[Secure-testing-commits] r48486 - data/CVE
Salvatore Bonaccorso
carnil at moszumanska.debian.org
Sat Jan 28 20:29:30 UTC 2017
Author: carnil
Date: 2017-01-28 20:29:30 +0000 (Sat, 28 Jan 2017)
New Revision: 48486
Modified:
data/CVE/list
Log:
Triage CVE-2017-5578/qemu, mark affected versions
Mark as unimportant for sid as well, since 1:2.8+dfsg-2 the virtio gpu
(virglrenderer) and opengl support was reverted again. The affected
source is still present up to 2.8.
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-01-28 20:09:18 UTC (rev 48485)
+++ data/CVE/list 2017-01-28 20:29:30 UTC (rev 48486)
@@ -144,11 +144,15 @@
TODO: check
CVE-2017-5578 [display: virtio-gpu: host memory leakage in virtio_gpu_resource_attach_backing]
RESERVED
- - qemu <unfixed>
- - qemu-kvm <removed>
- NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=204f01b30975923c64006f8067f0937b91eea68b
+ - qemu <unfixed> (unimportant)
+ [jessie] - qemu <not-affected> (Vulnerable code introduced later)
+ [wheezy] - qemu <not-affected> (Vulnerable code introduced later)
+ - qemu-kvm <not-affected> (Vulnerable code introduced later)
+ NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=204f01b30975923c64006f8067f0937b91eea68b
+ NOTE: Introduced after: http://git.qemu.org/?p=qemu.git;a=commit;h=62232bf48456bda4058ceae05851bc58c1032338 (v2.4.0)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1415795
- TODO: check affected versions
+ NOTE: Marked as unimportant, since 1:2.8+dfsg-2 upload reverts
+ NOTE: enable virtio gpu (virglrenderer) and opengl support"
CVE-2017-5577 [drm/vc4: Return -EINVAL on the overflow checks failing]
RESERVED
- linux 4.9.6-1
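Review bot: The last added NOTE for CVE-2017-5578 ends with a closing double quote after "opengl support" that is never opened, so a reader cannot tell where the quoted text starts. The two lines appear to cite the title of the reverted change; put the opening quote before "enable" on the second NOTE line, or drop the stray quote, so the reason for the (unimportant) tag reads as one statement. The "Introduced after:" NOTE is also ambiguous: it does not say whether the referenced commit itself adds the vulnerable code or only precedes it, nor whether "(v2.4.0)" is the first release containing it. Stating that explicitly would make the jessie, wheezy and qemu-kvm <not-affected> markings easier to verify later.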