[Secure-testing-commits] r51307 - data/CVE

Salvatore Bonaccorso carnil at moszumanska.debian.org
Wed May 3 15:16:06 UTC 2017


Author: carnil
Date: 2017-05-03 15:16:06 +0000 (Wed, 03 May 2017)
New Revision: 51307

Modified:
   data/CVE/list
Log:
Update status for CVE-2017-7471 and CVE-2016-9602

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-05-03 10:37:46 UTC (rev 51306)
+++ data/CVE/list	2017-05-03 15:16:06 UTC (rev 51307)
@@ -2698,11 +2698,14 @@
 CVE-2017-7471 [9p: virtfs allows guest to change filesystem attributes on host]
 	RESERVED
 	- qemu <unfixed> (bug #860785)
-	- qemu-kvm <removed>
+	[jessie] - qemu <not-affected> (Vulnerable code introduced with fix for CVE-2016-9602)
+	[wheezy] - qemu <not-affected> (Vulnerable code introduced with fix for CVE-2016-9602)
+	- qemu-kvm <not-affected> (Vulnerable code introduced with fix for CVE-2016-9602)
 	NOTE: Fixed by: http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=9c6b899f7a46893ab3b671e341a2234e9c0c060e
 	NOTE: Fixed by (stable-2.8): http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=96bae145e27d4df62671b4eebd6c735f412016cf (v2.8.1.1)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1443401
-	NOTE: introduced by CVE-2016-9602
+	NOTE: Introduced by: http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=acf22d2264a131ad2695b5a18746dabf0cc8b843
+	NOTE: which is part of the fix for CVE-2016-9602.
 CVE-2017-7470
 	RESERVED
 CVE-2017-7469
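Review bot: The three added <not-affected> lines for [jessie], [wheezy] and qemu-kvm hold only while the fix for CVE-2016-9602 has not been backported to those versions, and the parenthetical reason does not say so. Consider naming the introducing commit (acf22d2264a131ad2695b5a18746dabf0cc8b843) in the reason, or wording it as "vulnerable code not present; introduced with fix for CVE-2016-9602", so that anyone backporting that fix knows exactly what to look for and revisits this entry. As a style point, the new "NOTE: which is part of the fix for CVE-2016-9602." is a sentence fragment that depends on the preceding NOTE line; folding it into the "Introduced by:" line would keep each NOTE readable on its own.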
@@ -22224,6 +22227,9 @@
 	NOTE: http://www.openwall.com/lists/oss-security/2017/01/17/14
 	NOTE: Upstream patchset: https://lists.gnu.org/archive/html/qemu-devel/2017-01/msg06225.html
 	NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1035
+	NOTE: If fixing this issue for older suites, then make sure not to open the
+	NOTE: CVE-2017-7471 vulnerability and apply as well 9c6b899f7a46893ab3b671e341a2234e9c0c060e
+	NOTE: See further details in the CVE-2017-7471 tracker entry.
 CVE-2016-9601 [Heap-buffer overflow due to Integer overflow in jbig2_image_new function]
 	RESERVED
 	{DSA-3817-1 DLA-874-1}
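Review bot: The added note under CVE-2016-9602 refers to the follow-up fix only by the bare hash 9c6b899f7a46893ab3b671e341a2234e9c0c060e, while the CVE-2017-7471 entry in the first hunk gives the full commitdiff URL and also lists a separate stable-2.8 commit (96bae145e27d4df62671b4eebd6c735f412016cf). Using the same URL form here would keep the two entries consistent and save a lookup. The wording "make sure not to open the CVE-2017-7471 vulnerability and apply as well ..." would read more clearly as "also apply ... to avoid introducing CVE-2017-7471".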



