CVE-2017-5856 in Ubuntu

CVE-2017-5856

Priority

Low

Description

Memory leak in the megasas_handle_dcmd function in hw/scsi/megasas.c in
QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a
denial of service (host memory consumption) via MegaRAID Firmware Interface
(MFI) commands with the sglist size set to a value over 2 Gb.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5856
http://www.openwall.com/lists/oss-security/2017/02/01/19
http://www.ubuntu.com/usn/usn-3261-1

Bugs

https://bugzilla.redhat.com/show_bug.cgi?id=1418342
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853996

Package

Source: qemu-kvm (LP Ubuntu Debian)

Upstream:	needed
Ubuntu 17.10 (Artful Aardvark):	DNE
Ubuntu 12.04 ESM (Precise Pangolin):	needed
Ubuntu 14.04 LTS (Trusty Tahr):	DNE
Ubuntu Core 15.04:	DNE
Ubuntu 16.04 LTS (Xenial Xerus):	DNE
Ubuntu 17.04 (Zesty Zapus):	DNE

Package

Source: qemu (LP Ubuntu Debian)

Upstream:	needed
Ubuntu 17.10 (Artful Aardvark):	not-affected (1:2.8+dfsg-3ubuntu2)
Ubuntu 12.04 ESM (Precise Pangolin):	DNE
Ubuntu 14.04 LTS (Trusty Tahr):	released (2.0.0+dfsg-2ubuntu1.33)
Ubuntu Core 15.04:	DNE
Ubuntu 16.04 LTS (Xenial Xerus):	released (1:2.5+dfsg-5ubuntu10.11)
Ubuntu 17.04 (Zesty Zapus):	not-affected (1:2.8+dfsg-3ubuntu2)

Patches:

Upstream:

http://git.qemu.org/?p=qemu.git;a=commit;h=765a707000e838c30b18d712fe6cb3dd8e0435f3

More Information

Updated: 2017-08-11 23:25:54 UTC (commit 13081)