From secunia security advisory at $URL:

Description: The vulnerability is caused due to a boundary error within the "process_tx_desc()" function (hw/e1000.c) when handling legacy mode packets while reading DMA requests. This can be exploited to cause a heap-based buffer overflow via a specially crafted packet.

Solution: Fixed in the GIT repository.

Original Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=772075
@qemu: Sorry for the extra work, please check if this vulnerability is verified also in 0.x version.
- If yes we must stabilize a new revision that will contain the fix.
- If not you should only bump an updated version of 1.x, no stabilization needed
For qemu-kvm-1.0, this is fixed in qemu-kvm-1.0-r2.
(In reply to comment #1)
> @qemu:
>
> Sorry for the extra work, please check if this vulnerability is verified also in
> 0.x version.
> - If yes we must stabilize a new revision that will contain the fix.
> - If not you should only bump an updated version of 1.x, no stabilization
> needed

It affects all back versions as far as I can tell.
Am I correct in thinking this is fixed in both qemu-1.0-r2 and qemu-kvm-1.0-r2? If so, shall we move forward with stabilization? Thanks!
(In reply to comment #4)
> Am I correct in thinking this is fixed in both qemu-1.0-r2 and qemu-kvm-1.0-r2?
> If so, shall we move forward with stabilization? Thanks!

Yes, you are correct.
> > Am I correct in thinking this is fixed in both qemu-1.0-r2 and qemu-kvm-1.0-r2?
> > If so, shall we move forward with stabilization? Thanks!
>
> Yes, you are correct.

I ask for stable keywords for =app-emulation/qemu-0.11.1-r1 for arches: x86 amd64

It's qemu-0.11.1 with a security patch on top, so some QA problems are still in place. I am sticking with the old 0.11.1 version as it's the latest version supporting kqemu.
Well, it was my intent (qemu-kvm maintainer) and lu_zero's (qemu maintainer) to drop app-emulation/qemu from the tree entirely with the release of app-emulation/qemu-kvm.
qemu is staying around mostly for qemu-user usage. We might drop qemu and use just qemu-kvm and qemu-user-static since those are the main usages.
CVE-2012-0029 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0029): Heap-based buffer overflow in the process_tx_desc function in the e1000 emulation (hw/e1000.c) in qemu-kvm 0.12, and possibly other versions, allows guest OS users to cause a denial of service (QEMU crash) and possibly execute arbitrary code via crafted legacy mode packets.
Added to pending GLSA request.
stabilize: app-emulation/qemu-kvm-1.0-r3 (as requested in bug #373997)
target keywords: amd64 x86
Hi, this is not fixed in 1.0-r3, but in 1.0.1! http://wiki.qemu.org/ChangeLog/1.0#1.0.1 -> "e1000: bounds packet size against buffer size" -> http://repo.or.cz/w/qemu.git/commitdiff/d0ed2d2
Oh my. It's actually fixed with qemu-kvm-1.0-e1000-bounds-packet-size-against-buffer-size.patch, I just made a mistake when unpacking. Ignore the last message, sorry for bugspam.
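A simplified model of the flaw in the CVE text above (guest-controlled descriptor lengths accumulated into a fixed transmit buffer) and of the clamp that the commit "e1000: bounds packet size against buffer size" applies, added here as an example; it is not QEMU's code, and the struct, buffer size and descriptor lengths are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TX_BUF_SIZE 0x10000u   /* assumed size of the fixed transmit buffer */
#define MIN(a, b) ((a) < (b) ? (a) : (b))
/* Hypothetical stand-in for the per-adapter transmit state: a fixed
 * buffer plus the byte count accumulated across descriptors. */
struct tx_state {
    uint8_t data[TX_BUF_SIZE];
    size_t size;
};

/* Append one descriptor's payload. bounded == false trusts the guest-supplied
 * length (pre-fix behaviour); a copy that would run past data[] is reported,
 * not performed, so the model stays memory-safe. bounded == true clamps the
 * length to the space left, as "e1000: bounds packet size against buffer
 * size" does. Returns false only when the unbounded path would overflow. */
static bool tx_append(struct tx_state *tp, const uint8_t *src, size_t bytes,
                      bool bounded)
{
    if (bounded) {
        bytes = MIN(sizeof(tp->data) - tp->size, bytes);
    } else if (bytes > sizeof(tp->data) - tp->size) {
        return false;  /* heap write past the end of data[] would occur here */
    }
    memcpy(tp->data + tp->size, src, bytes);
    tp->size += bytes;
    return true;
}

/* Replay a constructed sequence of descriptor lengths. Returns the final
 * accumulated size, or -1 if the unbounded path would have overflowed. */
long replay_descriptors(const size_t *lens, size_t n, bool bounded)
{
    static struct tx_state tp;            /* static: 64 KiB is too big for the stack */
    static uint8_t payload[TX_BUF_SIZE];  /* constructed, zero-filled source data */
    memset(&tp, 0, sizeof(tp));
    for (size_t i = 0; i < n; i++) {
        if (!tx_append(&tp, payload, lens[i], bounded))
            return -1;
    }
    return (long)tp.size;
}

/* Constructed example: descriptor lengths that sum past TX_BUF_SIZE. */
const size_t crafted_lens[] = { 0x8000, 0x8000, 0x10 };
const size_t crafted_count = sizeof(crafted_lens) / sizeof(crafted_lens[0]);
```

On the constructed sequence the unbounded path reports an overflow at the third descriptor, while the bounded path accepts exactly TX_BUF_SIZE bytes and silently drops the excess.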
Moved to [glsa]. If I am puzzling this out correctly, we stabilized a fixed qemu-kvm, =app-emulation/qemu-kvm-1.0-r3, in bug 373997, and a fixed qemu, =app-emulation/qemu-0.11.1, via bug 356685.
This issue was resolved and addressed in GLSA 201210-04 at http://security.gentoo.org/glsa/glsa-201210-04.xml by GLSA coordinator Stefan Behte (craig).