Bug#: 221943
Status: ASSIGNED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Celso Fernandes (icezimm) <celso.fernandes@gmail.com>
Attachment:
Filename: qemu-softmmu-0.9.1-CVE-2008-2004.patch
Description: patch for qemu-softmmu-0.9.1 bug CVE-2008-2004 #221943
Type: patch
Creator: Celso Fernandes (icezimm)
Created: 2008-05-13 14:05 0000
Size: 1.96 KB

Bug 221943 depends on: Show dependency tree
Bug 221943 blocks: 212351



Description:   Opened: 2008-05-13 13:23 0000
QEMU could allow a local attacker to bypass security restrictions caused by an
error in the drive_init function. By writing a header to a raw formatted disk
image that specifies another image format, an attacker on a guest instance
could exploit this vulnerability to read arbitrary files on the host.

Reproducible: Always

Steps to Reproduce:
Affects QEMU 0.9.1

------- Comment #1 From Pierre-Yves Rofes 2008-05-13 14:01:40 0000 -------
Thanks for the report, but please let us rate the severity of the bug ;-)

lu_zero: patch can be found at:
http://svn.savannah.gnu.org/viewvc/?view=rev&root=qemu&revision=4277

please bump as necessary.

------- Comment #2 From Celso Fernandes (icezimm) 2008-05-13 14:05:13 0000 -------
Created an attachment (id=153053)
patch for qemu-softmmu-0.9.1 bug CVE-2008-2004 #221943

------- Comment #3 From Celso Fernandes (icezimm) 2008-05-13 14:09:15 0000 -------
(In reply to comment #2)
> Created an attachment (id=153053)
> patch for qemu-softmmu-0.9.1 bug CVE-2008-2004 #221943
> 

Don't know if this is the right procedure to propose a patch, so I posted the
patch in the last comment (forgot to add these lines, shame on me hehehehe).

So here they are; tested the patch here, and it's working.

--- qemu-softmmu-0.9.1-r2.ebuild        2008-05-13 11:06:47.000000000 -0300
+++ qemu-softmmu-0.9.1-r3.ebuild        2008-05-13 11:02:47.000000000 -0300
@@ -46,6 +46,7 @@

        cd "${S}"
        epatch "${FILESDIR}/${P}-CVE-2008-0928.patch" #212351
+       epatch "${FILESDIR}/${P}-CVE-2008-2004.patch" #221943
        # Alter target makefiles to accept CFLAGS set via flag-o.
        sed -i 's/^\(C\|OP_C\|HELPER_C\)FLAGS=/\1FLAGS+=/' \
                Makefile Makefile.target tests/Makefile
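Review bot: the new epatch line only works if the attached patch is committed to ${FILESDIR} under the exact name the ebuild expands to, qemu-softmmu-0.9.1-CVE-2008-2004.patch (which matches the attachment filename above), and the Manifest is regenerated; otherwise epatch aborts the build at this line. The line itself follows the convention of the preceding CVE-2008-0928 entry, including the trailing bug-number comment, so no style change is needed. Note also that the diff renames the ebuild from -r2 to -r3, so the revision bump must accompany the commit rather than patching -r2 in place.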

------- Comment #4 From Luca Barbato 2008-05-14 14:50:22 0000 -------
Committed

------- Comment #5 From Sune Kloppenborg Jeppesen 2008-05-14 18:36:17 0000 -------
Reopening it for possible stable marking and GLSA decision (no CVS access atm,
so I can't check whether it was committed directly to stable).

------- Comment #6 From Robert Buchholz 2008-05-14 19:24:39 0000 -------
Celso: both linking the patch in the repository, or attaching it to the bug are
fine. There's no need to give the diff to the ebuild though, as the additional
epatch line is trivial. Thanks for your report!

------- Comment #7 From Robert Buchholz 2008-05-14 19:25:39 0000 -------
I don't see the commit in the tree yet, so still [ebuild].

------- Comment #8 From Robert Buchholz 2008-05-14 19:37:22 0000 -------
Sorry, my bad.

Arches, please test and mark stable:
=app-emulation/qemu-softmmu-0.9.1-r3
Target keywords : "amd64 ppc release x86"
Already stabled : "x86"
Missing keywords: "amd64 ppc release"

------- Comment #9 From Markus Meier 2008-05-14 20:25:58 0000 -------
amd64 stable

------- Comment #10 From Tobias Scherbaum 2008-05-29 08:37:28 0000 -------
this one is already stable for ppc

------- Comment #11 From Peter Volkov 2008-05-30 07:44:42 0000 -------
Fixed in release snapshot. This bug is finally GLSA vote ready ;)

------- Comment #12 From Pierre-Yves Rofes 2008-06-01 18:19:01 0000 -------
(In reply to comment #11)
> Fixed in release snapshot. This bug is finally GLSA vote ready ;)
> 

Thanks Peter for the reminder ;)
I vote NO.

------- Comment #13 From Robert Buchholz 2008-06-16 22:53:41 0000 -------
I think we could GLSA this bug together with bug 212351. By itself, I would
vote no.

------- Comment #14 From Raphael Marichez 2008-08-05 15:13:24 0000 -------
OK with bug 212351

------- Comment #15 From Matt Drew 2008-09-08 16:58:20 0000 -------
I vote yes, with bug 212351.

------- Comment #16 From Pierre-Yves Rofes 2008-09-18 21:55:14 0000 -------
(In reply to comment #13)
> I think we could GLSA this bug together with bug 212351. By itself, I would
> vote no.

(In reply to comment #14)
> OK with bug 212351
> 

(In reply to comment #15)
> I vote yes, with bug 212351.

Request was already filed with... bug 212351 :)
