It was found that the Cirrus blit region checks were insufficient.
Cirrus is the default graphical adapter for x86 in qemu in any released
version, and it's also used for vnc (spice uses qxl).
A privileged guest user could use this flaw to to write outside of vram
allocated buffer boundaries in the host's qemu process with attacker
Upstream patch submission:
*qemu-2.1.2-r2 (14 Dec 2014)
14 Dec 2014; Matthias Maier <email@example.com> +qemu-2.1.2-r2.ebuild:
backport fixes for bugs #530498, #531666 (CVE-2014-8106), #529030
(CVE-2014-7840), #528922 (528922)
*qemu-2.2.0 (14 Dec 2014)
14 Dec 2014; Matthias Maier <firstname.lastname@example.org> +qemu-2.2.0.ebuild,
version bump; cleanup whitespace in metadata.xml
Vulnerable version left in tree: 2.1.2-r1
Unaffected: 2.1.2-r2, 2.2.0
Arches, please stabilize app-emulation/qemu-2.1.2-r2
Target keywords: amd64 x86
Maintainer(s), please cleanup.
Security, please vote.
21 Dec 2014; Matthias Maier <email@example.com> -qemu-2.1.2-r1.ebuild:
drop vulnerable, bug #531666 (CVE-2014-8106)
GLSA Vote: Yes along with bug 528922 and bug 529030
Heap-based buffer overflow in the Cirrus VGA emulator
(hw/display/cirrus_vga.c) in QEMU before 2.2.0 allows local guest users to
execute arbitrary code via vectors related to blit regions. NOTE: this
vulnerability exists because an incomplete fix for CVE-2007-1320.
Maintainer(s), Thank you for cleanup!
GLSA Vote: Yes
Created a New GLSA request.
This issue was resolved and addressed in
GLSA 201412-37 at http://security.gentoo.org/glsa/glsa-201412-37.xml
by GLSA coordinator Yury German (BlueKnight).