From ${URL} :

Qemu emulator built with the MIPSnet controller emulator is vulnerable to a buffer overflow issue. It could occur while receiving network packets in mipsnet_receive(), if the guest NIC is configured to accept large (MTU) packets.

A remote user/process could use this flaw to crash Qemu resulting in DoS; OR potentially execute arbitrary code with privileges of the Qemu process on a host.

Upstream patch:
---------------
-> https://lists.gnu.org/archive/html/qemu-devel/2016-04/msg01131.html

Reference:
----------
-> http://www.openwall.com/lists/oss-security/2016/04/11/6

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
still not in upstream, but doesn't seem like a big deal ... doesn't seem like anyone really uses this network device
CVE-2016-4002 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4002):
  Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU, when the guest NIC is configured to accept large packets, allows remote attackers to cause a denial of service (memory corruption and QEMU crash) or possibly execute arbitrary code via a packet larger than 1514 bytes.

CVE-2016-4001 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4001):
  Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is configured to accept large packets, allows remote attackers to cause a denial of service (QEMU crash) via a large packet.
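The receive-side length check that the two advisories above are about, as an added illustration in C (not QEMU's code nor the upstream patch): a fixed 1514-byte frame buffer modelled on the mipsnet case, with the bounds check that drops oversized frames instead of overrunning the buffer. The nic_state_t struct, nic_receive() and demo_receive() are assumed names; the 4096-byte scratch frame is constructed test input.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

/* The page cites 1514 bytes as the largest frame the emulated NIC handles;
 * anything longer overran the fixed buffer before the upstream fix. */
#define MAX_ETH_FRAME_SIZE 1514

/* Hypothetical device state: a single fixed-size frame buffer followed by
 * fields the guest reads. An unchecked copy of an oversized frame would
 * spill out of rx_buffer into rx_count and whatever follows it. */
typedef struct {
    uint8_t  rx_buffer[MAX_ETH_FRAME_SIZE];
    uint32_t rx_count;
    int      rx_enabled;   /* guest has enabled reception */
} nic_state_t;

/* Hardened receive path. Returns bytes accepted, 0 to ask the caller to
 * retry later, or -1 when the frame is dropped. The pre-fix pattern was the
 * same function without the size check, i.e. memcpy() ran for any length. */
ssize_t nic_receive(nic_state_t *s, const uint8_t *buf, size_t size)
{
    if (!s->rx_enabled) {
        return 0;
    }
    if (size > sizeof(s->rx_buffer)) {
        return -1;         /* oversized frame: drop it, never copy it */
    }
    memcpy(s->rx_buffer, buf, size);
    s->rx_count = (uint32_t)size;
    return (ssize_t)size;
}

/* Feeds one constructed frame of frame_len bytes to a fresh device and
 * returns nic_receive()'s result; -2 if the request exceeds the scratch frame. */
ssize_t demo_receive(size_t frame_len, int enabled)
{
    nic_state_t s;
    uint8_t frame[4096];   /* constructed test frame, filled with 0xAB */
    if (frame_len > sizeof(frame)) {
        return -2;
    }
    memset(&s, 0, sizeof(s));
    s.rx_enabled = enabled;
    memset(frame, 0xAB, frame_len);
    return nic_receive(&s, frame, frame_len);
}
```

A frame of exactly 1514 bytes is accepted, 1515 bytes and above are dropped with -1, and a device with reception disabled returns 0 so the caller retries.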
(In reply to GLSAMaker/CVETool Bot from comment #2)
> CVE-2016-4002 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4002):
> Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU, when the guest NIC is configured to accept large packets, allows remote attackers to cause a denial of service (memory corruption and QEMU crash) or possibly execute arbitrary code via a packet larger than 1514 bytes.

Patch is in master right now so hopefully on the next release: http://git.qemu.org/?p=qemu.git;a=commit;h=3af9187fc6caaf415ab9c0c6d92c9678f65cb17f

> CVE-2016-4001 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4001):
> Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is configured to accept large packets, allows remote attackers to cause a denial of service (QEMU crash) via a large packet.

Same here... patch is in master as well: http://git.qemu.org/?p=qemu.git;a=commit;h=3a15cc0e1ee7168db0782133d2607a6bfa422d66
(In reply to Aaron Bauman from comment #3)
> (In reply to GLSAMaker/CVETool Bot from comment #2)
> > CVE-2016-4002 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4002):
> > Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU, when the guest NIC is configured to accept large packets, allows remote attackers to cause a denial of service (memory corruption and QEMU crash) or possibly execute arbitrary code via a packet larger than 1514 bytes.
> >
> > Patch is in master right now so hopefully on the next release:
> > http://git.qemu.org/?p=qemu.git;a=commit;h=3af9187fc6caaf415ab9c0c6d92c9678f65cb17f

This did not make it into 2.6.0 release.

> > CVE-2016-4001 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4001):
> > Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is configured to accept large packets, allows remote attackers to cause a denial of service (QEMU crash) via a large packet.
> >
> > Same here... patch is in master as well:
> > http://git.qemu.org/?p=qemu.git;a=commit;h=3a15cc0e1ee7168db0782133d2607a6bfa422d66

This one is good, sorry.
Fixed in at least version 2.7.0.

Stabilization of 2.7.0 in #592430

commit 671df1de7a8611d59307ffcd448af451c15003ed
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Sun Sep 4 23:25:32 2016 -0500

    app-emulation/qemu: version bump to 2.7.0, various security fixes

    3af9187fc6caaf415ab9c0c6d92c9678f65cb17f -> CVE-2016-4001, bug #579734
    3a15cc0e1ee7168db0782133d2607a6bfa422d66 -> CVE-2016-4002, bug #579734
    c98c6c105f66f05aa0b7c1d2a4a3f716450907ef -> CVE-2016-4439, bug #583496
    6c1fef6b59563cc415f21e03f81539ed4b33ad90 -> CVE-2016-4441, bug #583496
    06630554ccbdd25780aa03c3548aaff1eb56dffd -> , bug #583952
    844864fbae66935951529408831c2f22367a57b6 -> CVE-2016-5337, bug #584094
    b60bdd1f1ee1616b7a9aeeffb4088e1ce2710fb2 -> , bug #584102
    1b85898025c4cd95dce673d15e67e60e98e91731 -> , bug #584146
    521360267876d3b6518b328051a2e56bca55bef8 -> CVE-2016-4453, bug #584514
    4e68a0ee17dad7b8d870df0081d4ab2e079016c2 -> CVE-2016-4454, bug #584514
    a6b3167fa0e825aebb5a7cd8b437b6d41584a196 -> CVE-2016-5126, bug #584630
    ff589551c8e8e9e95e211b9d8daafb4ed39f1aec -> CVE-2016-5338, bug #584918
    d3cdc49138c30be1d3c2f83d18f85d9fdee95f1a -> CVE-2016-5238, bug #584918
    1e7aed70144b4673fc26e73062064b6724795e5f -> , bug #589924
    afd9096eb1882f23929f5b5c177898ed231bac66 -> CVE-2016-5403, bug #589928
    eb700029c7836798046191d62d595363d92c84d4 -> CVE-2016-6835, bug #591244
    ead315e43ea0c2ca3491209c6c8db8ce3f2bbe05 -> CVE-2016-6834, bug #591374
    6c352ca9b4ee3e1e286ea9e8434bd8e69ac7d0d8 -> CVE-2016-6833, bug #591380
    47882fa4975bf0b58dd74474329fdd7154e8f04c -> CVE-2016-6888, bug #591678
    805b5d98c649d26fc44d2d7755a97f18e62b438a
    56f101ecce0eafd09e2daf1c4eeb1377d6959261
    fff39a7ad09da07ef490de05c92c91f22f8002f2 -> , bug #592430

    Package-Manager: portage-2.2.28
*** Bug 579614 has been marked as a duplicate of this bug. ***
This issue was resolved and addressed in GLSA 201609-01 at https://security.gentoo.org/glsa/201609-01 by GLSA coordinator Yury German (BlueKnight).