Your message dated Sat, 19 Jan 2013 12:47:06 +0000 with message-id <e1twxpc-0000vn...@franck.debian.org> and subject line Bug#696051: fixed in qemu 0.12.5+dfsg-3squeeze3 has caused the Debian Bug report #696051, regarding potential guest-side buffer overflow caused by e1000 device emulation and large incoming packets - CVE-2012-6075 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 696051: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696051 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: qemu Severity: serious Tags: upstream patch pending security When guest does not enable large packet receiving from the qemu-emulated e1000 device, and a large packet is received from the network, qemu will happily transfer whole thing to guest, causing a guest buffer overflow. This is fixed by upstream commit b0d9ffcd0251161c7c92f94804dcf599dfa3edeb , with the following comment by Michael Contreras: Tested with linux guest. This error can potentially be exploited. At the very least it can cause a DoS to a guest system, and in the worse case it could allow remote code execution on the guest system with kernel level privilege. Risk seems low, as the network would need to be configured to allow large packets. So it can be considered a low-risk security issue, too. /mjt
--- End Message ---
--- Begin Message ---Source: qemu Source-Version: 0.12.5+dfsg-3squeeze3 We believe that the bug you reported is fixed in the latest version of qemu, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 696...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Michael Tokarev <m...@tls.msk.ru> (supplier of updated qemu package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.8 Date: Mon, 14 Jan 2013 12:58:32 +0400 Source: qemu Binary: qemu qemu-keymaps qemu-system qemu-user qemu-user-static qemu-utils libqemu-dev Architecture: source all i386 Version: 0.12.5+dfsg-3squeeze3 Distribution: stable-security Urgency: low Maintainer: Debian QEMU Team <pkg-qemu-de...@lists.alioth.debian.org> Changed-By: Michael Tokarev <m...@tls.msk.ru> Description: libqemu-dev - static libraries and headers for QEMU qemu - fast processor emulator qemu-keymaps - QEMU keyboard maps qemu-system - QEMU full system emulation binaries qemu-user - QEMU user mode emulation binaries qemu-user-static - QEMU user mode emulation binaries (static version) qemu-utils - QEMU utilities Closes: 696051 Changes: qemu (0.12.5+dfsg-3squeeze3) stable-security; urgency=low . * CVE-2012-6075 fix (Closes: #696051): e1000-discard-packets-that-are-too-long-if-not-SBP-and-not-LPE.patch e1000-discard-oversized-packets-based-on-SBP_LPE.patch Checksums-Sha1: a3b7d7a896810f14320ff1ea71ea50791d254392 2136 qemu_0.12.5+dfsg-3squeeze3.dsc 61cefb1a8ca3f17584a92c620391d8a7b2e39406 47382 qemu_0.12.5+dfsg-3squeeze3.diff.gz 1a5ac13bfcc83e8aad7cb4c4992e19d5297aa201 48124 qemu-keymaps_0.12.5+dfsg-3squeeze3_all.deb 8284b0bacb67a37f6225f0fbc946f003baf87c9d 105342 qemu_0.12.5+dfsg-3squeeze3_i386.deb 7763b542e7467bc6230bc775f01ca1d95ab2f249 12290714 qemu-system_0.12.5+dfsg-3squeeze3_i386.deb bc311f53cc7bbe3226fe382193e002f7f039b340 4208362 qemu-user_0.12.5+dfsg-3squeeze3_i386.deb cf9315ddbd950453344781f3e6419f0453aef9ff 8892142 qemu-user-static_0.12.5+dfsg-3squeeze3_i386.deb 3ffd353458acb378bbbd2f9f803e0e7948bc631f 367890 qemu-utils_0.12.5+dfsg-3squeeze3_i386.deb 83eb339da5ec640ee7156837fb9a3725ed74a120 5000410 libqemu-dev_0.12.5+dfsg-3squeeze3_i386.deb Checksums-Sha256: 90551888d4ccb92953ecac439bcf635211480d213954b2949353f0ae7e44f3d8 2136 qemu_0.12.5+dfsg-3squeeze3.dsc d76ba1b4f2b5f41b801fec87cc830124092084af463048e969a0a2515114b29c 47382 qemu_0.12.5+dfsg-3squeeze3.diff.gz 7b8ea484218ea551e8eecc01312de630d8bdb17988fd4d383e0d81625dd10561 48124 qemu-keymaps_0.12.5+dfsg-3squeeze3_all.deb ea48c94c0cfe3b5207c9bbd94bb0d75d170b1b2bb31774b048c445551d682911 105342 qemu_0.12.5+dfsg-3squeeze3_i386.deb fce14b831768434b253f101cb7d7d7fa857467390ee4385dec50faa8546f094a 12290714 qemu-system_0.12.5+dfsg-3squeeze3_i386.deb 53c935d2c8c9e0befdf10c05f1ee61d8b6af9a44273a81bc69be8e0b1e64032f 4208362 qemu-user_0.12.5+dfsg-3squeeze3_i386.deb 1cda3e806edb4eae01d50ddedb6041c530d8fceec9f948f8b422b48406994118 8892142 qemu-user-static_0.12.5+dfsg-3squeeze3_i386.deb f758de81c56213ad5afcd56a1638e39d4bdb01fd850171fb713594f41a9012b7 367890 qemu-utils_0.12.5+dfsg-3squeeze3_i386.deb e8b98209d28978edddc2592fe9d570059ad87e9cc45870349cd12bad3527b4e4 5000410 libqemu-dev_0.12.5+dfsg-3squeeze3_i386.deb Files: 5867c73c07abf55285902199c7b0c8d8 2136 misc optional qemu_0.12.5+dfsg-3squeeze3.dsc 9699cee27ad7c6d23de2aa5fb413f891 47382 misc optional qemu_0.12.5+dfsg-3squeeze3.diff.gz e7bd8b3077577c08d87419e5e975d208 48124 misc optional qemu-keymaps_0.12.5+dfsg-3squeeze3_all.deb 0ad8619aceaceb891c4ca31fb3b2d482 105342 misc optional qemu_0.12.5+dfsg-3squeeze3_i386.deb 2ab7cbb2c72a2c7dadfa6df82ff7ef4b 12290714 misc optional qemu-system_0.12.5+dfsg-3squeeze3_i386.deb 7d8c1df327e6b9b2469bfce1a128e12b 4208362 misc optional qemu-user_0.12.5+dfsg-3squeeze3_i386.deb 1712aab1c73d55b88dfba0de3f6d1fb8 8892142 misc optional qemu-user-static_0.12.5+dfsg-3squeeze3_i386.deb 05cf317e46c8878586ad67c2e372aa19 367890 misc optional qemu-utils_0.12.5+dfsg-3squeeze3_i386.deb f40b3d08d18ba7b252e5e45350a5a6ee 5000410 libdevel optional libqemu-dev_0.12.5+dfsg-3squeeze3_i386.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iJwEAQECAAYFAlD1G9IACgkQUlPFrXTwyDjOywP6Ay+pz9B9FH4dHfLupawxuAtl j5Qn6vauglTXmLsYu8Fa6g5SC8OHhye+9wHj/8QlqDlU4BqPPjLaiJ6BO+wbAxtp UdI9Pl/EEAL02iVowH4g0bteXvfaTLq0uJADvlSCpwaXilILAFDL6p65Aqu9Uw8W GjQ03t1nl2tO+MxwP0Y= =Lt9g -----END PGP SIGNATURE-----
--- End Message ---
