From ${URL} : During migration, the values read from the migration stream during RAM load are not validated, especially the offset in host_from_stream_offset() and also the length of the writes in the callers of said function. A user able to alter the savevm data (either on disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. Upstream patch submission -- http://thread.gmane.org/gmane.comp.emulators.qemu/306117 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
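To make the two flaws named above concrete (an unvalidated offset, and an unvalidated write length in the caller), here is an added example that is not QEMU's code and not part of this bug report: a simplified model of a RAM-load loop in which each stream record carries an offset into a fixed-size destination block plus a length. The trusting loader uses both values as received; the checked loader rejects any record that would reach outside the block. The block size, canary layout, record format and every function name (ram_block, load_ram_trusting, load_ram_checked, canary_intact) are constructed for this demonstration and do not correspond to QEMU's arch_init.c.

```c
/*
 * Added example (not QEMU's code): a simplified model of the flaw in the bug
 * description. A "record" carries an offset and a length taken straight from
 * the migration stream; the trusting loader uses them unchecked, the checked
 * loader validates both against the destination block before writing.
 * All names, sizes and stream records here are constructed for this demo.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 64u   /* size of the constructed guest RAM block on the destination host */
#define CANARY 0x5A      /* marker placed in the memory on either side of the block */

struct ram_block {
    uint8_t before[8];           /* neighbouring host memory: must never be written */
    uint8_t mem[BLOCK_SIZE];     /* the guest RAM the stream is allowed to fill */
    uint8_t after[8];            /* neighbouring host memory: must never be written */
};

/* One stream record: where in the block to write, how many bytes, and the bytes. */
struct rec {
    uint64_t offset;
    uint32_t len;
    const uint8_t *data;
};

static void ram_block_init(struct ram_block *blk)
{
    memset(blk->before, CANARY, sizeof blk->before);
    memset(blk->mem, 0, sizeof blk->mem);
    memset(blk->after, CANARY, sizeof blk->after);
}

/* 1 if neither neighbour was touched, 0 if something wrote outside mem[]. */
static int canary_intact(const struct ram_block *blk)
{
    for (size_t i = 0; i < sizeof blk->before; i++)
        if (blk->before[i] != CANARY || blk->after[i] != CANARY)
            return 0;
    return 1;
}

/* Vulnerable shape: offset and len come from the stream and are used as-is. */
static void load_ram_trusting(struct ram_block *blk, const struct rec *r)
{
    uint8_t *host = blk->mem + r->offset;  /* no check that offset < BLOCK_SIZE */
    memcpy(host, r->data, r->len);         /* no check that len fits what is left */
}

/* Hardened shape: reject any record that would reach outside the block.
 * Returns 0 on success, -1 on a malformed record (nothing is written then). */
static int load_ram_checked(struct ram_block *blk, const struct rec *r)
{
    if (r->offset >= BLOCK_SIZE)
        return -1;                          /* offset points past the block */
    if (r->len > BLOCK_SIZE - r->offset)
        return -1;                          /* write would run off the end; a
                                               subtraction is used so that a huge
                                               offset + len cannot wrap around */
    memcpy(blk->mem + r->offset, r->data, r->len);
    return 0;
}

/* Demo drivers: each returns 1 when the behaviour it names was observed. */
static int checked_accepts_valid_record(void)
{
    struct ram_block blk; uint8_t page[16];
    ram_block_init(&blk); memset(page, 0xAB, sizeof page);
    struct rec ok = { 48, 16, page };      /* last 16 bytes of the block: legal */
    return load_ram_checked(&blk, &ok) == 0 && blk.mem[48] == 0xAB
        && blk.mem[63] == 0xAB && canary_intact(&blk);
}

static int checked_rejects_bad_records(void)
{
    struct ram_block blk; uint8_t page[16];
    ram_block_init(&blk); memset(page, 0xAB, sizeof page);
    struct rec bad_off = { BLOCK_SIZE, 1, page };     /* offset out of range */
    struct rec bad_len = { 56, 16, page };            /* offset fine, len overruns */
    struct rec wrap = { UINT64_MAX - 4, 16, page };   /* offset + len wraps to 11, which a
                                                         naive "offset + len <= size" test passes */
    return load_ram_checked(&blk, &bad_off) == -1 && load_ram_checked(&blk, &bad_len) == -1
        && load_ram_checked(&blk, &wrap) == -1 && canary_intact(&blk);
}

static int trusting_corrupts_neighbour(void)
{
    struct ram_block blk; uint8_t page[16];
    ram_block_init(&blk); memset(page, 0xAB, sizeof page);
    struct rec bad_len = { 56, 16, page };  /* 8 bytes land in mem[], 8 bytes in after[] */
    load_ram_trusting(&blk, &bad_len);
    return !canary_intact(&blk);
}

int main(void)
{
    printf("checked loader accepts a valid record:  %d\n", checked_accepts_valid_record());
    printf("checked loader rejects bad records:     %d\n", checked_rejects_bad_records());
    printf("trusting loader overwrites neighbour:   %d\n", trusting_corrupts_neighbour());
    return 0;
}
```

The two checks in load_ram_checked are ordered deliberately: validating the offset first makes the subtraction in the length check safe, and comparing len against the remaining room (rather than computing offset + len) avoids the integer wrap that an attacker-chosen offset near UINT64_MAX would otherwise exploit.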
*qemu-2.1.2-r2 (14 Dec 2014)

  14 Dec 2014; Matthias Maier <tamiko@gentoo.org> +qemu-2.1.2-r2.ebuild:
  backport fixes for bugs #530498, #531666 (CVE-2014-8106), #529030
  (CVE-2014-7840), #528922

*qemu-2.2.0 (14 Dec 2014)

  14 Dec 2014; Matthias Maier <tamiko@gentoo.org> +qemu-2.2.0.ebuild,
  metadata.xml: version bump; cleanup whitespace in metadata.xml

Vulnerable version left in tree: 2.1.2-r1
Unaffected: 2.1.2-r2, 2.2.0
Stabilization for 2.1.2-r2 on bug #531666
Security, please vote.
As Part of Bug: 53166

Kristian Fiskerstrand gentoo-dev Security 2014-12-21 10:53:53 EST
GLSA Vote: Yes along with bug 528922 and bug 529030

Maintainer(s), thank you for the cleanup!

GLSA Vote: Yes

Added to an existing GLSA request.
CVE-2014-7840 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7840): The host_from_stream_offset function in arch_init.c in QEMU, when loading RAM during migration, allows remote attackers to execute arbitrary code via a crafted (1) offset or (2) length value in savevm data.
This issue was resolved and addressed in GLSA 201412-37 at http://security.gentoo.org/glsa/glsa-201412-37.xml by GLSA coordinator Yury German (BlueKnight).