Bug 572412 (CVE-2016-1981)

Summary:	<app-emulation/qemu-2.5.0-r2: e1000 infinite loop in start_xmit and e1000_receive_iov routines (CVE-2016-1981)
Product:	Gentoo Security	Reporter:	Agostino Sarubbo <ago>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	qemu+disabled
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://www.openwall.com/lists/oss-security/2016/01/19/10
Whiteboard:	B3 [glsa cve]
Package list:		Runtime testing required:	---
Bug Depends on:	578044
Bug Blocks:

Description Agostino Sarubbo gentoo-dev

2016-01-20 08:15:30 UTC

From ${URL} :

Qemu emulator built with the e1000 NIC emulation support is vulnerable to an 
infinite loop issue. It could occur while processing data via transmit or 
receive descriptors, provided the initial receive/transmit descriptor 
head(TDH/RDH) is set outside the allocated descriptor buffer.

A privileged user inside guest could use this flaw to crash the Qemu instance 
resulting in DoS.

Upstream patch
- --------------
   -> https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg03454.html

Reference:
- ----------
   -> https://bugzilla.redhat.com/show_bug.cgi?id=1298570



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 SpanKY gentoo-dev

2016-03-23 04:11:15 UTC

fixed landed upstream here:
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=dd793a74882477ca38d49e191110c17dfee51dcc

Comment 2 SpanKY gentoo-dev

2016-03-23 05:26:00 UTC

this is in qemu-2.5.0-r2 and is fine for stable

Comment 3 Aaron Bauman (RETIRED) gentoo-dev

2016-03-23 06:13:32 UTC

Added to existing GLSA.

Comment 4 Yury German Gentoo Infrastructure

2016-04-02 17:18:29 UTC

Clean as part of bug #567420

Comment 5 GLSAMaker/CVETool Bot gentoo-dev

2016-04-02 18:27:45 UTC

This issue was resolved and addressed in
 GLSA 201604-01 at https://security.gentoo.org/glsa/201604-01
by GLSA coordinator Yury German (BlueKnight).