Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 584094 (CVE-2016-5337)

Summary: <app-emulation/qemu-2.7.0: megasas: stack information leakage while reading configuration (CVE-2016-5337)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: qemu+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1339583
Whiteboard: B4 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 592430    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2016-05-25 13:01:30 UTC
From ${URL} :

Quick Emulator(Qemu) built with the MegaRAID SAS 8708EM2 Host Bus Adapter
emulation support is vulnerable to an information leakage issue. It
could occur while processing MegaRAID Firmware Interface(MFI) command to read
device configuration in 'megasas_dcmd_cfg_read'.

A privileged user inside guest could use this flaw to leak host memory bytes.

Upstream patch
--------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg04419.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-06-30 23:52:04 UTC
CVE-2016-5337 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5337):
  The megasas_ctrl_get_info function in hw/scsi/megasas.c in QEMU allows local
  guest OS administrators to obtain sensitive host memory information via
  vectors related to reading device control information.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-06-30 23:53:22 UTC
(In reply to GLSAMaker/CVETool Bot from comment #1)
> CVE-2016-5337 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5337):
>   The megasas_ctrl_get_info function in hw/scsi/megasas.c in QEMU allows
> local
>   guest OS administrators to obtain sensitive host memory information via
>   vectors related to reading device control information.

Upstream patch:

http://git.qemu.org/?p=qemu.git;a=commit;h=844864fbae66935951529408831c2f22367a57b6
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-07-01 00:15:33 UTC
*** Bug 585368 has been marked as a duplicate of this bug. ***
Comment 4 Matthias Maier gentoo-dev 2016-09-05 05:39:36 UTC
Fixed in at least version 2.7.0. Stabilization of 2.7.0 in #592430

commit 671df1de7a8611d59307ffcd448af451c15003ed
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Sun Sep 4 23:25:32 2016 -0500

    app-emulation/qemu: version bump to 2.7.0, various security fixes
    
    3af9187fc6caaf415ab9c0c6d92c9678f65cb17f -> CVE-2016-4001, bug #579734
    3a15cc0e1ee7168db0782133d2607a6bfa422d66 -> CVE-2016-4002, bug #579734
    c98c6c105f66f05aa0b7c1d2a4a3f716450907ef -> CVE-2016-4439, bug #583496
    6c1fef6b59563cc415f21e03f81539ed4b33ad90 -> CVE-2016-4441, bug #583496
    06630554ccbdd25780aa03c3548aaff1eb56dffd ->              , bug #583952
    844864fbae66935951529408831c2f22367a57b6 -> CVE-2016-5337, bug #584094
    b60bdd1f1ee1616b7a9aeeffb4088e1ce2710fb2 ->              , bug #584102
    1b85898025c4cd95dce673d15e67e60e98e91731 ->              , bug #584146
    521360267876d3b6518b328051a2e56bca55bef8 -> CVE-2016-4453, bug #584514
    4e68a0ee17dad7b8d870df0081d4ab2e079016c2 -> CVE-2016-4454, bug #584514
    a6b3167fa0e825aebb5a7cd8b437b6d41584a196 -> CVE-2016-5126, bug #584630
    ff589551c8e8e9e95e211b9d8daafb4ed39f1aec -> CVE-2016-5338, bug #584918
    d3cdc49138c30be1d3c2f83d18f85d9fdee95f1a -> CVE-2016-5238, bug #584918
    1e7aed70144b4673fc26e73062064b6724795e5f ->              , bug #589924
    afd9096eb1882f23929f5b5c177898ed231bac66 -> CVE-2016-5403, bug #589928
    eb700029c7836798046191d62d595363d92c84d4 -> CVE-2016-6835, bug #591244
    ead315e43ea0c2ca3491209c6c8db8ce3f2bbe05 -> CVE-2016-6834, bug #591374
    6c352ca9b4ee3e1e286ea9e8434bd8e69ac7d0d8 -> CVE-2016-6833, bug #591380
    47882fa4975bf0b58dd74474329fdd7154e8f04c -> CVE-2016-6888, bug #591678
    
    805b5d98c649d26fc44d2d7755a97f18e62b438a
    56f101ecce0eafd09e2daf1c4eeb1377d6959261
    fff39a7ad09da07ef490de05c92c91f22f8002f2 ->              , bug #592430
    
    Package-Manager: portage-2.2.28
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2016-09-25 22:50:50 UTC
Arches and Maintainer(s), Thank you for your work.
Added to an existing GLSA Request.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2016-09-26 00:37:03 UTC
This issue was resolved and addressed in
 GLSA 201609-01 at https://security.gentoo.org/glsa/201609-01
by GLSA coordinator Yury German (BlueKnight).