During processing of certain commands such as FD_CMD_READ_ID and FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could get out of bounds leading to memory corruption with values coming from the guest. Fix this by making sure that the index is always bounded by the allocated memory. This is CVE-2015-3456. Reproducible: Always
Patch is in URL value above, putting it here again for visibility. http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c
Created attachment 403210 [details, diff] Patch from qemu git
--- qemu-2.3.0.ebuild 2015-04-28 11:20:05.000000000 +0200 +++ qemu-2.3.0.ebuild 2015-05-13 21:00:02.318525020 +0200 @@ -257,6 +257,7 @@ use nls || rm -f po/*.po epatch "${FILESDIR}"/qemu-1.7.0-cflags.patch + epatch "${FILESDIR}"/qemu-2.3.0-CVE-2015-3456.patch # CVE-2015-3456 [[ -n ${BACKPORTS} ]] && \ EPATCH_FORCE=yes EPATCH_SUFFIX="patch" EPATCH_SOURCE="${S}/patches" \ epatch
Duplicate of 549404 :-) closing... *** This bug has been marked as a duplicate of bug 549404 ***