
Bug 252266 (CVE-2008-2382)

Summary: <app-emulation/qemu-0.11.1 Denial of Service (CVE-2008-2382)
Product: Gentoo Security
Reporter: Bruno Buss <bruno.buss>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED OBSOLETE
Severity: minor
CC: jesse, lu_zero
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.coresecurity.com/content/vnc-remote-dos
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 290643

Description Bruno Buss 2008-12-23 13:31:52 UTC
Description:
"The VNC server of the Qemu and KVM virtualization solutions is vulnerable to a remote DoS: when specially crafted packets are received by the host VNC server, it enters an infinite loop.

Successful exploitation causes the host server to enter an infinite loop and cease to function. The vulnerability can be triggered remotely by external hosts or virtualized guests. No special privileges are required to perform the Denial of Service."

Also from Secunia:
http://secunia.com/Advisories/33293/

Fix in SVN:
http://svn.savannah.gnu.org/viewvc?view=rev&root=qemu&revision=6121
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2009-10-26 21:53:50 UTC
Luca, I see there are lots of bugs open against qemu and there is a lot to do, so I don't want to put too much pressure on you. However, our latest stable qemu seems to be in a bad situation security-wise. Please see bug #290643.
Comment 2 Jesse Adelman 2010-01-18 23:47:16 UTC
0.12.1 was released on December 20th. Perhaps just bumping the version will ameliorate the security problem, and update Portage to track upstream's release. Cheers!

"QEMU Changelog

version 0.12.1:
  - loader: fix rom loading at address 0 (fixes target-arm) (Aurelien Jarno)
  - loader: fix rom_copy (fixes multiboot) (Kevin Wolf)

version 0.12.0:
  - Update to SeaBIOS 0.5.0
  - e1000: fix device link status in Linux (Anthony Liguori)
  - monitor: fix QMP for balloon command (Luiz Capitulino)
  - QMP: Return an empty dict by default (Luiz Capitulino)
  - QMP: Only handle converted commands (Luiz Capitulino)
  - pci: support PCI based option rom loading (Gerd Hoffman/Anthony Liguori)
  - Fix backcompat for hotplug of SCSI controllers (Daniel P. Berrange)
  - fdc: fix migration from 0.11 (Juan Quintela)
  - vmware-vga: fix segv on cursor resize. (Dave Airlie)
  - vmware-vga: various fixes (Dave Airlie/Anthony Liguori)
  - qdev: improve property error reporting. (Gerd Hoffmann)
  - fix vga names in default_list (Gerd Hoffmann)
  - usb-host: check mon before using it. (Gerd Hoffmann)
  - usb-net: use qdev for -usbdevice (Gerd Hoffmann)
  - monitor: Catch printing to non-existent monitor (Luiz Capitulino)
  - Avoid permanently disabled QEMU monitor when UNIX migration fails (Daniel P. Berrange)
  - Fix loading of ELF multiboot kernels (Kevin Wolf)
  - qemu-io: Fix memory leak (Kevin Wolf)
  - Fix thinko in linuxboot.S (Paolo Bonzini)
  - target-i386: Fix evaluation of DR7 register (Jan Kiszka)
  - vnc: hextile: do not generate ForegroundSpecified and SubrectsColoured tiles (Anthony Liguori)
  - S390: Bail out without KVM (Alexander Graf)
  - S390: Don't tell guest we're updating config space (Alexander Graf)
  - target-s390: Fail on unknown instructions (Alexander Graf)
  - osdep: Fix runtime failure on older Linux kernels (Andre Przywara)
  - Fix a make -j race (Juergen Lock)
  - target-alpha: Fix generic ctz64. (Richard Henderson)
  - s390: Fix buggy assignment (Stefan Weil)
  - target-mips: fix user-mode emulation startup (Nathan Froyd)
  - target-i386: Update CPUID feature set for TCG (Andre Przywara)
  - s390: fix build on 32 bit host (Michael S. Tsirkin)

version 0.12.0-rc2:
  - v2: properly save kvm system time msr registers (Glauber Costa)
  - convert more monitor commands to qmp (Luiz Capitulino)
  - vnc: fix capslock tracking logic. (Gerd Hoffmann)
  - QemuOpts: allow larger option values. (Gerd Hoffmann)
  - scsi: fix drive hotplug. (Gerd Hoffmann)
  - pci: don't hw_error() when no slot is available. (Gerd Hoffmann)
  - pci: don't abort() when trying to hotplug with acpi off. (Gerd Hoffmann)
  - allow default devices to be implemented in config file (Gerd Hoffman)
  - vc: colorize chardev title line with blue background. (Gerd Hoffmann)
  - chardev: make chardevs specified in config file work. (Gerd Hoffmann)
  - qdev: also match bus name for global properties (Gerd Hoffmann)
  - qdev: add command line option to set global defaults for properties. (Gerd Hoffmann)
  - kvm: x86: Save/restore exception_index (Jan Kiszka)
  - qdev: Replace device names containing whitespace (Markus Armbruster)
  - fix rtc-td-hack on host without high-res timers (Gleb Natapov)
  - virtio: verify features on load (Michael S. Tsirkin)
  - vmware_vga: add rom file so that it boots. (Dave Airlie)
  - Do not abort on qemu_malloc(0) in production builds (Anthony Liguori)
  - Fix ARM userspace strex implementation. (Paul Brook)
  - qemu: delete rule target on error (Michael S. Tsirkin)
  - QMP: add human-readable description to error response (Markus Armbruster)
  - convert more monitor commands to QError (Markus Armbruster)
  - monitor: Fix double-prompt after "change vnc passwd BLA" (Markus Armbruster)
  - monitor: do_cont(): Don't ask for passwords (Luiz Capitulino)
  - monitor: Introduce 'block_passwd' command (Luiz Capitulino)
  - pci: interrupt disable bit support (Michael S. Tsirkin)
  - pci: interrupt status bit implementation (Michael S. Tsirkin)
  - pci: prepare irq code for interrupt state (Michael S. Tsirkin)
  - msix: function mask support (Michael S. Tsirkin)
  - msix: macro rename for function mask support (Michael S. Tsirkin)
  - cpuid: Fix multicore setup on Intel (Andre Przywara)
  - kvm: x86: Fix initial kvm_has_msr_star (Jan Kiszka)
  - Update OpenBIOS images to r640 (Aurelien Jarno)"
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-09 17:34:20 UTC
GLSA vote: yes.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-03-11 06:52:45 UTC
GLSA Vote: yes, too. Added to existing request.
Comment 5 Sergey Popov (RETIRED) gentoo-dev 2013-01-21 17:02:04 UTC
@security, <app-emulation/qemu-0.11.1 has been gone from the tree for some time; maybe this should be closed?