Bug 188148 - app-emulation/bochs DoS and heap overflow (CVE 2007-28{93,94})
Bug#: 188148 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: major Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: mjf@gentoo.org
Component: Vulnerabilities
URL: 
Summary: app-emulation/bochs DoS and heap overflow (CVE 2007-28{93,94})
Keywords:  
Status Whiteboard: B1 [glsa]
Opened: 2007-08-08 19:10 0000
Description:   Opened: 2007-08-08 19:10 0000 
Tavis Ormandy discovered two issues that affect bochs <= 2.3

The first issue is caused by a heap overflow error in the emulated NE2000
device that allows a large value in the TXCNT register to exceed the available
memory, which could be exploited by an attacker with "root" privileges on a
vulnerable guest system to execute arbitrary code on the host system.

The second vulnerability is caused by a divide-by-zero in the emulated floppy
disk controller, which could be exploited by malicious users to terminate the
bochs process, creating a denial of service condition.

http://www.frsirt.com/english/advisories/2007/1936

------- Comment #1 From Matt Fleming (RETIRED) 2007-08-08 19:16:38 0000 ------- 
CC'ing maintainer and setting whiteboard status.

------- Comment #2 From Sune Kloppenborg Jeppesen 2007-08-14 10:45:47 0000 ------- 
Debian seems to have fixed this with DSA 1351-1.

------- Comment #3 From Carlo Marcelo Arenas Belon 2007-09-03 21:30:26 0000 ------- 
fedora also published a fix which links to the following already closed (in
cvs) upstream bug report :

http://sourceforge.net/tracker/?func=detail&atid=112580&aid=1729822&group_id=12580

fedora's CVS contains patches for both bugs that apply to 2.3 in :

http://cvs.fedoraproject.org/viewcvs/devel/bochs/

------- Comment #4 From Carlo Marcelo Arenas Belon 2007-09-03 22:29:14 0000 ------- 
Created an attachment (id=129950) [details]
fix for CVE-2007-2893 from CVS

reconstructed from CVS with information from fedora package.

tested in bochs-2.3 for amd64

------- Comment #5 From Carlo Marcelo Arenas Belon 2007-09-03 22:30:22 0000 ------- 
Created an attachment (id=129952) [details]
fix for CVE-2007-2894 from CVS

reconstructed from CVS with information from fedora package.

tested in bochs-2.3 for amd64

------- Comment #6 From Sune Kloppenborg Jeppesen 2007-09-08 15:32:57 0000 ------- 
lu_zero please advise.

------- Comment #7 From Luca Barbato 2007-09-09 00:10:24 0000 ------- 
bochs-2.3 doesn't build for me and I'm tempted to remove it since qemu covers
the needs in a simpler and faster way. I'll try to come up either with a
snapshot that builds or using the patches on the previous version.

------- Comment #8 From Luca Barbato 2007-09-09 11:47:33 0000 ------- 
spent more time on bochs-2.3 and eventually sorted my, seems to be, local
issue.

Ebuild committed as ~arch

------- Comment #9 From Christian Faulhammer 2007-09-09 11:52:12 0000 ------- 
Arches please stabilise app-emulation/bochs-2.3

------- Comment #10 From Christian Faulhammer 2007-09-09 16:10:53 0000 ------- 
lu_zero did ppc and x86 has been stabled by me

------- Comment #11 From Raúl Porcel 2007-09-10 09:57:22 0000 ------- 
alpha stable

------- Comment #12 From Christoph Mende 2007-09-16 15:08:00 0000 ------- 
amd64 stable

------- Comment #13 From Christian Faulhammer 2007-09-16 16:51:54 0000 ------- 
Please file GLSA request

------- Comment #14 From Pierre-Yves Rofes 2007-09-29 14:10:35 0000 ------- 
(In reply to comment #13)
> Please file GLSA request
> 
done.

------- Comment #15 From Pierre-Yves Rofes 2007-11-18 00:21:26 0000 ------- 
GLSA 200711-21