Bug 188148 - app-emulation/bochs DoS and heap overflow (CVE 2007-28{93,94})
Summary: app-emulation/bochs DoS and heap overflow (CVE 2007-28{93,94})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-08-08 19:10 UTC by Matt Fleming (RETIRED)
Modified: 2007-11-18 00:21 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
fix for CVE-2007-2893 from CVS (bochs-2.3-CVE-2007-2893.patch,557 bytes, patch)
2007-09-03 22:29 UTC, Carlo Marcelo Arenas Belon
fix for CVE-2007-2894 from CVS (bochs-2.3-CVE-2007-2894.patch,1.32 KB, patch)
2007-09-03 22:30 UTC, Carlo Marcelo Arenas Belon

Description Matt Fleming (RETIRED) gentoo-dev 2007-08-08 19:10:26 UTC
Tavis Ormandy discovered two issues that affect bochs <= 2.3

The first issue is caused by a heap overflow error in the emulated NE2000 device that allows a large value in the TXCNT register to exceed the available memory, which could be exploited by an attacker with "root" privileges on a vulnerable guest system to execute arbitrary code on the host system.

The second vulnerability is caused by a divide-by-zero in the emulated floppy disk controller, which could be exploited by malicious users to terminate the bochs process, creating a denial of service condition.

http://www.frsirt.com/english/advisories/2007/1936
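Both issues in the description above come down to guest-controlled device state being used without validation. The following C sketch is an added example, not bochs code and not either of the attached patches; the device layout, sizes and all function and field names are hypothetical. It shows the two checks a device model needs: bounding a transmit count against the emulated card memory, and rejecting a zero divisor in floppy geometry.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical emulated NIC; sizes and field names are assumptions, not bochs' own. */
#define NIC_MEM_SIZE 0x8000u  /* constructed: 32 KiB of on-card packet memory */
#define NIC_PAGE     256u     /* constructed: start register counts 256-byte pages */

struct nic {
    uint8_t  mem[NIC_MEM_SIZE];
    uint8_t  tx_page_start;   /* guest-writable */
    uint16_t tx_count;        /* guest-writable transmit byte count (TXCNT) */
};

/* Copy the pending frame into a host-side buffer. Returns the number of bytes
 * copied, or -1 if the guest-supplied start/count pair would run past the card
 * memory or the host buffer. */
long nic_transmit(const struct nic *n, uint8_t *out, size_t out_len)
{
    size_t start = (size_t)n->tx_page_start * NIC_PAGE;
    size_t count = n->tx_count;

    /* Compare against the remaining space so the check itself cannot wrap. */
    if (start >= NIC_MEM_SIZE || count > NIC_MEM_SIZE - start)
        return -1;
    if (count > out_len)
        return -1;
    memcpy(out, n->mem + start, count);
    return (long)count;
}

/* Hypothetical floppy helper: map a linear sector number to cylinder/head/sector.
 * Returns 0 on success, -1 when the guest-set geometry would divide by zero.
 * heads and spt are 8-bit, so their product cannot wrap around to zero. */
int fdc_lba_to_chs(uint32_t lba, uint8_t heads, uint8_t spt,
                   uint32_t *c, uint32_t *h, uint32_t *s)
{
    if (heads == 0 || spt == 0)
        return -1;            /* refuse the request instead of crashing the emulator */
    *c = lba / ((uint32_t)heads * spt);
    *h = (lba / spt) % heads;
    *s = lba % spt + 1;
    return 0;
}
```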
Comment 1 Matt Fleming (RETIRED) gentoo-dev 2007-08-08 19:16:38 UTC
CC'ing maintainer and setting whiteboard status.
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2007-08-14 10:45:47 UTC
Debian seems to have fixed this with DSA 1351-1.
Comment 3 Carlo Marcelo Arenas Belon 2007-09-03 21:30:26 UTC
Fedora also published a fix which links to the following already closed (in CVS) upstream bug report:

http://sourceforge.net/tracker/?func=detail&atid=112580&aid=1729822&group_id=12580

Fedora's CVS contains patches for both bugs that apply to 2.3 in:

http://cvs.fedoraproject.org/viewcvs/devel/bochs/
Comment 4 Carlo Marcelo Arenas Belon 2007-09-03 22:29:14 UTC
Created attachment 129950
fix for CVE-2007-2893 from CVS

Reconstructed from CVS with information from the Fedora package.

Tested in bochs-2.3 for amd64.
Comment 5 Carlo Marcelo Arenas Belon 2007-09-03 22:30:22 UTC
Created attachment 129952
fix for CVE-2007-2894 from CVS

Reconstructed from CVS with information from the Fedora package.

Tested in bochs-2.3 for amd64.
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2007-09-08 15:32:57 UTC
lu_zero please advise.
Comment 7 Luca Barbato gentoo-dev 2007-09-09 00:10:24 UTC
bochs-2.3 doesn't build for me and I'm tempted to remove it since qemu covers the needs in a simpler and faster way. I'll try to come up either with a snapshot that builds or using the patches on the previous version.
Comment 8 Luca Barbato gentoo-dev 2007-09-09 11:47:33 UTC
Spent more time on bochs-2.3 and eventually sorted out what seems to be my local issue.

Ebuild committed as ~arch
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-09 11:52:12 UTC
Arches please stabilise app-emulation/bochs-2.3
Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-09 16:10:53 UTC
lu_zero did ppc, and x86 has been stabled by me.
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2007-09-10 09:57:22 UTC
alpha stable
Comment 12 Christoph Mende (RETIRED) gentoo-dev 2007-09-16 15:08:00 UTC
amd64 stable
Comment 13 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-16 16:51:54 UTC
Please file GLSA request
Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-29 14:10:35 UTC
(In reply to comment #13)
> Please file GLSA request
> 
done.
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-18 00:21:26 UTC
GLSA 200711-21