Bug 205814

Summary:	emulators/qemu {-devel}: multiple vulnerabilities
Product:	Ports & Packages	Reporter:	Jason Unovitch <junovitch>
Component:	Individual Port(s)	Assignee:	Muhammad Moinur Rahman <bofh>
Status:	Closed FIXED
Severity:	Affects Only Me	CC:	ahmedsayeed1982, ports-secteam, sbruno, w.schwarzenfeld
Priority:	---	Keywords:	security
Version:	Latest	Flags:	bugzilla: maintainer-feedback? (bofh) junovitch: merge-quarterly?
Hardware:	Any
OS:	Any

Description Jason Unovitch freebsd_committer

2016-01-03 02:20:02 UTC

The following patches are needed (unapplied upstream)

CVE-2015-8345 - https://lists.gnu.org/archive/html/qemu-devel/2015-10/msg03911.html
CVE-2015-8567/CVE-2015-8568 - https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02299.html
CVE-2015-8613 - https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg03737.html
CVE-2015-8619 - https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02930.html
CVE-2015-8701 - https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg04629.html

The following patches are applied upstream in the master branch but not yet in a release:

CVE-2015-8558 - http://git.qemu.org/?p=qemu.git;a=commit;h=156a2e4dbffa85997636a7a39ef12da6f1b40254

Comment 1 commit-hook freebsd_committer

2016-01-03 02:26:03 UTC

A commit references this bug:

Author: junovitch
Date: Sun Jan  3 02:25:00 UTC 2016
New revision: 405110
URL: https://svnweb.freebsd.org/changeset/ports/405110

Log:
  Document recent QEMU denial of service vulnerabilities

  PR:		205813
  PR:		205814
  Security:	CVE-2015-8701
  Security:	CVE-2015-8666
  Security:	CVE-2015-8619
  Security:	CVE-2015-8613
  Security:	CVE-2015-8567
  Security:	CVE-2015-8568
  Security:	CVE-2015-8558
  Security:	CVE-2015-7549
  Security:	CVE-2015-8504
  Security:	CVE-2015-7504
  Security:	CVE-2015-7512
  Security:	CVE-2015-8345
  Security:	https://vuxml.FreeBSD.org/freebsd/1384f2fd-b1be-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/152acff3-b1bd-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/62ab8707-b1bc-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/b3f9f8ef-b1bb-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/9ad8993e-b1ba-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/60cb2055-b1b8-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/3fb06284-b1b7-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/67feba97-b1b5-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/405446f4-b1b3-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/b56fe6bb-b1b1-11e5-9728-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml

Comment 2 Jason Unovitch freebsd_committer

2016-01-03 02:35:24 UTC

PR:
- Add sbruno@ as a courtesy CC... I'm unsure what level these ports are going to be kept in sync in the future.
- Add security tag and add ports-secteam to CC
- Add merge-quarterly? as there will be something to MFH

Comments:
emulators/qemu will have to be updated to 2.5.0 to fix several of the recent issues.

After that, most of these have hit upstream at this time.  One of them is in master but not in any release.  It will probably be in 2.5.1.  I'm unsure how you want to proceed but just we have everything documented as reported so all we'll have to do is fix the version numbers documented in VuXML when we roll out a fix.

Comment 3 Muhammad Moinur Rahman freebsd_committer

2016-01-03 18:33:08 UTC

(In reply to Jason Unovitch from comment #2)
2.5.* is not yet in STABLE release so it will go to current stable 2.4.1 and current devel 2.5.0.

Comment 4 Walter Schwarzenfeld freebsd_triage

2018-01-13 06:20:36 UTC

quemu version is at 2.9.0. I think this is overcome by events.

Comment 5 Sean Bruno freebsd_committer

2018-02-06 19:35:53 UTC

I'm going to close this now as we have updates all of the related qemu ports to versions that have all the associated patches.

Comment 6 Ahmed 2021-11-02 19:48:47 UTC

MARKED AS SPAM