From Secunia security advisory at $URL:
The vulnerability is caused due to a boundary error within the "process_tx_desc()" function (hw/e1000.c) when handling legacy mode packets while reading DMA requests. This can be exploited to cause a heap-based buffer overflow via a specially crafted packet.
Fixed in the GIT repository.
Sorry for the extra work, please check whether this vulnerability is also verified in the 0.x version.
- If yes, we must stabilize a new revision that contains the fix.
- If not, you should only bump an updated version of 1.x; no stabilization needed.
For qemu-kvm-1.0, this is fixed in qemu-kvm-1.0-r2.
(In reply to comment #1)
> Sorry for the extra work, please check whether this vulnerability is also verified in
> the 0.x version.
> - If yes, we must stabilize a new revision that contains the fix.
> - If not, you should only bump an updated version of 1.x; no stabilization
It affects all back versions as far as I can tell.
Am I correct in thinking this is fixed in both qemu-1.0-r2 and qemu-kvm-1.0-r2? If so, shall we move forward with stabilization? Thanks!
(In reply to comment #4)
> Am I correct in thinking this is fixed in both qemu-1.0-r2 and qemu-kvm-1.0-r2?
> If so, shall we move forward with stabilization? Thanks!
Yes, you are correct.
> > Am I correct in thinking this is fixed in both qemu-1.0-r2 and qemu-kvm-1.0-r2?
> > If so, shall we move forward with stabilization? