Bug 188148

Summary:

app-emulation/bochs DoS and heap overflow (CVE 2007-28{93,94})

Product:

Gentoo Security

Reporter:

Matt Fleming (RETIRED) <mjf>

Component:

Vulnerabilities

Assignee:

Gentoo Security <security>

Status:

RESOLVED FIXED

Severity:

major

CC:

carenas, lu_zero

Priority:

High

Version:

unspecified

Hardware:

All

OS:

Linux

Whiteboard:

B1 [glsa]

Package list:

Runtime testing required:

---

Attachments:

Description	Flags
fix for CVE-2007-2893 from CVS	none
fix for CVE-2007-2894 from CVS	none

Description Matt Fleming (RETIRED) gentoo-dev

2007-08-08 19:10:26 UTC

Tavis Ormandy discovered two issues that affect bochs <= 2.3

The first issue is caused by a heap overflow error in the emulated NE2000 device that allows a large value in the TXCNT register to exceed the available memory, which could be exploited by an attacker with "root" privileges on a vulnerable guest system to execute arbitrary code on the host system.

The second vulnerability is caused by a divide-by-zero in the emulated floppy disk controller, which could be exploited by malicious users to terminate the bochs process, creating a denial of service condition.

http://www.frsirt.com/english/advisories/2007/1936

Comment 1 Matt Fleming (RETIRED) gentoo-dev

2007-08-08 19:16:38 UTC

CC'ing maintainer and setting whiteboard status.

Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-08-14 10:45:47 UTC

Debian seems to have fixed this with DSA 1351-1.

Comment 3 Carlo Marcelo Arenas Belon 2007-09-03 21:30:26 UTC

fedora also published a fix which links to the following already closed (in cvs) upstream bug report :

http://sourceforge.net/tracker/?func=detail&atid=112580&aid=1729822&group_id=12580

fedora's CVS contains patches for both bugs that apply to 2.3 in :

http://cvs.fedoraproject.org/viewcvs/devel/bochs/

Comment 4 Carlo Marcelo Arenas Belon 2007-09-03 22:29:14 UTC

Created attachment 129950 [details, diff]
fix for CVE-2007-2893 from CVS

reconstructed from CVS with information from fedora package.

tested in bochs-2.3 for amd64

Comment 5 Carlo Marcelo Arenas Belon 2007-09-03 22:30:22 UTC

Created attachment 129952 [details, diff]
fix for CVE-2007-2894 from CVS

reconstructed from CVS with information from fedora package.

tested in bochs-2.3 for amd64

Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-09-08 15:32:57 UTC

lu_zero please advise.

Comment 7 Luca Barbato gentoo-dev

2007-09-09 00:10:24 UTC

bochs-2.3 doesn't build for me and I'm tempted to remove it since qemu covers the needs in a simpler and faster way. I'll try to come up either with a snapshot that builds or using the patches on the previous version.

Comment 8 Luca Barbato gentoo-dev

2007-09-09 11:47:33 UTC

spent more time on bochs-2.3 and eventually sorted my, seems to be, local issue.

Ebuild committed as ~arch

Comment 9 Christian Faulhammer (RETIRED) gentoo-dev

2007-09-09 11:52:12 UTC

Arches please stabilise app-emulation/bochs-2.3

Comment 10 Christian Faulhammer (RETIRED) gentoo-dev

2007-09-09 16:10:53 UTC

lu_zero did ppc and x86 has been stabled by me

Comment 11 Raúl Porcel (RETIRED) gentoo-dev

2007-09-10 09:57:22 UTC

alpha stable

Comment 12 Christoph Mende (RETIRED) gentoo-dev

2007-09-16 15:08:00 UTC

amd64 stable

Comment 13 Christian Faulhammer (RETIRED) gentoo-dev

2007-09-16 16:51:54 UTC

Please file GLSA request

Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-09-29 14:10:35 UTC

(In reply to comment #13)
> Please file GLSA request
> 
done.

Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-11-18 00:21:26 UTC

GLSA 200711-21