[Secure-testing-commits] r55636 - data/CVE

Salvatore Bonaccorso carnil at moszumanska.debian.org
Sun Sep 10 19:41:12 UTC 2017


Author: carnil
Date: 2017-09-10 19:41:12 +0000 (Sun, 10 Sep 2017)
New Revision: 55636

Modified:
   data/CVE/list
Log:
Update information for CVE-2017-13673/qemu

Note for reviewers: The set of affected versions in the description seems
misleading. But my triage could be wrong. The issue is fixed upstream
with
https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=bfc56535f793c557aa754c50213fc5f882e6482d
which in turn fixes
https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=fec5e8c92becad223df9d972770522f64aafdb72
That commit made vga display update thread safe and introduced the
problem with the dirty bitmap snapshots. But please double and triple
check this claim.

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-09-10 19:25:57 UTC (rev 55635)
+++ data/CVE/list	2017-09-10 19:41:12 UTC (rev 55636)
@@ -1561,11 +1561,11 @@
 CVE-2017-13674 (Symantec ProxyClient 3.4 for Windows is susceptible to a privilege ...)
 	NOT-FOR-US: Symantec ProxyClient
 CVE-2017-13673 (The vga display update in Qemu 2.8.0 through 2.9.0 mis-calculated the ...)
-	- qemu <unfixed> (low)
-	[stretch] - qemu <postponed> (Can be fixed along in a future DSA)
-	[jessie] - qemu <postponed> (Can be fixed along in a future DSA)
-	- qemu-kvm <removed>
+	- qemu <not-affected> (Vulnerable code introduced later)
+	- qemu-kvm <not-affected> (Vulnerable code introduced later)
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg04685.html
+	NOTE: Fixed by: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=bfc56535f793c557aa754c50213fc5f882e6482d
+	NOTE: Introduced by: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=fec5e8c92becad223df9d972770522f64aafdb72
 CVE-2017-13672 (QEMU (aka Quick Emulator), when built with the VGA display emulator ...)
 	- qemu <unfixed> (low; bug #873851)
 	[stretch] - qemu <postponed> (Can be fixed along in a future DSA)
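
Review bot: The unscoped `- qemu <not-affected> (Vulnerable code introduced later)` line sits directly under a CVE description that still reads "Qemu 2.8.0 through 2.9.0", and the two added NOTE lines give only commit hashes, not the upstream release that first contained the introducing commit fec5e8c92becad223df9d972770522f64aafdb72. Add a NOTE naming that release so the not-affected claim can be checked against the packaged versions, and so it is clear why the previous `<unfixed>` entry and the `[stretch]`/`[jessie]` `<postponed>` lines were dropped. If any suite carries a version at or after the introducing release, it needs its own entry rather than the blanket not-affected; the same applies to the `qemu-kvm` line, which changes from `<removed>` to `<not-affected>` with the same unexplained reason.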
