Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 571566 (CVE-2016-1568)

Summary: <app-emulation/qemu-2.5.0-r1: ide: ahci use-after-free vulnerability in aio port commands (CVE-2016-1568)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: qemu+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2016/01/09/1
Whiteboard: B2 [glsa cleanup cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2016-01-11 17:04:02 UTC
From ${URL} :

Qemu emulator built with the IDE AHCI Emulation support is vulnerable to a use 
after free(kind of) issue. It could occur after processing AHCI Native Command 
Queuing(NCQ) AIO commands.

A privileged user inside guest could use this flaw to crash the Qemu process 
instance or might potentially execute arbitrary code with privileges of the 
Qemu process on the host.

Upstream fix:
- -------------
   -> https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg01184.html

Reference:
- ----------
   -> https://bugzilla.redhat.com/show_bug.cgi?id=1288532



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 SpanKY gentoo-dev 2016-01-18 05:00:28 UTC
fix is in qemu-2.5.0-r1 in the tree now

http://gitweb.gentoo.org/repo/gentoo.git/commit/?id=96bdea53ec5c2e6d80e30b288043e34bfc766e25
Comment 2 Agostino Sarubbo gentoo-dev 2016-01-18 09:25:29 UTC
@vapier: is fine to stabilize 2.5.0-r1?
Comment 3 Doug Goldstein (RETIRED) gentoo-dev 2016-01-26 14:16:38 UTC
(In reply to Agostino Sarubbo from comment #2)
> @vapier: is fine to stabilize 2.5.0-r1?

Should be. Get the arches going.
Comment 4 Agostino Sarubbo gentoo-dev 2016-01-26 14:59:20 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-01-26 15:00:19 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 6 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-01-26 18:57:48 UTC
Added to existing GLSA draft
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2016-01-26 19:01:00 UTC
CVE-2016-1568 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1568):
  A user-after-free vulnerability was discovered in the QEMU emulator built
  with IDE AHCI emulation support. The flaw could occur after processing AHCI
  Native Command Queuing(NCQ) AIO commands. A privileged user inside the guest
  could use this flaw to crash the QEMU process instance (denial of service)
  or potentially execute arbitrary code on the host with QEMU-process
  privileges.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2016-02-04 09:35:46 UTC
This issue was resolved and addressed in
 GLSA 201602-01 at https://security.gentoo.org/glsa/201602-01
by GLSA coordinator Kristian Fiskerstrand (K_F).