Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 571560 (CVE-2016-1714) - <app-emulation/qemu-2.5.0-r2: nvram: OOB r/w access in processing firmware configurations (CVE-2016-1714)
Summary: <app-emulation/qemu-2.5.0-r2: nvram: OOB r/w access in processing firmware co...
Status: RESOLVED FIXED
Alias: CVE-2016-1714
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa cve]
Keywords:
Depends on: 578044
Blocks:
  Show dependency tree
 
Reported: 2016-01-11 16:55 UTC by Agostino Sarubbo
Modified: 2016-04-02 18:27 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-01-11 16:55:41 UTC
From ${URL} :

Qemu emulator built with the Firmware Configuration device emulation support is
vulnerable to an OOB r/w access issue. It could occur while processing firmware
configurations, if the current configuration entry value was set to be
invalid(FW_CFG_INVALID=0xffff).

A privileged(CAP_SYS_RAWIO) user/process inside guest could use this flaw to
crash the Qemu process instance resulting in DoS OR potentially execute
arbitrary code with privileges of the Qemu process on the host.

Upstream fix:
-------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg00428.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 SpanKY gentoo-dev 2016-03-23 04:12:02 UTC
note: that patch was written for qemu-2.3.x and isn't directly relevant to newer versions.  the write code path for example was dropped entirely in qemu-2.4.x.

the read code path was fixed upstream here:
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=66f8fd9dda312191b78d2a2ba2848bcee76127a2
Comment 2 SpanKY gentoo-dev 2016-03-23 05:25:45 UTC
this is in qemu-2.5.0-r2 and is fine for stable
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-23 06:12:43 UTC
Added to existing GLSA.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev Security 2016-04-02 17:15:02 UTC
Clean as part of bug #567420
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2016-04-02 18:27:30 UTC
This issue was resolved and addressed in
 GLSA 201604-01 at https://security.gentoo.org/glsa/201604-01
by GLSA coordinator Yury German (BlueKnight).