Bug 400595 (CVE-2012-0029) - app-emulation/qemu-{0.11.1,kvm-1.0-r3} "process_tx_desc()" Buffer Overflow Vulnerability (CVE-2012-0029)
Status: RESOLVED FIXED
Alias: CVE-2012-0029
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://secunia.com/advisories/47740/
Whiteboard: B1 [glsa]
Depends on: CVE-2011-2512
Reported: 2012-01-24 13:09 UTC by Agostino Sarubbo
Modified: 2012-10-18 20:59 UTC (History)

Description Agostino Sarubbo gentoo-dev 2012-01-24 13:09:32 UTC
From secunia security advisory at $URL:

Description:
The vulnerability is caused due to a boundary error within the "process_tx_desc()" function (hw/e1000.c) when handling legacy mode packets while reading DMA requests. This can be exploited to cause a heap-based buffer overflow via a specially crafted packet.


Solution:
Fixed in the GIT repository.

Original Advisory:
https://bugzilla.redhat.com/show_bug.cgi?id=772075
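The descriptor-chain handling the advisory describes, as an added model written for this page; it is not QEMU's code and not part of this bug. The names tx_state, tx_desc, process_chain, dma_read and guest_mem are stand-ins chosen here; the 64 KiB packet buffer matches the size of tp->data in QEMU's e1000 TX state, and the clamp in the bounded variant mirrors the bounds check added by the upstream fix ("e1000: bounds packet size against buffer size"). The unbounded variant reports where the real code would write past the buffer instead of performing the write.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef MIN
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#endif

/* One 64 KiB packet buffer, the size of tp->data in QEMU's e1000 TX state. */
#define E1000_TX_BUF_SIZE 0x10000

/* Hypothetical, simplified stand-in for the e1000 TX state (tp in QEMU). */
struct tx_state {
    uint8_t data[E1000_TX_BUF_SIZE];
    size_t size;          /* bytes of the current packet accumulated so far */
};

/* Hypothetical, simplified legacy TX descriptor. Every field is guest-controlled;
 * the real descriptor carries the length in the low 16 bits of its "lower" word. */
struct tx_desc {
    uint32_t buffer_addr; /* here: an offset into the constructed guest memory */
    uint16_t length;      /* up to 65535 bytes per descriptor */
    bool eop;             /* end of packet: transmit and reset tp->size */
};

/* Constructed guest memory the device "DMAs" from (stand-in for pci_dma_read()). */
static uint8_t guest_mem[E1000_TX_BUF_SIZE];

/* The modelled TX state lives at file scope so both variants share it. */
static struct tx_state tp_model;

static int dma_read(uint8_t *dst, uint32_t addr, size_t len)
{
    if ((size_t)addr + len > sizeof(guest_mem))
        return -1;        /* outside the modelled guest memory */
    memcpy(dst, guest_mem + addr, len);
    return 0;
}

/* Walks a chain of legacy-mode descriptors the way process_tx_desc() does:
 * copy each payload to tp->data + tp->size, advance tp->size, and at EOP hand
 * the packet on and reset. With bounded == false the copy length is taken as
 * the guest supplied it (the vulnerable behaviour); rather than perform the
 * out-of-bounds memcpy, the model returns -1 at the point the real code would
 * overflow. With bounded == true the length is clamped to the space left in
 * tp->data, the check the upstream fix adds. Returns the number of packets
 * transmitted, -1 for a would-be overflow, -2 for a DMA error; the size of the
 * last transmitted packet is stored in *last_len. */
static int process_chain(struct tx_state *tp, const struct tx_desc *descs,
                         size_t n, bool bounded, size_t *last_len)
{
    int sent = 0;
    tp->size = 0;
    *last_len = 0;
    for (size_t i = 0; i < n; i++) {
        size_t split_size = descs[i].length;
        if (bounded) {
            split_size = MIN(sizeof(tp->data) - tp->size, split_size);
        } else if (tp->size + split_size > sizeof(tp->data)) {
            /* tp is embedded in the heap-allocated device state, so this
             * write would corrupt whatever follows it on the heap. */
            return -1;
        }
        if (dma_read(tp->data + tp->size, descs[i].buffer_addr, split_size) != 0)
            return -2;
        tp->size += split_size;
        if (descs[i].eop) {
            *last_len = tp->size;   /* the packet would be sent to the backend here */
            tp->size = 0;
            sent++;
        }
    }
    return sent;
}

int main(void)
{
    size_t len;
    int r;
    /* Constructed: a normal 1514-byte frame in one descriptor. */
    const struct tx_desc benign[] = { { 0, 1514, true } };
    /* Constructed: two descriptors totalling 0x10001 bytes with no EOP between
     * them, the shape a malicious guest driver would queue. */
    const struct tx_desc crafted[] = { { 0, 0x8000, false }, { 0, 0x8001, true } };

    memset(guest_mem, 0xA5, sizeof(guest_mem));

    r = process_chain(&tp_model, benign, 1, false, &len);
    printf("benign,  unbounded: sent=%d last_len=%zu\n", r, len);
    r = process_chain(&tp_model, crafted, 2, false, &len);
    printf("crafted, unbounded: %s\n", r == -1 ? "would overflow tp->data" : "ok");
    r = process_chain(&tp_model, crafted, 2, true, &len);
    printf("crafted, bounded:   sent=%d last_len=%zu (truncated to the buffer)\n", r, len);
    return 0;
}
```

The point the model makes is that no single descriptor can overflow the buffer (a 16-bit length never exceeds 64 KiB); it is the accumulation across descriptors without an EOP that does, which is why the fix clamps against the space remaining rather than the per-descriptor length. The bounded variant still sends the truncated packet, as the upstream fix does; it only refuses to write outside tp->data.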
Comment 1 Agostino Sarubbo gentoo-dev 2012-01-24 13:14:04 UTC
@qemu:

Sorry for the extra work, please check if this vulnerability is also present in the 0.x version.
- If yes, we must stabilize a new revision that will contain the fix.
- If not, you should only bump an updated version of 1.x, no stabilization needed
Comment 2 Doug Goldstein (RETIRED) gentoo-dev 2012-01-25 06:29:51 UTC
For qemu-kvm-1.0, this is fixed in qemu-kvm-1.0-r2.
Comment 3 Doug Goldstein (RETIRED) gentoo-dev 2012-01-25 06:32:06 UTC
(In reply to comment #1)
> @qemu:
> 
> Sorry for extra works, please check if this vulnerability is verified also in
> 0.x version. 
> - If yes we must stabilize a new revision that will contains the fix. 
> - If not you should only bump an updated version of 1.x, no stabilization
> needed

It affects all back versions as far as I can tell.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-01-28 04:45:13 UTC
Am I correct in thinking this is fixed in both qemu-1.0-r2 and qemu-kvm-1.0-r2? If so, shall we move forward with stabilization? Thanks!
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2012-01-28 07:37:21 UTC
(In reply to comment #4)
> Am I correct in thinking this is fixed in both qemu-1.0-r2 and qemu-kvm-1.0-r2?
> If so, shall we move forward with stabilization? Thanks!

Yes, you are correct.
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2012-01-28 11:56:15 UTC
> > Am I correct in thinking this is fixed in both qemu-1.0-r2 and qemu-kvm-1.0-r2?
> > If so, shall we move forward with stabilization? Thanks!
> 
> Yes, you are correct.

I ask for stable keywords for
    =app-emulation/qemu-0.11.1-r1
for arches:
    x86 amd64

It's a qemu-0.11.1 with security patch on top, so some QA problems
are still in place.

I am sticking with old 0.11.1 version as it's the latest version
supporting kqemu.
Comment 7 Doug Goldstein (RETIRED) gentoo-dev 2012-01-28 21:10:44 UTC
Well it was my intent (qemu-kvm maintainer) and lu_zero's (qemu maintainer) intent to drop app-emulation/qemu from the tree entirely with the release of app-emulation/qemu-kvm.
Comment 8 Luca Barbato gentoo-dev 2012-01-28 21:18:34 UTC
qemu is staying around mostly for qemu-user usage. We might drop qemu and use just qemu-kvm and qemu-user-static since those are the main usages.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-01-30 12:18:02 UTC
CVE-2012-0029 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0029):
  Heap-based buffer overflow in the process_tx_desc function in the e1000
  emulation (hw/e1000.c) in qemu-kvm 0.12, and possibly other versions, allows
  guest OS users to cause a denial of service (QEMU crash) and possibly
  execute arbitrary code via crafted legacy mode packets.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2012-02-27 21:58:24 UTC
Added to pending GLSA request.
Comment 11 Doug Goldstein (RETIRED) gentoo-dev 2012-03-08 16:21:13 UTC
stabilize: app-emulation/qemu-kvm-1.0-r3 (as requested in bug #373997)

target keywords: amd64 x86
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2012-04-03 09:52:26 UTC
Hi,

this is not fixed in 1.0-r3, but in 1.0.1!

http://wiki.qemu.org/ChangeLog/1.0#1.0.1 -> "e1000: bounds packet size against buffer size" -> http://repo.or.cz/w/qemu.git/commitdiff/d0ed2d2
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2012-04-03 10:06:51 UTC
Oh my. It's actually fixed with qemu-kvm-1.0-e1000-bounds-packet-size-against-buffer-size.patch, I just made a mistake when unpacking. Ignore the last message, sorry for bugspam.
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2012-05-09 22:51:25 UTC
Moved to [glsa]. 

If I am puzzling this out correctly, we stabilized a fixed qemu-kvm, =app-emulation/qemu-kvm-1.0-r3, in bug 373997, and a fixed qemu, =app-emulation/qemu-0.11.1, via bug 356685.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2012-10-18 20:59:34 UTC
This issue was resolved and addressed in
 GLSA 201210-04 at http://security.gentoo.org/glsa/glsa-201210-04.xml
by GLSA coordinator Stefan Behte (craig).