On Tue, Apr 28, 2009 at 03:34:32PM -0400, Michael S. Gilbert wrote: > Package: qemu > Severity: important > Tags: security > Tags: fixed 0.9.1+svn20081101-1 > > Hi, > > The following CVE (Common Vulnerabilities & Exposures) id was > published for qemu. > > CVE-2008-4539[0]: > | Heap-based buffer overflow in the Cirrus VGA implementation in (1) KVM > | before kvm-82 and (2) QEMU on Debian GNU/Linux and Ubuntu might allow > | local users to gain privileges by using the VNC console for a > | connection, aka the LGD-54XX "bitblt" heap overflow. NOTE: this issue > | exists because of an incorrect fix for CVE-2007-1320. > > This is already fixed in version 0.9.1+svn20081101-1 in unstable. > Please coordinate with the security team ([email protected]) to > prepare packages for the stable releases. > > If you fix the vulnerability please also make sure to include the > CVE id in your changelog entry. >
This is fixed in the lenny branch of the SVN. The bug is not present in etch, as the correct original fix for CVE-2007-1320 is applied. -- Aurelien Jarno GPG: 1024D/F1BCDB73 [email protected] http://www.aurel32.net -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
