Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 514680 (CVE-2014-3471)

Summary: <app-emulation/qemu-2.1.0-r1: hw: pci: use after free triggered via guest (CVE-2014-3471)
Product: Gentoo Security Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: cardoe, qemu+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-23 13:30:21 UTC
Qemu PCIe bus support is vulnerable to a use-after-free flaw. It could occur
via guest, when it tries to hotplug/hotunplug devices on the guest.

A user able to add & delete Virtio block devices on a guest could use this
flaw to crash the Qemu instance resulting in DoS.

Upstream fix in ${URL}
Comment 1 SpanKY gentoo-dev 2014-08-04 06:50:02 UTC
qemu-2.1.0 is in the tree now.  i think we should wait the normal 30 day period.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-09-09 19:48:22 UTC
Stabilized in Bug # 520688
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-10-05 01:52:01 UTC
Arches and Mainter(s), Thank you for your work.

Added to an existing GLSA request.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-12-08 22:48:20 UTC
This issue was resolved and addressed in
 GLSA 201412-01 at
by GLSA coordinator Kristian Fiskerstrand (K_F).