Bug 519506 (CVE-2014-5263) - <app-emulation/qemu-2.1.0-r1: missing field list terminator in vmstate_xhci_event (CVE-2014-5263)
Summary: <app-emulation/qemu-2.1.0-r1: missing field list terminator in vmstate_xhci_e...
Status: RESOLVED FIXED
Alias: CVE-2014-5263
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-08-09 12:36 UTC by Agostino Sarubbo
Modified: 2014-12-08 22:48 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Agostino Sarubbo gentoo-dev 2014-08-09 12:36:37 UTC
From ${URL} :

It was found that vmstate_xhci_event field list was missing
VMSTATE_END_OF_LIST() terminator and traversing through this list
would result in out-of-bounds access during vm state saving and
loading.

Depending on how vmstate_xhci_event is placed in the qemu binary,
this issue can range from non-issue, infinite loop to (potentially)
privilege escalation in case we end up with fields that have info
and/or field_exist members initialized in a way that is useful for
exploitation (most probably unlikely).

In the worst case, attacker able to alter the migration data could
use this flaw to corrupt QEMU process memory.

Upstream commit:
http://git.qemu.org/?p=qemu.git;a=commit;h=3afca1d6d413592c2b78cf28f52fa24a586d8f56


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
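The description above boils down to a sentinel-terminated array that lost its sentinel: a walker that stops only when it meets VMSTATE_END_OF_LIST() keeps reading whatever the linker placed after the array. The C program below is an added illustration, not code from QEMU or from the bug reporters; the names field_t, END_OF_LIST, event_t, save_fields and ARRAY_SIZE are hypothetical stand-ins, and the event values are constructed. It defines one terminated and one unterminated list, then shows the defensive pattern a maintainer can apply: take the array bound from ARRAY_SIZE() at the definition site, refuse to save through a list with no terminator inside that bound, and bound the walk by both the count and the sentinel so a missing terminator becomes a detected error rather than an out-of-bounds read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical field descriptor: a NULL name is the end-of-list sentinel,
 * the role VMSTATE_END_OF_LIST() plays in QEMU's VMStateField arrays. */
typedef struct {
    const char *name;
    size_t offset;   /* offset of the field inside the state object */
    size_t size;     /* number of bytes to copy */
} field_t;

#define END_OF_LIST { NULL, 0, 0 }
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed state object standing in for an event structure. */
typedef struct {
    uint32_t type;
    uint32_t flags;
    uint64_t ptr;
} event_t;

/* Properly terminated list. */
static const field_t event_fields_ok[] = {
    { "type",  offsetof(event_t, type),  sizeof(uint32_t) },
    { "flags", offsetof(event_t, flags), sizeof(uint32_t) },
    { "ptr",   offsetof(event_t, ptr),   sizeof(uint64_t) },
    END_OF_LIST
};

/* Same list with the sentinel forgotten, the defect the bug describes: a
 * walker that stops only at a NULL name reads whatever follows this array. */
static const field_t event_fields_bad[] = {
    { "type",  offsetof(event_t, type),  sizeof(uint32_t) },
    { "flags", offsetof(event_t, flags), sizeof(uint32_t) },
    { "ptr",   offsetof(event_t, ptr),   sizeof(uint64_t) },
};

/* Returns 1 when a sentinel appears within the first n entries, 0 otherwise.
 * n must come from ARRAY_SIZE() at the definition site; inside a walker the
 * array bound is not recoverable from the pointer alone. */
int field_list_is_terminated(const field_t *fields, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (fields[i].name == NULL)
            return 1;
    }
    return 0;
}

/* Copy each described field of obj into out. The loop is bounded by nfields
 * as well as by the sentinel, so a missing terminator can no longer run off
 * the end. Returns bytes written, or -1 on an unterminated list or a full
 * output buffer. */
long save_fields(const field_t *fields, size_t nfields,
                 const void *obj, unsigned char *out, size_t out_len)
{
    if (!field_list_is_terminated(fields, nfields))
        return -1;
    size_t pos = 0;
    for (size_t i = 0; i < nfields && fields[i].name != NULL; i++) {
        if (fields[i].size > out_len - pos)
            return -1;
        memcpy(out + pos, (const unsigned char *)obj + fields[i].offset,
               fields[i].size);
        pos += fields[i].size;
    }
    return (long)pos;
}

/* Save one constructed event through a given list; used by main() below. */
long save_sample_event(const field_t *fields, size_t nfields)
{
    event_t ev = { 0x21, 0x1, 0xdeadbeefULL };   /* constructed values */
    unsigned char buf[32];
    return save_fields(fields, nfields, &ev, buf, sizeof buf);
}

int main(void)
{
    printf("ok list:  terminated=%d saved=%ld bytes\n",
           field_list_is_terminated(event_fields_ok, ARRAY_SIZE(event_fields_ok)),
           save_sample_event(event_fields_ok, ARRAY_SIZE(event_fields_ok)));
    printf("bad list: terminated=%d saved=%ld bytes\n",
           field_list_is_terminated(event_fields_bad, ARRAY_SIZE(event_fields_bad)),
           save_sample_event(event_fields_bad, ARRAY_SIZE(event_fields_bad)));
    return 0;
}
```

The terminated list saves the three fields (4 + 4 + 8 = 16 bytes); the unterminated one is rejected before any copy happens. The important design point is that the bound check can only be done where the array's size is known, which is why the upstream fix is to add the terminator at the definition rather than to harden the walker alone.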
Comment 1 SpanKY gentoo-dev 2014-08-18 12:56:56 UTC
guess this was included in the 2.1.0 release which i added a few weeks ago.  i'd give it the normal 30 day and then stabilize.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-09-03 19:54:38 UTC
CVE-2014-5263 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5263):
  vmstate_xhci_event in hw/usb/hcd-xhci.c in QEMU 1.6.0 does not terminate the
  list with the VMSTATE_END_OF_LIST macro, which allows attackers to cause a
  denial of service (out-of-bounds access, infinite loop, and memory
  corruption) and possibly gain privileges via unspecified vectors.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-09-09 19:50:50 UTC
Stabilized in Bug #520688
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-10-05 01:57:09 UTC
Arches and Maintainer(s), Thank you for your work.

Added to an existing GLSA request.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-12-08 22:48:27 UTC
This issue was resolved and addressed in GLSA 201412-01 at http://security.gentoo.org/glsa/glsa-201412-01.xml by GLSA coordinator Kristian Fiskerstrand (K_F).