CVE-2017-5856 in Ubuntu

CVE-2017-5856

Priority

Description

Memory leak in the megasas_handle_dcmd function in hw/scsi/megasas.c in
QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a
denial of service (host memory consumption) via MegaRAID Firmware Interface
(MFI) commands with the sglist size set to a value over 2 Gb.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5856
http://www.openwall.com/lists/oss-security/2017/02/01/19
https://usn.ubuntu.com/usn/usn-3261-1

Bugs

https://bugzilla.redhat.com/show_bug.cgi?id=1418342
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853996

Notes

Package

Source: qemu (LP Ubuntu Debian)

Upstream:	needed
Ubuntu 12.04 ESM (Precise Pangolin):	DNE
Ubuntu 14.04 ESM (Trusty Tahr):	released (2.0.0+dfsg-2ubuntu1.33)
Ubuntu 16.04 LTS (Xenial Xerus):	released (1:2.5+dfsg-5ubuntu10.11)
Ubuntu 18.04 LTS (Bionic Beaver):	not-affected (1:2.8+dfsg-3ubuntu2)
Ubuntu 19.10 (Eoan Ermine):	not-affected (1:2.8+dfsg-3ubuntu2)
Ubuntu 20.04 (Focal Fossa):	not-affected (1:2.8+dfsg-3ubuntu2)

Patches:

Upstream:

http://git.qemu.org/?p=qemu.git;a=commit;h=765a707000e838c30b18d712fe6cb3dd8e0435f3

Package

Source: qemu-kvm (LP Ubuntu Debian)

Upstream:	needed
Ubuntu 12.04 ESM (Precise Pangolin):	needed
Ubuntu 14.04 ESM (Trusty Tahr):	DNE
Ubuntu 16.04 LTS (Xenial Xerus):	DNE
Ubuntu 18.04 LTS (Bionic Beaver):	DNE
Ubuntu 19.10 (Eoan Ermine):	DNE
Ubuntu 20.04 (Focal Fossa):	DNE

More Information

Updated: 2020-01-29 18:48:37 UTC (commit 40f18bf14da5fb50662e1f861ea594a462b207fe)