Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 549402 - app-emulation/qemu security vulnerability CVE-2015-3456 ("Venom")
Summary: app-emulation/qemu security vulnerability CVE-2015-3456 ("Venom")
Status: RESOLVED DUPLICATE of bug 549404
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal critical (vote)
Assignee: Gentoo Linux bug wranglers
Depends on:
Reported: 2015-05-13 18:49 UTC by Daniel Kenzelmann
Modified: 2015-05-13 19:03 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Patch from qemu git (qemu-2.3.0-CVE-2015-3456.patch,2.75 KB, patch)
2015-05-13 18:57 UTC, Daniel Kenzelmann
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Kenzelmann 2015-05-13 18:49:16 UTC
During processing of certain commands such as FD_CMD_READ_ID and
FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
get out of bounds leading to memory corruption with values coming
from the guest.

Fix this by making sure that the index is always bounded by the
allocated memory.

This is CVE-2015-3456.

Reproducible: Always
Comment 1 Daniel Kenzelmann 2015-05-13 18:50:52 UTC
Patch is in URL value above, putting it here again for visibility.;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c
Comment 2 Daniel Kenzelmann 2015-05-13 18:57:33 UTC
Created attachment 403210 [details, diff]
Patch from qemu git
Comment 3 Daniel Kenzelmann 2015-05-13 19:00:40 UTC
--- qemu-2.3.0.ebuild	2015-04-28 11:20:05.000000000 +0200
+++ qemu-2.3.0.ebuild	2015-05-13 21:00:02.318525020 +0200
@@ -257,6 +257,7 @@
 	use nls || rm -f po/*.po
 	epatch "${FILESDIR}"/qemu-1.7.0-cflags.patch
+	epatch "${FILESDIR}"/qemu-2.3.0-CVE-2015-3456.patch # CVE-2015-3456
 	[[ -n ${BACKPORTS} ]] && \
 		EPATCH_FORCE=yes EPATCH_SUFFIX="patch" EPATCH_SOURCE="${S}/patches" \
Comment 4 Daniel Kenzelmann 2015-05-13 19:03:11 UTC
Duplicate of 549404 :-) closing...

*** This bug has been marked as a duplicate of bug 549404 ***