CVE-2017-5856 in Ubuntu

CVE-2017-5856

Priority

Description

Memory leak in the megasas_handle_dcmd function in hw/scsi/megasas.c in
QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a
denial of service (host memory consumption) via MegaRAID Firmware Interface
(MFI) commands with the sglist size set to a value over 2 Gb.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5856
http://www.openwall.com/lists/oss-security/2017/02/01/19
https://usn.ubuntu.com/usn/usn-3261-1

Bugs

https://bugzilla.redhat.com/show_bug.cgi?id=1418342
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853996

Package

Source: qemu (LP Ubuntu Debian)

Upstream:	needed
Ubuntu 12.04 ESM (Precise Pangolin):	DNE
Ubuntu 14.04 LTS (Trusty Tahr):	released (2.0.0+dfsg-2ubuntu1.33)
Ubuntu 16.04 LTS (Xenial Xerus):	released (1:2.5+dfsg-5ubuntu10.11)
Ubuntu 18.04 LTS (Bionic Beaver):	not-affected (1:2.8+dfsg-3ubuntu2)
Ubuntu 18.10 (Cosmic Cuttlefish):	not-affected (1:2.8+dfsg-3ubuntu2)
Ubuntu 19.04 (Disco Dingo):	not-affected (1:2.8+dfsg-3ubuntu2)

Patches:

Upstream:

http://git.qemu.org/?p=qemu.git;a=commit;h=765a707000e838c30b18d712fe6cb3dd8e0435f3

Package

Source: qemu-kvm (LP Ubuntu Debian)

Upstream:	needed
Ubuntu 12.04 ESM (Precise Pangolin):	needed
Ubuntu 14.04 LTS (Trusty Tahr):	DNE
Ubuntu 16.04 LTS (Xenial Xerus):	DNE
Ubuntu 18.04 LTS (Bionic Beaver):	DNE
Ubuntu 18.10 (Cosmic Cuttlefish):	DNE
Ubuntu 19.04 (Disco Dingo):	DNE

More Information

Updated: 2019-01-14 21:26:23 UTC (commit 51f9b73af244ba86b9321e46e526586c25a8e060)