From http://www.openwall.com/lists/oss-security/2015/03/24/9:

It was found that the QEMU websocket frame decoder processed incoming frames without limiting the resources used to process the header and payload. An attacker able to access a guest's VNC console could use this flaw to trigger a denial of service on the host by exhausting all available memory and CPU.

Acknowledgements: This issue was discovered by Daniel P. Berrange of Red Hat.

Upstream patch submission: https://lists.gnu.org/archive/html/qemu-devel/2015-03/msg04894.html

From http://www.openwall.com/lists/oss-security/2015/03/24/4:

Due to inconsistent error checking, the QEMU emulator allows malicious PRDT data to flow from a guest to the host's IDE or AHCI controllers. This could result in an infinite loop or memory leakage on the host, leading to unbounded resource consumption. A privileged user inside the guest could use this flaw to crash the system, resulting in a DoS.

Upstream fix:
-> http://git.qemu.org/?p=qemu.git;a=commitdiff;h=3251bdcf1c67427d964517053c3d185b46e618e8

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
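The websocket issue above is a bounding problem: a frame header can announce a payload of up to 2^63 bytes, and a decoder that trusts that length and reserves space for it before checking it can be driven to exhaust host memory. The following is an added example written for this thread, not QEMU's code and not the upstream patch: a RFC 6455 frame-header parser that validates the length encoding and rejects any payload above a caller-supplied cap before the masking key is read or any buffer is sized. The sample frames, the 1 MiB cap and the helper names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical per-frame payload cap; a real server would size this to its use case. */
#define WS_MAX_PAYLOAD (1ull << 20)   /* 1 MiB */

enum ws_status { WS_OK = 0, WS_NEED_MORE = 1, WS_TOO_LARGE = 2, WS_BAD = 3 };

typedef struct {
    uint8_t  fin;
    uint8_t  opcode;
    uint8_t  masked;
    uint8_t  mask_key[4];
    uint64_t payload_len;
    size_t   header_len;   /* bytes consumed by the header, valid only on WS_OK */
} ws_frame_hdr;

/* Parse one frame header from buf[0..len). Returns WS_OK and fills *hdr, or a
 * reason not to proceed. The length limit is enforced before anything else is
 * derived from the untrusted length, so an oversized announcement costs nothing. */
enum ws_status ws_parse_header(const uint8_t *buf, size_t len,
                               ws_frame_hdr *hdr, uint64_t max_payload)
{
    if (len < 2) return WS_NEED_MORE;
    memset(hdr, 0, sizeof(*hdr));
    hdr->fin = (buf[0] & 0x80) != 0;
    if (buf[0] & 0x70) return WS_BAD;            /* RSV bits without a negotiated extension */
    hdr->opcode = buf[0] & 0x0f;
    hdr->masked = (buf[1] & 0x80) != 0;
    uint8_t len7 = buf[1] & 0x7f;
    size_t pos = 2;
    if (len7 < 126) {
        hdr->payload_len = len7;
    } else if (len7 == 126) {
        if (len < pos + 2) return WS_NEED_MORE;
        hdr->payload_len = ((uint64_t)buf[2] << 8) | buf[3];
        pos += 2;
        if (hdr->payload_len < 126) return WS_BAD;   /* non-minimal encoding */
    } else {
        if (len < pos + 8) return WS_NEED_MORE;
        uint64_t v = 0;
        for (int i = 0; i < 8; i++) v = (v << 8) | buf[pos + i];
        pos += 8;
        if (v & 0x8000000000000000ULL) return WS_BAD; /* RFC 6455: MSB must be zero */
        if (v < 65536) return WS_BAD;                 /* non-minimal encoding */
        hdr->payload_len = v;
    }
    /* The only line that matters for the DoS: bound the announced length before use. */
    if (hdr->payload_len > max_payload) return WS_TOO_LARGE;
    if (hdr->masked) {
        if (len < pos + 4) return WS_NEED_MORE;
        memcpy(hdr->mask_key, buf + pos, 4);
        pos += 4;
    }
    hdr->header_len = pos;
    return WS_OK;
}

/* Status of a frame buffer under the default cap (thin wrapper for callers/tests). */
int ws_probe(const uint8_t *buf, size_t len)
{
    ws_frame_hdr h;
    return (int)ws_parse_header(buf, len, &h, WS_MAX_PAYLOAD);
}

/* Header length of a frame, or -1 if the header is not accepted. */
int ws_probe_header_len(const uint8_t *buf, size_t len)
{
    ws_frame_hdr h;
    if (ws_parse_header(buf, len, &h, WS_MAX_PAYLOAD) != WS_OK) return -1;
    return (int)h.header_len;
}

/* Unmask a complete, accepted frame into a fixed local buffer and compare with
 * the expected text. Returns 1 on match, 0 otherwise. Only after the header has
 * passed the cap is any copying done, and only into a buffer sized by the callee. */
int ws_payload_matches(const uint8_t *buf, size_t len, const char *expected)
{
    ws_frame_hdr h;
    uint8_t out[64];
    if (ws_parse_header(buf, len, &h, WS_MAX_PAYLOAD) != WS_OK) return 0;
    if (h.payload_len > sizeof out) return 0;
    if (len < h.header_len + h.payload_len) return 0;      /* frame not complete yet */
    for (size_t i = 0; i < h.payload_len; i++)
        out[i] = buf[h.header_len + i] ^ (h.masked ? h.mask_key[i % 4] : 0);
    return h.payload_len == strlen(expected) && memcmp(out, expected, h.payload_len) == 0;
}

/* Constructed sample frames (not captured traffic). */
const uint8_t SAMPLE_SMALL[]  = {0x81, 0x85, 0x12, 0x34, 0x56, 0x78,   /* masked text "Hello" */
                                 0x5A, 0x51, 0x3A, 0x14, 0x7D};
const uint8_t SAMPLE_MEDIUM[] = {0x81, 0x7E, 0x01, 0x00};               /* announces 256 bytes */
const uint8_t SAMPLE_HUGE[]   = {0x82, 0x7F, 0x00, 0x00, 0x00, 0x01,    /* announces 2^32 bytes */
                                 0x00, 0x00, 0x00, 0x00};
const uint8_t SAMPLE_TRUNC[]  = {0x81};                                 /* header cut short */

int main(void)
{
    printf("small : %d\n", ws_probe(SAMPLE_SMALL, sizeof SAMPLE_SMALL));    /* 0 = WS_OK */
    printf("medium: %d\n", ws_probe(SAMPLE_MEDIUM, sizeof SAMPLE_MEDIUM));  /* 0 = WS_OK */
    printf("huge  : %d\n", ws_probe(SAMPLE_HUGE, sizeof SAMPLE_HUGE));      /* 2 = WS_TOO_LARGE */
    printf("trunc : %d\n", ws_probe(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));    /* 1 = WS_NEED_MORE */
    return 0;
}
```

The point of the ordering is that `WS_TOO_LARGE` is returned from a fixed-size stack structure; the decoder has not allocated, grown a buffer, or looped over the announced length, so a client sending nothing but maximal headers costs the server a few bytes of parsing per frame and a closed connection. Whatever the cap is, the frame must be dropped before its length feeds any allocation.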
The IDE change has been merged, but not the VNC one. Probably going to just wait for that to be sorted out first.
(In reply to SpanKY from comment #1)
> the IDE change has been merged, but not the VNC one. probably going to just
> wait for that to be sorted out first.

That's fine.
From http://www.openwall.com/lists/oss-security/2015/04/09/6:

Upstream patches:
http://git.qemu.org/?p=qemu.git;a=commit;h=a2bebfd6e09d
http://git.qemu.org/?p=qemu.git;a=commit;h=2cdb5e142fb93

Please note that the first patch committed to the QEMU project git is slightly different from the initial submission, as it includes a fix for a regression caused by the original patch.
The IDE PRDT fix is already in qemu-2.2.0, and that's already in stable. This bug is now just for the VNC issue.
Commit message: Add fixes from upstream for CVE-2015-1779

http://sources.gentoo.org/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-1.patch?rev=1.1
http://sources.gentoo.org/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-2.patch?rev=1.1
http://sources.gentoo.org/app-emulation/qemu/qemu-2.2.1-r1.ebuild?rev=1.1
+ 14 May 2015; Agostino Sarubbo <ago@gentoo.org> + -files/qemu-2.1.1-readlink-self.patch, + -files/qemu-2.1.2-vnc-sanitize-bits.patch, -qemu-2.1.2-r2.ebuild, + -qemu-2.1.3-r1.ebuild, -qemu-2.1.3.ebuild, -qemu-2.2.0.ebuild, + -qemu-2.2.1-r1.ebuild, -qemu-2.2.1.ebuild, -qemu-2.3.0.ebuild, + qemu-2.2.1-r2.ebuild: + Stable for amd64/x86 - remove old. Security please vote.
GLSA Vote: Yes
Vote: NO.
Arches and Maintainer(s), thank you for your work.

Added to an existing GLSA request.
This issue was resolved and addressed in GLSA 201602-01 at https://security.gentoo.org/glsa/201602-01 by GLSA coordinator Kristian Fiskerstrand (K_F).