Accepted qemu 1:2.8+dfsg-6+deb9u10 (source) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 25 Jul 2020 18:40:28 +0300
Source: qemu
Architecture: source
Version: 1:2.8+dfsg-6+deb9u10
Distribution: stretch-security
Urgency: medium
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Closes: 865754 961887 961888 964793
Changes:
qemu (1:2.8+dfsg-6+deb9u10) stretch-security; urgency=medium
.
* vnc-fix-memory-leak-when-vnc-disconnect-CVE-2019-20382.patch
Fix misuse of libz in VNC disconnect, leading to memory leak
Closes: CVE-2019-20382
* scsi-lsi-exit-infinite-loop-while-executing-script-CVE-2019-12068.patch
Fix possible infinite loop in lsi_execute_script (LSI SCSI adapter)
Closes: CVE-2019-12068
* iscsi-fix-heap-buffer-overflow-in-iscsi_aio_ioctl_cb.patch
Fix heap buffer overflow in iSCSI's iscsi_aio_ioctl_cb()
* slirp-fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch
Fix another use-after-free in ip_reass() in SLIRP code
Closes: CVE-2020-1983
* core-loader-fix-possible-crash-in-rom_copy-CVE-2020-13765.patch
rom_copy() in hw/core/loader.c allows triggering invalid mem copy op.
Closes: CVE-2020-13765
* revert-memory-accept-mismatching-sizes-in-memory_region_access_va...patch
Closes: CVE-2020-13754, possible OOB memory accesses in a bunch of qemu
devices which use min_access_size and max_access_size Memory API fields.
Also closes: CVE-2020-13791
* acpi-accept-byte-and-word-access-to-core-ACPI-registers.patch
replace acpi-tmr-allow-2-byte-reads.patch with a more complete patch
Closes: #964793
* xhci-fix-valid.max_access_size-to-access-address-registers.patch
This is another issue revealed after the CVE-2020-13754 fix
* exec-set-map-length-to-zero-when-returning-NULL-CVE-2020-13659.patch
CVE-2020-13659: address_space_map in exec.c can trigger
a NULL pointer dereference related to BounceBuffer
* megasas-use-unsigned-type-for-reply_queue_head-and-check-index...patch
Closes: #961887, CVE-2020-13362, megasas_lookup_frame in hw/scsi/megasas.c
has an OOB read via a crafted reply_queue_head field from a guest OS user
* megasas-use-unsigned-type-for-positive-numeric-fields.patch
fix other possible cases like in CVE-2020-13362 (#961887)
* 5 more security patches for megasas, avoid TOC-TOU (time-to-check vs
time-to-use) issues reading various parameters from guest-supplied frame:
megasas-do-not-read-sense-length-more-than-once-from-frame.patch
megasas-do-not-read-iovec-count-more-than-once-from-frame.patch
megasas-do-not-read-DCMD-opcode-more-than-once-from-frame.patch
megasas-do-not-read-command-more-than-once-from-frame.patch
megasas-do-not-read-SCSI-req-parameters-more-than-once-from-frame.patch
* megasas-always-store-SCSIRequest-into-MegasasCmd-CVE-2017-9503.patch
possible NULL-pointer dereference caused by privileged guest user
megasas hba command processing. Closes: #865754, CVE-2017-9503
* megasas-fix-possible-out-of-bounds-array-access.patch
Some tracepoints use a guest-controlled value as an index into the
mfi_frame_desc[] array. Thus a malicious guest could cause very low
impact OOB errors here
* es1370-check-total-frame-count-against-current-frame-CVE-2020-13361.patch
Closes: #961888, CVE-2020-13361, es1370_transfer_audio in hw/audio/es1370.c
does not properly validate the frame count, which allows guest OS users
to trigger an out-of-bounds access during an es1370_write() operation
* slirp-drop-bogus-IPv6-messages-CVE-2020-10756.patch
Closes: CVE-2020-10756, possible OOB read in icmp6_send_echoreply()
* slirp-tcp_emu-fix-unsafe-snprintf-usages-CVE-2020-8608.patch
(and a preparational patch, slirp-add-fmt-helpers.patch)
Closes: CVE-2020-8608
* xgmac-fix-buffer-overflow-in-xgmac_enet_send-CVE-2020-15863.patch
ARM-only XGMAC NIC, possible buffer overflow during packet transmission
Closes: CVE-2020-15863
Checksums-Sha1:
a2af9f53ffd7bff180504dfd2e76f3fc61eb048f 5583 qemu_2.8+dfsg-6+deb9u10.dsc
6471731adf873823bf127460af01aee5a74dd0d3 184208 qemu_2.8+dfsg-6+deb9u10.debian.tar.xz
264fdfed79a69ae6f32047bb878296b41106ae35 7945 qemu_2.8+dfsg-6+deb9u10_source.buildinfo
Checksums-Sha256:
e1ce6086242c33c8e89ee0d00f337767726b6df3ffc5e130bbde73af760f52bc 5583 qemu_2.8+dfsg-6+deb9u10.dsc
22c9754e755e9eaf3c223e0f3f2052a4bbef569acb231041324ec61b49ae14a1 184208 qemu_2.8+dfsg-6+deb9u10.debian.tar.xz
d46495e38bffb5cf3c81df687a0eb74e3270f3fd1b41d7b957a88137f00bda05 7945 qemu_2.8+dfsg-6+deb9u10_source.buildinfo
Files:
8662bffda9502d73c5a4f672ceaf8e98 5583 otherosfs optional qemu_2.8+dfsg-6+deb9u10.dsc
fdf946e1d0da2f0b03d9da44a960f921 184208 otherosfs optional qemu_2.8+dfsg-6+deb9u10.debian.tar.xz
a5fc87fff870b41ede5b7ee5891ca2bb 7945 otherosfs optional qemu_2.8+dfsg-6+deb9u10_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----