| Summary: | <app-emulation/qemu-2.1.2-r1: vnc: insufficient bits_per_pixel from the client sanitization (CVE-2014-7815) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | cardoe, qemu+disabled |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1157641 | ||
| Whiteboard: | B3 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
Commit message: Add fix from upstream for vnc arg sanitizing http://sources.gentoo.org/app-emulation/qemu/files/qemu-2.1.2-vnc-sanitize-bits.patch?rev=1.1 http://sources.gentoo.org/app-emulation/qemu/qemu-2.1.2-r1.ebuild?rev=1.1 ppc and ppc64 does not have a stable keyword. amd64 stable x86 stable. Maintainer(s), please cleanup. Security, please vote. cleanup done. Added to existing GLSA request CVE-2014-7815 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7815): The set_pixel_format function in ui/vnc.c in QEMU allows remote attackers to cause a denial of service (crash) via a small bytes_per_pixel value. This issue was resolved and addressed in GLSA 201412-01 at http://security.gentoo.org/glsa/glsa-201412-01.xml by GLSA coordinator Kristian Fiskerstrand (K_F). |
From ${URL} : bits_per_pixel that are less than 8 could result in accessing non-initialized buffers later in the code due to the expectation that bytes_per_pixel value that is used to initialize these buffers is never zero. An attacker having access to the guest's VNC console could use this flaw to crash the guest. Upstream patch submission: http://lists.gnu.org/archive/html/qemu-devel/2014-10/msg03210.html @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.