Page MenuHomeFreeBSD

emulators/qemu-devel: multiple vulnerabilities
ClosedPublic

Authored by feld on Sep 17 2015, 5:50 PM.

Details

Summary

Hello,

These CVEs have not been dealth with in the ports tree yet. I'm not sure
if non-devel qemu or static/sbruno/etc flavors are also vulnerable?
Maybe Xen stuff? Can someone lend a hand?

Thanks!

Diff Detail

Repository
rP FreeBSD ports repository
Lint
No Linters Available
Unit
No Unit Test Coverage
Build Status
Buildable 558
Build 558: arc lint + arc unit

Event Timeline

feld retitled this revision from to emulators/qemu-devel: multiple vulnerabilities.
feld updated this object.
feld edited the test plan for this revision. (Show Details)
feld added subscribers: sbruno, nox, junovitch.

Regarding emulators/qemu,
It may be vulnerable and we do have CVE-2015-5154, CVE-2015-5166, CVE-2015-5165 from a prior PR still valid against this. In https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202402#c17 Sean brought up getting guidance from Juergen on a way ahead.

Regarding emulators/qemu-sbruno and emulators/qemu-user-static,
They would be impacted and it looks like https://github.com/seanbruno/qemu-bsd-user will need a fresh pull from upstream.

Regarding Xen,
I don't see any security advisory from them just yet at http://xenbits.xen.org/xsa/

The goalposts keep moving. Here's another one we need to patch

http://seclists.org/oss-sec/2015/q3/579

I suspect that this might be a deprecated review at this time. emulators/qemu now tracks the stable release of QEMU.

In D3691#76188, @feld wrote:

The goalposts keep moving. Here's another one we need to patch

http://seclists.org/oss-sec/2015/q3/579

This has been addressed in qemu-devel 2.5.0.

This revision was automatically updated to reflect the committed changes.