Summary: app-emulation/qemu-2.2.1-r2: vnc network decoding lacks checks (CVE-2015-1779)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Whiteboard: B3 [glsa cve]
Package list:
Runtime testing required: ---
Description Agostino Sarubbo 2015-03-24 13:18:54 UTC
From http://www.openwall.com/lists/oss-security/2015/03/24/9:

It was found that QEMU's websocket frame decoder processed incoming frames without limiting the resources used to process the header and payload. An attacker able to access a guest's VNC console could use this flaw to trigger a denial of service on the host by exhausting all available memory and CPU.

Acknowledgements: This issue was discovered by Daniel P. Berrange of Red Hat.

Upstream patch submission: https://lists.gnu.org/archive/html/qemu-devel/2015-03/msg04894.html

From http://www.openwall.com/lists/oss-security/2015/03/24/4:

Due to inconsistent error checking, the Qemu emulator allows malicious PRDT data to flow from a guest to the host's IDE or AHCI controllers. This could result in an infinite loop or memory leakage on the host, leading to unbounded resource consumption. A privileged user inside the guest could use this flaw to crash the system, resulting in DoS.

Upstream fix:
-> http://git.qemu.org/?p=qemu.git;a=commitdiff;h=3251bdcf1c67427d964517053c3d185b46e618e8

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
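The websocket advisory quoted above describes a decoder that commits memory and CPU based on whatever length a client declares. As an added illustration of the defensive check such a decoder needs (example code written for this page, not QEMU's decoder and not the upstream patch), the following C parser reads one RFC 6455 frame header and rejects the frame before a single payload byte is buffered if the declared length exceeds a fixed ceiling. WS_MAX_PAYLOAD, the status codes and the sample frames are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical per-frame payload ceiling; a real server derives it from its memory budget. */
#define WS_MAX_PAYLOAD (64u * 1024u)

enum ws_status {
    WS_OK = 0,
    WS_NEED_MORE = 1,      /* not enough bytes yet to finish the header */
    WS_ERR_TOO_LARGE = -1, /* declared payload exceeds WS_MAX_PAYLOAD: close the connection */
    WS_ERR_PROTOCOL = -2   /* malformed header: close the connection */
};

struct ws_frame_hdr {
    int fin;
    int opcode;
    int masked;
    uint64_t payload_len;
    uint8_t mask_key[4];
    size_t header_len;     /* bytes consumed by the header; payload follows */
};

/* Constructed sample frames (not captured traffic). */
static const uint8_t FRAME_TEXT[]   = { 0x81, 0x05, 'h', 'e', 'l', 'l', 'o' };           /* FIN, text, 5 bytes */
static const uint8_t FRAME_MASKED[] = { 0x82, 0xfe, 0x01, 0x00, 0x11, 0x22, 0x33, 0x44 }; /* masked, 16-bit len 256 */
static const uint8_t FRAME_MAX[]    = { 0x82, 0x7f, 0, 0, 0, 0, 0, 1, 0, 0 };             /* 64-bit len 65536 */
static const uint8_t FRAME_HUGE[]   = { 0x82, 0x7f, 0, 0, 0, 1, 0, 0, 0, 0 };             /* 64-bit len 4 GiB */
static const uint8_t FRAME_TRUNC[]  = { 0x81, 0xfe, 0x01 };                               /* header cut short */
static const uint8_t FRAME_RSV[]    = { 0xf1, 0x00 };                                     /* reserved bits set */
static const uint8_t FRAME_CTRL[]   = { 0x88, 0x7e, 0x00, 0x7e };                         /* close frame, 126 bytes */

/*
 * Decode one RFC 6455 frame header from buf[0..len). Nothing is allocated and
 * no payload byte is read until the declared length has passed the size check,
 * so a client cannot make the server commit resources on the strength of an
 * arbitrary 64-bit length field.
 */
enum ws_status ws_parse_header(const uint8_t *buf, size_t len, struct ws_frame_hdr *out)
{
    if (len < 2)
        return WS_NEED_MORE;

    uint8_t b0 = buf[0], b1 = buf[1];
    if (b0 & 0x70)                        /* RSV1..3 must be zero without a negotiated extension */
        return WS_ERR_PROTOCOL;

    struct ws_frame_hdr h;
    memset(&h, 0, sizeof h);
    h.fin = (b0 & 0x80) != 0;
    h.opcode = b0 & 0x0f;
    h.masked = (b1 & 0x80) != 0;
    h.payload_len = b1 & 0x7f;
    h.header_len = 2;

    if (h.payload_len == 126) {           /* 16-bit extended length */
        if (len < 4)
            return WS_NEED_MORE;
        h.payload_len = ((uint64_t)buf[2] << 8) | buf[3];
        if (h.payload_len < 126)          /* RFC 6455 requires the minimal encoding */
            return WS_ERR_PROTOCOL;
        h.header_len = 4;
    } else if (h.payload_len == 127) {    /* 64-bit extended length */
        if (len < 10)
            return WS_NEED_MORE;
        h.payload_len = 0;
        for (int i = 2; i < 10; i++)
            h.payload_len = (h.payload_len << 8) | buf[i];
        if (h.payload_len < 65536 || (h.payload_len >> 63))
            return WS_ERR_PROTOCOL;       /* non-minimal encoding, or forbidden MSB set */
        h.header_len = 10;
    }

    /* The resource bound: reject before any buffer for the payload exists. */
    if (h.payload_len > WS_MAX_PAYLOAD)
        return WS_ERR_TOO_LARGE;

    /* Control frames (opcode >= 8) must be unfragmented and at most 125 bytes. */
    if (h.opcode >= 0x8 && (!h.fin || h.payload_len > 125))
        return WS_ERR_PROTOCOL;

    if (h.masked) {
        if (len < h.header_len + 4)
            return WS_NEED_MORE;
        memcpy(h.mask_key, buf + h.header_len, 4);
        h.header_len += 4;
    }

    *out = h;
    return WS_OK;
}

/* Returns the declared payload length when the header is complete and acceptable, else 0. */
uint64_t ws_accepted_len(const uint8_t *buf, size_t len)
{
    struct ws_frame_hdr h;
    return ws_parse_header(buf, len, &h) == WS_OK ? h.payload_len : 0;
}

/* Unmask a client payload in place (client-to-server frames are always masked). */
void ws_unmask(uint8_t *payload, size_t n, const uint8_t key[4])
{
    for (size_t i = 0; i < n; i++)
        payload[i] ^= key[i % 4];
}

int main(void)
{
    struct ws_frame_hdr h;
    printf("text:  %d len=%llu\n", ws_parse_header(FRAME_TEXT, sizeof FRAME_TEXT, &h), (unsigned long long)h.payload_len);
    printf("huge:  %d (rejected before buffering)\n", ws_parse_header(FRAME_HUGE, sizeof FRAME_HUGE, &h));
    printf("trunc: %d (wait for more bytes)\n", ws_parse_header(FRAME_TRUNC, sizeof FRAME_TRUNC, &h));
    return 0;
}
```

The design point is the ordering: the length field is fully decoded and compared against the ceiling before the masking key is read and before the caller is told how much payload to collect, so an oversized or malformed header costs the server a few bytes of header parsing and nothing more.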
Comment 1 SpanKY 2015-03-28 03:50:40 UTC
the IDE change has been merged, but not the VNC one. probably going to just wait for that to be sorted out first.
Comment 2 Agostino Sarubbo 2015-03-29 12:49:44 UTC
(In reply to SpanKY from comment #1)
> the IDE change has been merged, but not the VNC one. probably going to just
> wait for that to be sorted out first.

that's fine.
Comment 3 Agostino Sarubbo 2015-04-09 14:49:25 UTC
from http://www.openwall.com/lists/oss-security/2015/04/09/6:

Upstream patches:
http://git.qemu.org/?p=qemu.git;a=commit;h=a2bebfd6e09d
http://git.qemu.org/?p=qemu.git;a=commit;h=2cdb5e142fb93

Please note that the first patch committed to QEMU project git is slightly different from the initial submission, as it includes a fix for a regression caused by the original patch.
Comment 4 SpanKY 2015-04-12 00:13:15 UTC
the ide prdt fix is already in qemu-2.2.0, and that's already in stable. this bug is now just for the vnc issue.
Comment 5 SpanKY 2015-04-12 00:29:27 UTC
Commit message: Add fixes from upstream for CVE-2015-1779
http://sources.gentoo.org/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-1.patch?rev=1.1
http://sources.gentoo.org/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-2.patch?rev=1.1
http://sources.gentoo.org/app-emulation/qemu/qemu-2.2.1-r1.ebuild?rev=1.1
Comment 6 Agostino Sarubbo 2015-05-14 07:10:24 UTC
+ 14 May 2015; Agostino Sarubbo <firstname.lastname@example.org>
+ -files/qemu-2.1.1-readlink-self.patch,
+ -files/qemu-2.1.2-vnc-sanitize-bits.patch, -qemu-2.1.2-r2.ebuild,
+ -qemu-2.1.3-r1.ebuild, -qemu-2.1.3.ebuild, -qemu-2.2.0.ebuild,
+ -qemu-2.2.1-r1.ebuild, -qemu-2.2.1.ebuild, -qemu-2.3.0.ebuild,
+ qemu-2.2.1-r2.ebuild:
+ Stable for amd64/x86 - remove old.

Security please vote.
Comment 7 Kristian Fiskerstrand (RETIRED) 2015-10-31 16:26:51 UTC
GLSA Vote: Yes
Comment 8 Stefan Behte (RETIRED) 2015-11-09 22:02:24 UTC
Comment 9 Yury German 2015-12-31 03:49:02 UTC
Arches and Maintainer(s), Thank you for your work. Added to an existing GLSA Request.