Your message dated Wed, 01 Mar 2017 10:04:15 +0000 with message-id <e1cj17h-0005br...@fasolo.debian.org> and subject line Bug#853006: fixed in qemu 1:2.8+dfsg-3 has caused the Debian Bug report #853006, regarding qemu: CVE-2016-9602: 9p: virtfs allows guest to access host filesystem to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 853006: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853006 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: qemu Version: 1:2.8+dfsg-1 Severity: grave Tags: security upstream Hi, the following vulnerability was published for qemu. Rationale: I'm raising the issue for now as grave severity, since a privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host. But note as well, that the original proposed patch is not fixing the issue, so upstream is still working on a fix[1]. CVE-2016-9602[0]: 9p: virtfs allows guest to access host filesystem If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2016-9602 [1] http://www.openwall.com/lists/oss-security/2017/01/17/14 [2] https://bugzilla.redhat.com/show_bug.cgi?id=1413929 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: qemu Source-Version: 1:2.8+dfsg-3 We believe that the bug you reported is fixed in the latest version of qemu, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 853...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Michael Tokarev <m...@tls.msk.ru> (supplier of updated qemu package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Tue, 28 Feb 2017 11:40:18 +0300 Source: qemu Binary: qemu qemu-system qemu-block-extra qemu-system-common qemu-system-misc qemu-system-arm qemu-system-mips qemu-system-ppc qemu-system-sparc qemu-system-x86 qemu-user qemu-user-static qemu-user-binfmt qemu-utils qemu-guest-agent qemu-kvm Architecture: source Version: 1:2.8+dfsg-3 Distribution: unstable Urgency: high Maintainer: Debian QEMU Team <pkg-qemu-de...@lists.alioth.debian.org> Changed-By: Michael Tokarev <m...@tls.msk.ru> Description: qemu - fast processor emulator qemu-block-extra - extra block backend modules for qemu-system and qemu-utils qemu-guest-agent - Guest-side qemu-system agent qemu-kvm - QEMU Full virtualization on x86 hardware qemu-system - QEMU full system emulation binaries qemu-system-arm - QEMU full system emulation binaries (arm) qemu-system-common - QEMU full system emulation binaries (common files) qemu-system-mips - QEMU full system emulation binaries (mips) qemu-system-misc - QEMU full system emulation binaries (miscellaneous) qemu-system-ppc - QEMU full system emulation binaries (ppc) qemu-system-sparc - QEMU full system emulation binaries (sparc) qemu-system-x86 - QEMU full system emulation binaries (x86) qemu-user - QEMU user mode emulation binaries qemu-user-binfmt - QEMU user mode binfmt registration for qemu-user qemu-user-static - QEMU user mode emulation binaries (static version) qemu-utils - QEMU utilities Closes: 839986 846497 853002 853006 853996 854032 854729 854730 854731 854893 855159 855227 855611 855616 855659 855791 Changes: qemu (1:2.8+dfsg-3) unstable; urgency=high . * urgency high due to security fixes . [ Michael Tokarev ] * serial-fix-memory-leak-in-serial-exit-CVE-2017-5579.patch Closes: #853002, CVE-2017-5579 * cirrus-ignore-source-pitch-as-needed-in-blit_is_unsafe.patch (needed for the next patch, CVE-2017-2620 fix) * cirrus-add-blit_is_unsafe-to-cirrus_bitblt_cputovideo-CVE-2017-2620.patch Closes: #855791, CVE-2017-2620 * nbd_client-fix-drop_sync-CVE-2017-2630.diff Closes: #855227, CVE-2017-2630 * sd-sdhci-check-transfer-mode-register-in-multi-block-CVE-2017-5987.patch Closes: #855159, CVE-2017-5987 * vmxnet3-fix-memory-corruption-on-vlan-header-stripping-CVE-2017-6058.patch Closes: #855616, CVE-2017-6058 * 3 CVE fixes from upstream for #853996: sd-sdhci-check-data-length-during-dma_memory_read-CVE-2017-5667.patch megasas-fix-guest-triggered-memory-leak-CVE-2017-5856.patch virtio-gpu-fix-resource-leak-in-virgl_cmd_resource-CVE-2017-5857.patch Closes: #853996, CVE-2017-5667, CVE-2017-5856, CVE-2017-5857 * usb-ccid-check-ccid-apdu-length-CVE-2017-5898.patch Closes: #854729, CVE-2017-5898 * virtio-crypto-fix-possible-integer-and-heap-overflow-CVE-2017-5931.patch Closes: #854730, CVE-2017-5931 * xhci-apply-limits-to-loops-CVE-2017-5973.patch Closes: #855611, CVE-2017-5973 * net-imx-limit-buffer-descriptor-count-CVE-2016-7907.patch Closes: #839986, CVE-2016-7907 * cirrus-fix-oob-access-issue-CVE-2017-2615.patch Closes: #854731, CVE-2017-2615 * 9pfs-symlink-attack-fixes-CVE-2016-9602.patch Closes: #853006 * vnc-do-not-disconnect-on-EAGAIN.patch Closes: #854032 * xhci-fix-event-queue-IRQ-handling.patch (win7 xhci issue fix) * xhci-only-free-completed-transfers.patch Closes: #855659 * char-fix-ctrl-a-b-not-working.patch Closes: https://bugs.launchpad.net/bugs/1654137 * char-drop-data-written-to-a-disconnected-pty.patch Closes: https://bugs.launchpad.net/bugs/1667033 * s390x-use-qemu-cpu-model-in-user-mode.patch Closes: #854893 * d/control is autogenerated, add comment * check if debootstrap is available in qemu-debootstrap Closes: #846497 . [ Christian Ehrhardt ] * (ubuntu) no more skip enable libiscsi (now in main) * (ubuntu) Disable glusterfs (Universe dependency) * (ubuntu) have qemu-system-arm suggest: qemu-efi; this should be a stronger relationship, but qemu-efi is still in universe right now. * (ubuntu) change dependencies for fix of wrong acl for newly created device node on ubuntu Checksums-Sha1: d5dc11d3538dd060f71fbc43045bef33368d70ee 5513 qemu_2.8+dfsg-3.dsc 6dc97a4a9ac7940ad35955fd3b5061fb25b181df 92520 qemu_2.8+dfsg-3.debian.tar.xz Checksums-Sha256: c59ce113cac6a8579d9c7c56b6ab47ae2412c3847262bee4a81804fff184c3b3 5513 qemu_2.8+dfsg-3.dsc 3ac5b4bef0d983b319f3556ea3c5182956f7c99fb5cb4cacf30eca04063aeccd 92520 qemu_2.8+dfsg-3.debian.tar.xz Files: b159f7aabda3b2ba51d9f7e2355778b0 5513 otherosfs optional qemu_2.8+dfsg-3.dsc 3fbd6bce7e95f908a86d1ea695c219f0 92520 otherosfs optional qemu_2.8+dfsg-3.debian.tar.xz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJYtpbQAAoJEHAbT2saaT5ZWMUH/3Ir5jIi/XP9f215Q1yPDSml DVJuDmH8l+IHNFgq1Hi8rxj4FWT/dVZ4tCnJewiNBrDrZ33C/C7wY0mKrVUdczS/ 74mv+qkTO5+85j39XvJCLvrL4D30EccRwrCHbPDW2RELaL6MO0fdlMiH3dUy93hT fcR93oIjWv+3qfnlC+MLXom6MdYAJ+kSoUpOIUgx23J4yYkXoIgIG9d+LFURhEEv /7FOaIJlwHF1Hd/sUnBsmsUHBj1h0tpJ5xyY36nuhzHmgapQg1x6/WWr/Z40Xa3Z mM4w6fdWtOTpgaSP/UVjtPOpMisNk3Wqr13NfXlm2KHtREk+NR9/K2Q8EB3JMJs= =U/A9 -----END PGP SIGNATURE-----
--- End Message ---
