Accepted qemu 1:2.8+dfsg-6+deb9u10 (source) into oldstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 25 Jul 2020 18:40:28 +0300
Source: qemu
Architecture: source
Version: 1:2.8+dfsg-6+deb9u10
Distribution: stretch-security
Urgency: medium
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Closes: 865754 961887 961888 964793
Changes:
 qemu (1:2.8+dfsg-6+deb9u10) stretch-security; urgency=medium
 .
   * vnc-fix-memory-leak-when-vnc-disconnect-CVE-2019-20382.patch
     Fix misuse of libz in VNC disconnect, leading to memory leak
     Closes: CVE-2019-20382
   * scsi-lsi-exit-infinite-loop-while-executing-script-CVE-2019-12068.patch
     Fix possible infinite loop in lsi_execute_script (LSI SCSI adapter)
     Closes: CVE-2019-12068
   * iscsi-fix-heap-buffer-overflow-in-iscsi_aio_ioctl_cb.patch
     Fix heap buffer overflow in iSCSI's iscsi_aio_ioctl_cb()
   * slirp-fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch
     Fix another use-after-free in ip_reass() in SLIRP code
     Closes: CVE-2020-1983
   * core-loader-fix-possible-crash-in-rom_copy-CVE-2020-13765.patch
     rom_copy() in hw/core/loader.c allows triggering invalid mem copy op.
     Closes: CVE-2020-13765
   * revert-memory-accept-mismatching-sizes-in-memory_region_access_va...patch
     Closes: CVE-2020-13754, possible OOB memory accesses in a bunch of qemu
     devices which use min_access_size and max_access_size Memory API fields.
     Also closes: CVE-2020-13791
   * acpi-accept-byte-and-word-access-to-core-ACPI-registers.patch
     replace acpi-tmr-allow-2-byte-reads.patch with a more complete patch
     Closes: #964793
   * xhci-fix-valid.max_access_size-to-access-address-registers.patch
     This is another issue revealed after the CVE-2020-13754 fix
   * exec-set-map-length-to-zero-when-returning-NULL-CVE-2020-13659.patch
     CVE-2020-13659: address_space_map in exec.c can trigger
     a NULL pointer dereference related to BounceBuffer
   * megasas-use-unsigned-type-for-reply_queue_head-and-check-index...patch
     Closes: #961887, CVE-2020-13362, megasas_lookup_frame in hw/scsi/megasas.c
     has an OOB read via a crafted reply_queue_head field from a guest OS user
   * megasas-use-unsigned-type-for-positive-numeric-fields.patch
     fix other possible cases like in CVE-2020-13362 (#961887)
   * 5 more security patches for megasas, avoid TOC-TOU (time-to-check vs
     time-to-use) issues reading various parameters from guest-supplied frame:
     megasas-do-not-read-sense-length-more-than-once-from-frame.patch
     megasas-do-not-read-iovec-count-more-than-once-from-frame.patch
     megasas-do-not-read-DCMD-opcode-more-than-once-from-frame.patch
     megasas-do-not-read-command-more-than-once-from-frame.patch
     megasas-do-not-read-SCSI-req-parameters-more-than-once-from-frame.patch
   * megasas-always-store-SCSIRequest-into-MegasasCmd-CVE-2017-9503.patch
     possible NULL-pointer dereference caused by privileged guest user
     megasas hba command processing. Closes: #865754, CVE-2017-9503
   * megasas-fix-possible-out-of-bounds-array-access.patch
     Some tracepoints use a guest-controlled value as an index into the
     mfi_frame_desc[] array. Thus a malicious guest could cause very low
     impact OOB errors here
   * es1370-check-total-frame-count-against-current-frame-CVE-2020-13361.patch
     Closes: #961888, CVE-2020-13361, es1370_transfer_audio in hw/audio/es1370.c
     does not properly validate the frame count, which allows guest OS users
     to trigger an out-of-bounds access during an es1370_write() operation
   * slirp-drop-bogus-IPv6-messages-CVE-2020-10756.patch
     Closes: CVE-2020-10756, possible OOB read in icmp6_send_echoreply()
   * slirp-tcp_emu-fix-unsafe-snprintf-usages-CVE-2020-8608.patch
     (and a preparational patch, slirp-add-fmt-helpers.patch)
     Closes: CVE-2020-8608
   * xgmac-fix-buffer-overflow-in-xgmac_enet_send-CVE-2020-15863.patch
     ARM-only XGMAC NIC, possible buffer overflow during packet transmission
     Closes: CVE-2020-15863
Checksums-Sha1:
 a2af9f53ffd7bff180504dfd2e76f3fc61eb048f 5583 qemu_2.8+dfsg-6+deb9u10.dsc
 6471731adf873823bf127460af01aee5a74dd0d3 184208 qemu_2.8+dfsg-6+deb9u10.debian.tar.xz
 264fdfed79a69ae6f32047bb878296b41106ae35 7945 qemu_2.8+dfsg-6+deb9u10_source.buildinfo
Checksums-Sha256:
 e1ce6086242c33c8e89ee0d00f337767726b6df3ffc5e130bbde73af760f52bc 5583 qemu_2.8+dfsg-6+deb9u10.dsc
 22c9754e755e9eaf3c223e0f3f2052a4bbef569acb231041324ec61b49ae14a1 184208 qemu_2.8+dfsg-6+deb9u10.debian.tar.xz
 d46495e38bffb5cf3c81df687a0eb74e3270f3fd1b41d7b957a88137f00bda05 7945 qemu_2.8+dfsg-6+deb9u10_source.buildinfo
Files:
 8662bffda9502d73c5a4f672ceaf8e98 5583 otherosfs optional qemu_2.8+dfsg-6+deb9u10.dsc
 fdf946e1d0da2f0b03d9da44a960f921 184208 otherosfs optional qemu_2.8+dfsg-6+deb9u10.debian.tar.xz
 a5fc87fff870b41ede5b7ee5891ca2bb 7945 otherosfs optional qemu_2.8+dfsg-6+deb9u10_source.buildinfo

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----