qemu: security bump to version 2.10.2

Fixes the following security issues:

CVE-2017-13672: QEMU (aka Quick Emulator), when built with the VGA display
emulator support, allows local guest OS privileged users to cause a denial
of service (out-of-bounds read and QEMU process crash) via vectors involving
display update.

CVE-2017-15118: Stack buffer overflow in NBD server triggered via long
export name

CVE-2017-15119: DoS via large option request

CVE-2017-15268: Qemu through 2.10.0 allows remote attackers to cause a
memory leak by triggering slow data-channel read operations, related to
io/channel-websock.c.

For more details, see the release announcement:
https://lists.nongnu.org/archive/html/qemu-devel/2017-12/msg03618.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

diff --git a/package/qemu/qemu.hash b/package/qemu/qemu.hash
index db43c9a2d879c67f729a1ef6c8510b84280f2db1..1173c1bf3d9000adb72e2a21b5c45bbce8430f1c 100644 (file)
--- a/package/qemu/qemu.hash
+++ b/package/qemu/qemu.hash
@@ -1,4 +1,4 @@
 # Locally computed, tarball verified with GPG signature
-sha256 1dd51a908fc68c7d935b0b31fb184c5669bc23b5a1b081816e824714f2a11caa  qemu-2.10.1.tar.xz
+sha256 fcfdaa1ecdaac8aead616fe811bfb8fe4a8f2cd59796aa446c5175b5af0e829f  qemu-2.10.2.tar.xz
 sha256 6f04ae8364d0079a192b14635f4b1da294ce18724c034c39a6a41d1b09df6100  COPYING
 sha256 48ffe9fc7f1d5462dbd19340bc4dd1d8a9e37c61ed535813e614cbe4a5f0d4df  COPYING.LIB

diff --git a/package/qemu/qemu.mk b/package/qemu/qemu.mk
index 402ad68b5c789e29c5e47b3e4e8ff1f1165d791b..345ef526681ab3c3f75760fa9e1ead3002d725fc 100644 (file)
--- a/package/qemu/qemu.mk
+++ b/package/qemu/qemu.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-QEMU_VERSION = 2.10.1
+QEMU_VERSION = 2.10.2
 QEMU_SOURCE = qemu-$(QEMU_VERSION).tar.xz
 QEMU_SITE = http://download.qemu.org
 QEMU_LICENSE = GPL-2.0, LGPL-2.1, MIT, BSD-3-Clause, BSD-2-Clause, Others/BSD-1c