Bug 205814 - emulators/qemu {-devel}: multiple vulnerabilities
Summary: emulators/qemu {-devel}: multiple vulnerabilities
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Muhammad Moinur Rahman
URL:
Keywords: security
Depends on:
Blocks:
 
Reported: 2016-01-03 02:20 UTC by Jason Unovitch
Modified: 2018-02-06 19:35 UTC (History)
3 users (show)

See Also:
bugzilla: maintainer-feedback? (bofh)
junovitch: merge-quarterly?


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jason Unovitch freebsd_committer 2016-01-03 02:20:02 UTC
The following patches are needed (unapplied upstream)

CVE-2015-8345 - https://lists.gnu.org/archive/html/qemu-devel/2015-10/msg03911.html
CVE-2015-8567/CVE-2015-8568 - https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02299.html
CVE-2015-8613 - https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg03737.html
CVE-2015-8619 - https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02930.html
CVE-2015-8701 - https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg04629.html

The following patches are applied upstream in the master branch but not yet in a release:

CVE-2015-8558 - http://git.qemu.org/?p=qemu.git;a=commit;h=156a2e4dbffa85997636a7a39ef12da6f1b40254
Comment 1 commit-hook freebsd_committer 2016-01-03 02:26:03 UTC
A commit references this bug:

Author: junovitch
Date: Sun Jan  3 02:25:00 UTC 2016
New revision: 405110
URL: https://svnweb.freebsd.org/changeset/ports/405110

Log:
  Document recent QEMU denial of service vulnerabilities

  PR:		205813
  PR:		205814
  Security:	CVE-2015-8701
  Security:	CVE-2015-8666
  Security:	CVE-2015-8619
  Security:	CVE-2015-8613
  Security:	CVE-2015-8567
  Security:	CVE-2015-8568
  Security:	CVE-2015-8558
  Security:	CVE-2015-7549
  Security:	CVE-2015-8504
  Security:	CVE-2015-7504
  Security:	CVE-2015-7512
  Security:	CVE-2015-8345
  Security:	https://vuxml.FreeBSD.org/freebsd/1384f2fd-b1be-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/152acff3-b1bd-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/62ab8707-b1bc-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/b3f9f8ef-b1bb-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/9ad8993e-b1ba-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/60cb2055-b1b8-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/3fb06284-b1b7-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/67feba97-b1b5-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/405446f4-b1b3-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/b56fe6bb-b1b1-11e5-9728-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
Comment 2 Jason Unovitch freebsd_committer 2016-01-03 02:35:24 UTC
PR:
- Add sbruno@ as a courtesy CC... I'm unsure what level these ports are going to be kept in sync in the future.
- Add security tag and add ports-secteam to CC
- Add merge-quarterly? as there will be something to MFH

Comments:
emulators/qemu will have to be updated to 2.5.0 to fix several of the recent issues.

After that, most of these have hit upstream at this time.  One of them is in master but not in any release.  It will probably be in 2.5.1.  I'm unsure how you want to proceed but just we have everything documented as reported so all we'll have to do is fix the version numbers documented in VuXML when we roll out a fix.
Comment 3 Muhammad Moinur Rahman freebsd_committer 2016-01-03 18:33:08 UTC
(In reply to Jason Unovitch from comment #2)
2.5.* is not yet in STABLE release so it will go to current stable 2.4.1 and current devel 2.5.0.
Comment 4 Walter Schwarzenfeld freebsd_triage 2018-01-13 06:20:36 UTC
quemu version is at 2.9.0. I think this is overcome by events.
Comment 5 Sean Bruno freebsd_committer 2018-02-06 19:35:53 UTC
I'm going to close this now as we have updates all of the related qemu ports to versions that have all the associated patches.