10/12/4
Comment 130 David Walser 2017-10-13 21:41:55 CEST 
CVE-2017-15289:
http://openwall.com/lists/oss-security/2017/10/12/16
Comment 132 David Walser 2017-11-17 14:28:09 CET 
CVE-2017-16845:
http://openwall.com/lists/oss-security/2017/11/17/1
Comment 134 David Walser 2017-12-07 14:59:15 CET 
CVE-2017-17381:
http://openwall.com/lists/oss-security/2017/12/05/2
Comment 135 David Walser 2017-12-22 20:11:30 CET 
CVE-2017-15124:
http://openwall.com/lists/oss-security/2017/12/19/4
Comment 136 David Walser 2017-12-27 00:57:34 CET 
For all practical purposes, this package is as unsupportable as xen is.  I will no longer track security issues in this package either (I already don't for xen).  If anyone wants to update them, that's just fine.

Status: NEW => RESOLVED
Resolution: (none) => WONTFIX

Comment 137 David Walser 2018-01-08 03:35:48 CET 
qemu advisory from RedHat for CVE-2017-5715 mitigations if anyone cares:
https://access.redhat.com/errata/RHSA-2018:0023