Bugzilla Bug 188148

Tavis Ormandy discovered two issues that affect bochs <= 2.3

The first issue is caused by a heap overflow error in the emulated NE2000
device that allows a large value in the TXCNT register to exceed the available
memory, which could be exploited by an attacker with "root" privileges on a
vulnerable guest system to execute arbitrary code on the host system.

The second vulnerability is caused by a divide-by-zero in the emulated floppy
disk controller, which could be exploited by malicious users to terminate the
bochs process, creating a denial of service condition.

http://www.frsirt.com/english/advisories/2007/1936

CC'ing maintainer and setting whiteboard status.

Debian seems to have fixed this with DSA 1351-1.

fedora also published a fix which links to the following already closed (in
cvs) upstream bug report :

http://sourceforge.net/tracker/?func=detail&atid=112580&aid=1729822&group_id=12580

fedora's CVS contains patches for both bugs that apply to 2.3 in :

http://cvs.fedoraproject.org/viewcvs/devel/bochs/

Created an attachment (id=129950) [details]
fix for CVE-2007-2893 from CVS

reconstructed from CVS with information from fedora package.

tested in bochs-2.3 for amd64

Created an attachment (id=129952) [details]
fix for CVE-2007-2894 from CVS

reconstructed from CVS with information from fedora package.

tested in bochs-2.3 for amd64

lu_zero please advise.

bochs-2.3 doesn't build for me and I'm tempted to remove it since qemu covers
the needs in a simpler and faster way. I'll try to come up either with a
snapshot that builds or using the patches on the previous version.

spent more time on bochs-2.3 and eventually sorted my, seems to be, local
issue.

Ebuild committed as ~arch

Arches please stabilise app-emulation/bochs-2.3

lu_zero did ppc and x86 has been stabled by me

alpha stable

amd64 stable

Please file GLSA request

(In reply to comment #13)
> Please file GLSA request
> 
done.

GLSA 200711-21