188148 2007-08-08 19:10 0000 app-emulation/bochs DoS and heap overflow (CVE 2007-28{93,94}) 2007-11-18 00:21:26 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED B1 [glsa] P2 major --- 1 mjf@gentoo.org security@gentoo.org carenas@sajinet.com.pe lu_zero@gentoo.org mjf@gentoo.org 2007-08-08 19:10:26 0000 Tavis Ormandy discovered two issues that affect bochs <= 2.3 The first issue is caused by a heap overflow error in the emulated NE2000 device that allows a large value in the TXCNT register to exceed the available memory, which could be exploited by an attacker with "root" privileges on a vulnerable guest system to execute arbitrary code on the host system. The second vulnerability is caused by a divide-by-zero in the emulated floppy disk controller, which could be exploited by malicious users to terminate the bochs process, creating a denial of service condition. http://www.frsirt.com/english/advisories/2007/1936 mjf@gentoo.org 2007-08-08 19:16:38 0000 CC'ing maintainer and setting whiteboard status. jaervosz@gentoo.org 2007-08-14 10:45:47 0000 Debian seems to have fixed this with DSA 1351-1. carenas@sajinet.com.pe 2007-09-03 21:30:26 0000 fedora also published a fix which links to the following already closed (in cvs) upstream bug report : http://sourceforge.net/tracker/?func=detail&atid=112580&aid=1729822&group_id=12580 fedora's CVS contains patches for both bugs that apply to 2.3 in : http://cvs.fedoraproject.org/viewcvs/devel/bochs/ carenas@sajinet.com.pe 2007-09-03 22:29:14 0000 Created an attachment (id=129950) fix for CVE-2007-2893 from CVS reconstructed from CVS with information from fedora package. tested in bochs-2.3 for amd64 carenas@sajinet.com.pe 2007-09-03 22:30:22 0000 Created an attachment (id=129952) fix for CVE-2007-2894 from CVS reconstructed from CVS with information from fedora package. tested in bochs-2.3 for amd64 jaervosz@gentoo.org 2007-09-08 15:32:57 0000 lu_zero please advise. lu_zero@gentoo.org 2007-09-09 00:10:24 0000 bochs-2.3 doesn't build for me and I'm tempted to remove it since qemu covers the needs in a simpler and faster way. I'll try to come up either with a snapshot that builds or using the patches on the previous version. lu_zero@gentoo.org 2007-09-09 11:47:33 0000 spent more time on bochs-2.3 and eventually sorted my, seems to be, local issue. Ebuild committed as ~arch fauli@gentoo.org 2007-09-09 11:52:12 0000 Arches please stabilise app-emulation/bochs-2.3 fauli@gentoo.org 2007-09-09 16:10:53 0000 lu_zero did ppc and x86 has been stabled by me armin76@gentoo.org 2007-09-10 09:57:22 0000 alpha stable angelos@gentoo.org 2007-09-16 15:08:00 0000 amd64 stable fauli@gentoo.org 2007-09-16 16:51:54 0000 Please file GLSA request py@gentoo.org 2007-09-29 14:10:35 0000 (In reply to comment #13) > Please