
Bug 529030 (CVE-2014-7840)

Summary: <app-emulation/qemu-2.1.2-r2: insufficient parameter validation during ram load (CVE-2014-7840)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: cardoe, qemu+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1163075
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-11-12 13:11:51 UTC
From ${URL} :

During migration, the values read from the migration stream during ram
load are not validated: in particular the offset in host_from_stream_offset(),
and also the length of the writes in the callers of that function.

A user able to alter the savevm data (either on the disk or over the
wire during migration) could use either of these flaws to corrupt QEMU
process memory on the (destination) host, which could potentially
result in arbitrary code execution on the host with the privileges of
the QEMU process.

Upstream patch submission --

http://thread.gmane.org/gmane.comp.emulators.qemu/306117


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
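The check the description says was missing, as an added example that is not QEMU's arch_init.c or the upstream patch: a toy RAM-block loader that parses an offset and a length from a constructed migration record and refuses any pair that would place the memcpy outside the destination block, including offsets chosen so that offset + len wraps around. The record layout (8-byte big-endian offset, 4-byte big-endian length, payload), the RAMBlock struct and every function name here are invented for the demonstration; a real migration stream carries more fields than this.

```c
/* Added example: validating RAM-load parameters read from an untrusted
 * migration stream. Illustrative model only, not QEMU code. The record
 * layout and all names below are invented for the demo. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    uint8_t  *host;    /* destination-host memory backing this guest RAM block */
    uint64_t  length;  /* size of that backing in bytes */
} RAMBlock;

/* Status codes returned by ram_load_record(). */
enum { RAM_OK = 0, RAM_ERR_TRUNCATED = -1, RAM_ERR_RANGE = -2 };

static uint64_t get_be64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}

static uint32_t get_be32(const uint8_t *p)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v = (v << 8) | p[i];
    return v;
}

/* The bound check the vulnerable path lacked: is [offset, offset+len)
 * inside a block of block_len bytes?  Written as offset <= block_len - len
 * rather than offset + len <= block_len so that a crafted offset cannot
 * wrap the addition around and slip past the test. */
int ram_range_ok(uint64_t block_len, uint64_t offset, uint64_t len)
{
    if (len > block_len) return 0;
    return offset <= block_len - len;
}

/* Parse one record from stream[0..stream_len) and copy its payload into
 * block->host at the stream-supplied offset. *consumed receives the number
 * of stream bytes used on success (may be NULL). */
int ram_load_record(RAMBlock *block, const uint8_t *stream, size_t stream_len,
                    size_t *consumed)
{
    if (stream_len < 12) return RAM_ERR_TRUNCATED;
    uint64_t offset = get_be64(stream);
    uint32_t len    = get_be32(stream + 8);

    /* Both values are attacker-controlled: validate them before deriving a
     * host pointer from them. Skipping this is the class of bug at issue. */
    if (!ram_range_ok(block->length, offset, len)) return RAM_ERR_RANGE;

    /* Also bound the payload by what the stream actually holds. */
    if (stream_len - 12 < len) return RAM_ERR_TRUNCATED;

    memcpy(block->host + offset, stream + 12, len);
    if (consumed) *consumed = 12 + (size_t)len;
    return RAM_OK;
}

/* Builds a constructed record into out (needs 12 + len bytes); returns its size. */
size_t make_record(uint8_t *out, uint64_t offset, uint32_t len, uint8_t fill)
{
    uint64_t o = offset;
    uint32_t l = len;
    for (int i = 7; i >= 0; i--) { out[i] = (uint8_t)(o & 0xff); o >>= 8; }
    for (int i = 3; i >= 0; i--) { out[8 + i] = (uint8_t)(l & 0xff); l >>= 8; }
    memset(out + 12, fill, len);
    return 12 + len;
}

/* Runs one constructed record (payload <= 64 bytes) against a fresh 4 KiB
 * block and returns ram_load_record()'s status. If landed is non-NULL it
 * is set to 1 when the payload really arrived at the requested offset. */
int load_scenario(uint64_t offset, uint32_t len, int *landed)
{
    uint8_t guest_ram[4096];
    uint8_t rec[12 + 64];
    memset(guest_ram, 0, sizeof guest_ram);
    RAMBlock block = { guest_ram, sizeof guest_ram };
    if (len > 64) return RAM_ERR_TRUNCATED;      /* keep the demo buffer small */
    size_t n = make_record(rec, offset, len, 0xAA);
    int rc = ram_load_record(&block, rec, n, NULL);
    if (landed)
        *landed = (rc == RAM_OK && len > 0 &&
                   guest_ram[offset] == 0xAA && guest_ram[offset + len - 1] == 0xAA);
    return rc;
}

int payload_landed(uint64_t offset, uint32_t len)
{
    int landed = 0;
    load_scenario(offset, len, &landed);
    return landed;
}

int main(void)
{
    /* Benign: last 16 bytes of the block. */
    printf("benign -> %d\n", load_scenario(4080, 16, NULL));
    /* Crafted: offset one past the end; unchecked this would be a write
     * outside the block's heap allocation. */
    printf("oob    -> %d\n", load_scenario(4096, 16, NULL));
    /* Crafted: offset near UINT64_MAX so that offset + len wraps to a small value. */
    printf("wrap   -> %d\n", load_scenario(UINT64_MAX - 8, 16, NULL));
    return 0;
}
```

The wrap case is why the check subtracts instead of adds: with `offset + len <= block_len`, an offset of UINT64_MAX - 8 and a length of 16 sums to 7 and would be accepted.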
Comment 1 Matthias Maier gentoo-dev 2014-12-14 22:49:34 UTC
*qemu-2.1.2-r2 (14 Dec 2014)

  14 Dec 2014; Matthias Maier <tamiko@gentoo.org> +qemu-2.1.2-r2.ebuild:
  backport fixes for bugs #530498, #531666 (CVE-2014-8106), #529030
  (CVE-2014-7840), #528922 (528922)

*qemu-2.2.0 (14 Dec 2014)

  14 Dec 2014; Matthias Maier <tamiko@gentoo.org> +qemu-2.2.0.ebuild,
  metadata.xml:
  version bump; cleanup whitespace in metadata.xml

Vulnerable version left in tree: 2.1.2-r1
Unaffected: 2.1.2-r2, 2.2.0


Stabilization for 2.1.2-r2 on bug #531666
Comment 2 Matthias Maier gentoo-dev 2014-12-21 15:43:57 UTC
Security, please vote.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-12-22 03:16:37 UTC
As Part of Bug: 53166
Kristian Fiskerstrand  gentoo-dev  Security 2014-12-21 10:53:53 EST
GLSA Vote: Yes along with bug 528922 and bug 529030

Maintainer(s), Thank you for cleanup!

GLSA Vote: Yes
Added to an existing GLSA request.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-12-22 03:17:19 UTC
CVE-2014-7840 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7840):
  The host_from_stream_offset function in arch_init.c in QEMU, when loading
  RAM during migration, allows remote attackers to execute arbitrary code via
  a crafted (1) offset or (2) length value in savevm data.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-12-24 21:25:39 UTC
This issue was resolved and addressed in
 GLSA 201412-37 at http://security.gentoo.org/glsa/glsa-201412-37.xml
by GLSA coordinator Yury German (BlueKnight).