Bug 20858

Summary: qemu security vulnerability CVE-2017-5579
Product: Mageia
Reporter: Zombie Ryushu <zombie_ryushu>
Component: Security
Assignee: Thierry Vignaud <thierry.vignaud>
Status: RESOLVED DUPLICATE
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: marja11, pkg-bugs
Version: Cauldron
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://www.linuxsecurity.com/content/view/171459/170/
Whiteboard:
Source RPM: qemu-2.8.0-5.mga6
CVE:
Status comment:

Description Zombie Ryushu 2017-05-15 14:39:21 CEST
QEMU is a generic and open source processor emulator which achieves a good
emulation speed by using dynamic translation. QEMU has two operating modes:

 * Full system emulation. In this mode, QEMU emulates a full system (for
   example a PC), including a processor and various peripherals. It can be
   used to launch different Operating Systems without rebooting the PC or
   to debug system code.
 * User mode emulation. In this mode, QEMU can launch Linux processes compiled
   for one CPU on another CPU.

As QEMU requires no host kernel patches to run, it is safe and easy to use.

--------------------------------------------------------------------------------
Update Information:

 * Fix xen pv graphical display failure (bz #1350264)
 * CVE-2016-8667: dma: divide by zero error in set_next_tick (bz #1384876)
 * CVE-2017-5579: serial: fix memory leak in serial exit (bz #1416161)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1384874 - CVE-2016-8667 Qemu: hw: dma: divide by zero error in set_next_tick
        https://bugzilla.redhat.com/show_bug.cgi?id=1384874
  [ 2 ] Bug #1416157 - CVE-2017-5579 Qemu: serial: host memory leakage 16550A UART emulation
        https://bugzilla.redhat.com/show_bug.cgi?id=1416157
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade qemu' at the command line.
For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
Comment 1 Marja Van Waes 2017-05-15 18:16:56 CEST
CVE-2017-5579 is mentioned in bug #18489, comment #78
CVE-2016-8667 is mentioned in bug #18489, comment #65

@ David W. & Thierry

Bug 18489 is only about Mageia 5; I guess it's better to keep a separate report for cauldron?

The last time CVEs were mentioned in the cauldron qemu changelog was on 2016-10-19, when (amongst others) CVE-2016-7466, CVE-2016-8576 and CVE-2016-7995 were fixed. Those CVEs were mentioned in bug #18489, comment #55.

However, qemu-2.8.0, which we got on 2016-12-22, probably contained fixes for part of the security issues that got CVEs after 2016-10-19. I didn't manage to find a list of CVEs that were fixed by 2.8.0.

The latest Qemu versions upstream are 2.8.1.1 and 2.9.0, both released on Apr 20 2017 (2.9.0 is the unstable branch?). I can't find which CVEs they fix, either :-/

@ all packagers collectively

Please don't hesitate to offer to help fix qemu, if you can help!

QA Contact: (none) => security
Component: RPM Packages => Security
CC: (none) => marja11, pkg-bugs
Blocks: (none) => 18489
Source RPM: qemu => qemu-2.8.0-5.mga6

Comment 2 Marja Van Waes 2017-05-15 18:19:35 CEST
really assigning, now :-(

Assignee: bugsquad => thierry.vignaud

Comment 3 David Walser 2017-05-16 21:36:10 CEST
Already reported here with the hundreds of other qemu CVEs:
https://bugs.mageia.org/show_bug.cgi?id=18489#c78

*** This bug has been marked as a duplicate of bug 18489 ***

Resolution: (none) => DUPLICATE
Blocks: 18489 => (none)
Status: NEW => RESOLVED