file GLSA request > done. py@gentoo.org 2007-11-18 00:21:26 0000 GLSA 200711-21 129950 2007-09-03 22:29 0000 fix for CVE-2007-2893 from CVS bochs-2.3-CVE-2007-2893.patch text/plain SW5kZXg6IGlvZGV2L25lMmsuY2MKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQpSQ1MgZmlsZTogL2N2c3Jvb3QvYm9jaHMv Ym9jaHMvaW9kZXYvbmUyay5jYyx2CnJldHJpZXZpbmcgcmV2aXNpb24gMS45MQpyZXRyaWV2aW5n IHJldmlzaW9uIDEuOTIKZGlmZiAtdSAtcCAtcjEuOTEgLXIxLjkyCi0tLSBpb2Rldi9uZTJrLmNj CTMgRmViIDIwMDcgMTc6NTY6MzUgLTAwMDAJMS45MQorKysgaW9kZXYvbmUyay5jYwkxMCBNYXIg MjAwNyAxNToxNzozMSAtMDAwMAkxLjkyCkBAIC0xMjc4LDggKzEyNzgsOCBAQCB2b2lkIGJ4X25l MmtfYzo6cnhfaGFuZGxlcih2b2lkICphcmcsIGNvCiAgKi8KIHZvaWQgYnhfbmUya19jOjpyeF9m cmFtZShjb25zdCB2b2lkICpidWYsIHVuc2lnbmVkIGlvX2xlbikKIHsKLSAgdW5zaWduZWQgcGFn ZXM7Ci0gIHVuc2lnbmVkIGF2YWlsOworICBpbnQgcGFnZXM7CisgIGludCBhdmFpbDsKICAgdW5z aWduZWQgaWR4OwogICBpbnQgd3JhcHBlZDsKICAgaW50IG5leHRwYWdlOwo= 129952 2007-09-03 22:30 0000 fix for CVE-2007-2894 from CVS bochs-2.3-CVE-2007-2894.patch text/plain SW5kZXg6IGlvZGV2L2Zsb3BweS5jYwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09ClJDUyBmaWxlOiAvY3Zzcm9vdC9ib2No cy9ib2Nocy9pb2Rldi9mbG9wcHkuY2MsdgpyZXRyaWV2aW5nIHJldmlzaW9uIDEuMTA2CnJldHJp ZXZpbmcgcmV2aXNpb24gMS4xMDcKZGlmZiAtdSAtcCAtcjEuMTA2IC1yMS4xMDcKLS0tIGlvZGV2 L2Zsb3BweS5jYwk2IEFwciAyMDA3IDE1OjIyOjE3IC0wMDAwCTEuMTA2CisrKyBpb2Rldi9mbG9w cHkuY2MJMjEgQXVnIDIwMDcgMTQ6MTg6MTYgLTAwMDAJMS4xMDcKQEAgLTE3ODUsNyArMTc4NSw3 IEBAIGJ4X2Jvb2wgYnhfZmxvcHB5X2N0cmxfYzo6ZXZhbHVhdGVfbWVkaWEKICAgICAgICAgfQog ICAgICAgICBtZWRpYS0+c2VjdG9ycyA9IG1lZGlhLT5oZWFkcyAqIG1lZGlhLT50cmFja3MgKiBt ZWRpYS0+c2VjdG9yc19wZXJfdHJhY2s7CiAgICAgfQotICAgIHJldHVybigxKTsgLy8gc3VjY2Vz cworICAgIHJldHVybiAobWVkaWEtPnNlY3RvcnMgPiAwKTsgLy8gc3VjY2VzcwogICB9CiAKICAg ZWxzZSBpZiAoIFNfSVNDSFIoc3RhdF9idWYuc3RfbW9kZSkKQEAgLTE4MDUsNyArMTgwNSw3IEBA IGJ4X2Jvb2wgYnhfZmxvcHB5X2N0cmxfYzo6ZXZhbHVhdGVfbWVkaWEKICAgICAgIG1lZGlhLT5o ZWFkcyAgICAgICAgICAgICA9IGZsb3BweV90eXBlW3R5cGVfaWR4XS5oZDsKICAgICAgIG1lZGlh LT5zZWN0b3JzX3Blcl90cmFjayA9IGZsb3BweV90eXBlW3R5cGVfaWR4XS5zcHQ7CiAgICAgICBt ZWRpYS0+c2VjdG9ycyAgICAgICAgICAgPSBmbG9wcHlfdHlwZVt0eXBlX2lkeF0uc2VjdG9yczsK LSAgICAgIHJldHVybiAxOworICAgICAgcmV0dXJuIChtZWRpYS0+c2VjdG9ycyA+IDApOwogICAg IH0KICAgICBtZWRpYS0+dHJhY2tzICAgICAgICAgICAgPSBmbG9wcHlfZ2VvbS50cmFjazsKICAg ICBtZWRpYS0+aGVhZHMgICAgICAgICAgICAgPSBmbG9wcHlfZ2VvbS5oZWFkOwpAQCAtMTgyMiw3 ICsxODIyLDcgQEAgYnhfYm9vbCBieF9mbG9wcHlfY3RybF9jOjpldmFsdWF0ZV9tZWRpYQogICAg IG1lZGlhLT5zZWN0b3JzX3Blcl90cmFjayA9IGZsb3BweV90eXBlW3R5cGVfaWR4XS5zcHQ7CiAg ICAgbWVkaWEtPnNlY3RvcnMgICAgICAgICAgID0gZmxvcHB5X3R5cGVbdHlwZV9pZHhdLnNlY3Rv cnM7CiAjZW5kaWYKLSAgICByZXR1cm4gMTsgLy8gc3VjY2VzcworICAgIHJldHVybiAobWVkaWEt PnNlY3RvcnMgPiAwKTsgLy8gc3VjY2VzcwogICB9IGVsc2UgewogICAgIC8vIHVua25vd24gZmls ZSB0eXBlCiAgICAgQlhfRVJST1IoKCJ1bmtub3duIG1vZGUgdHlwZSIpKTsK