[Git][security-tracker-team/security-tracker][master] Concluded that qemu update is not necessary for strech. CVE-2021-3607, 3608...

Ola Lundqvist (@opal) opal at debian.org
Mon Jun 21 21:47:42 BST 2021 


Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker


Commits:
937faf5c by Ola Lundqvist at 2021-06-21T22:47:24+02:00
Concluded that qemu update is not necessary for strech. CVE-2021-3607, 3608 and CVE-2021-3582 not affected since the vulnerable code is introduced in some later version of the product. CVE-2021-3592 are marked as no-dsa for strech just as for buster.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -508,11 +508,13 @@ CVE-2021-34827
 CVE-2021-3608 [pvrdma: uninitialized memory unmap in pvrdma_ring_init()]
 	RESERVED
 	- qemu <unfixed>
+	[stretch] - qemu <not-affected> (Vulnerable code introduced later)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1973383
 	TODO: check details, upstream report
 CVE-2021-3607 [pvrdma: unchecked malloc size due to integer overflow in init_dev_ring()]
 	RESERVED
 	- qemu <unfixed>
+	[stretch] - qemu <not-affected> (Vulnerable code introduced later)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1973349
 	TODO: check details, upstream report
 CVE-2021-3606
@@ -1112,6 +1114,7 @@ CVE-2021-3595 (An invalid pointer initialization issue was found in the SLiRP ne
 	- libslirp <unfixed> (bug #989996)
 	- qemu 1:4.1-2
 	[buster] - qemu <no-dsa> (Minor issue)
+	[stretch] - qemu <no-dsa> (Minor issue)
 	NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0)
 	NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/3f17948137155f025f7809fdc38576d5d2451c3d (v4.6.0)
 	NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/990163cf3ac86b7875559f49602c4d76f46f6f30 (v4.6.0)
@@ -1120,6 +1123,7 @@ CVE-2021-3594 (An invalid pointer initialization issue was found in the SLiRP ne
 	- libslirp <unfixed> (bug #989995)
 	- qemu 1:4.1-2
 	[buster] - qemu <no-dsa> (Minor issue)
+	[stretch] - qemu <no-dsa> (Minor issue)
 	NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0)
 	NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/74572be49247c8c5feae7c6e0b50c4f569ca9824 (v4.6.0)
 	NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed.
@@ -1127,6 +1131,7 @@ CVE-2021-3593 (An invalid pointer initialization issue was found in the SLiRP ne
 	- libslirp <unfixed> (bug #989994)
 	- qemu 1:4.1-2
 	[buster] - qemu <no-dsa> (Minor issue)
+	[stretch] - qemu <no-dsa> (Minor issue)
 	NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0)
 	NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/de71c15de66ba9350bf62c45b05f8fbff166517b (v4.6.0)
 	NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed.
@@ -1134,6 +1139,7 @@ CVE-2021-3592 (An invalid pointer initialization issue was found in the SLiRP ne
 	- libslirp <unfixed> (bug #989993)
 	- qemu 1:4.1-2
 	[buster] - qemu <no-dsa> (Minor issue)
+	[stretch] - qemu <no-dsa> (Minor issue)
 	NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0)
 	NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/f13cad45b25d92760bb0ad67bec0300a4d7d5275 (v4.6.0)
 	NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/2eca0838eee1da96204545e22cdaed860d9d7c6c (v4.6.0)
@@ -2530,6 +2536,7 @@ CVE-2021-3587 [nfc: fix NULL ptr dereference in llcp_sock_getname() after failed
 CVE-2021-3582 [hw/rdma: Fix possible mremap overflow in the pvrdma device]
 	RESERVED
 	- qemu <unfixed>
+	[stretch] - qemu <not-affected> (Vulnerable code introduced later)
 	NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-06/msg04148.html
 	TODO: check
 CVE-2021-33907


=====================================
data/dla-needed.txt
=====================================
@@ -80,8 +80,6 @@ python-babel
  NOTE: 20210620: http://people.debian.org/~abhijith/backport_of_3a700b5.patch (abhijith)
  NOTE: 20210620: Revisit when it have an assigned CVE Id. (abhijith)
 --
-qemu
---
 rabbitmq-server (Abhijith PA)
 --
 ruby-actionpack-page-caching



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/937faf5c4fc0d2baf7f387d47796c93683c00183

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/937faf5c4fc0d2baf7f387d47796c93683c00183
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210621/f03a0a8e/attachment.htm>

More information about the debian-security-tracker-commits mailing list