Bug 549402

Summary: app-emulation/qemu security vulnerability CVE-2015-3456 ("Venom")
Product: Gentoo Linux Reporter: Daniel Kenzelmann <gentoo>
Component: Current packages
Assignee: Gentoo Linux bug wranglers <bug-wranglers>
Status: RESOLVED DUPLICATE
Severity: critical
CC: toto
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: Patch from qemu git

Description Daniel Kenzelmann 2015-05-13 18:49:16 UTC
During processing of certain commands such as FD_CMD_READ_ID and
FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
get out of bounds leading to memory corruption with values coming
from the guest.

Fix this by making sure that the index is always bounded by the
allocated memory.

This is CVE-2015-3456.

Reproducible: Always
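The description above says the FDC fifo index could run past the allocated buffer and that the fix bounds the index by the buffer size. The following C model, added here as an illustration and not code from the bug, from QEMU or from the attached patch, shows that bound in isolation: a 512-byte fifo (FD_SECTOR_LEN, the size used in QEMU's hw/block/fdc.c), a data_pos counter that advances on every guest-supplied byte, and an index reduction modulo the buffer size in the style of the referenced commit. The FdcModel struct, fdc_write_data_byte, fdc_feed and demo_overlong_transfer are assumptions of this model, not QEMU's own types or functions; the 600-byte input is constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the FDC data fifo, as in QEMU's hw/block/fdc.c. */
#define FD_SECTOR_LEN 512

/* Assumed stand-in for the FDCtrl fields involved; not QEMU's struct. */
typedef struct {
    uint8_t  fifo[FD_SECTOR_LEN];
    uint32_t data_pos;   /* index of the next fifo byte, advanced per guest byte */
} FdcModel;

/* The mitigation: reduce the index modulo the buffer size so the access can
   never leave fifo[], no matter how far data_pos has been advanced. */
static uint32_t bounded_pos(uint32_t data_pos)
{
    return data_pos % FD_SECTOR_LEN;
}

/* Store one guest-supplied data byte at a bounded index.
   Returns true when the unbounded index would have fallen outside fifo[],
   which is the condition the pre-fix code did not guard against. */
static bool fdc_write_data_byte(FdcModel *f, uint8_t value)
{
    bool out_of_range = f->data_pos >= FD_SECTOR_LEN;
    f->fifo[bounded_pos(f->data_pos)] = value;
    f->data_pos++;
    return out_of_range;
}

/* Feed a run of bytes and count how many stores the bound had to redirect.
   A non-zero count is the signal a maintainer would log or trace on. */
static uint32_t fdc_feed(FdcModel *f, const uint8_t *data, size_t n)
{
    uint32_t redirected = 0;
    for (size_t i = 0; i < n; i++) {
        if (fdc_write_data_byte(f, data[i]))
            redirected++;
    }
    return redirected;
}

/* Constructed scenario: a data phase that runs 88 bytes past the 512-byte
   fifo. Returns the number of stores that would have been out of bounds. */
static uint32_t demo_overlong_transfer(void)
{
    FdcModel f;
    uint8_t input[600];
    memset(&f, 0, sizeof f);
    for (size_t i = 0; i < sizeof input; i++)
        input[i] = (uint8_t)i;   /* arbitrary constructed payload bytes */
    return fdc_feed(&f, input, sizeof input);
}

int main(void)
{
    printf("stores kept inside the fifo by the bound: %u\n",
           demo_overlong_transfer());
    return 0;
}
```

Without the modulo in bounded_pos, the last 88 stores in demo_overlong_transfer would land beyond fifo[] and overwrite whatever the surrounding allocation holds; with it, every store stays inside the 512-byte buffer, which is exactly the property the QEMU fix restores.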
Comment 1 Daniel Kenzelmann 2015-05-13 18:50:52 UTC
Patch is in URL value above, putting it here again for visibility.

http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c
Comment 2 Daniel Kenzelmann 2015-05-13 18:57:33 UTC
Created attachment 403210 [details, diff]
Patch from qemu git
Comment 3 Daniel Kenzelmann 2015-05-13 19:00:40 UTC
--- qemu-2.3.0.ebuild	2015-04-28 11:20:05.000000000 +0200
+++ qemu-2.3.0.ebuild	2015-05-13 21:00:02.318525020 +0200
@@ -257,6 +257,7 @@
 	use nls || rm -f po/*.po
 
 	epatch "${FILESDIR}"/qemu-1.7.0-cflags.patch
+	epatch "${FILESDIR}"/qemu-2.3.0-CVE-2015-3456.patch # CVE-2015-3456
 	[[ -n ${BACKPORTS} ]] && \
 		EPATCH_FORCE=yes EPATCH_SUFFIX="patch" EPATCH_SOURCE="${S}/patches" \
 			epatch
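Review bot: the file named in the new epatch line, "${FILESDIR}"/qemu-2.3.0-CVE-2015-3456.patch, is not part of this diff, so attachment 403210 ("Patch from qemu git") has to be added to the ebuild's files/ directory under exactly that name or epatch will fail to find it. The `---`/`+++` headers also show qemu-2.3.0.ebuild being modified in place rather than copied to a revision-bumped qemu-2.3.0-r1.ebuild, which means systems that already have 2.3.0 merged would not be rebuilt with the fix; a revbump is the usual way to push a security patch out. Minor: the trailing `# CVE-2015-3456` comment repeats what the patch filename already says and can be dropped.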
Comment 4 Daniel Kenzelmann 2015-05-13 19:03:11 UTC
Duplicate of 549404 :-) closing...

*** This bug has been marked as a duplicate of bug 549404 ***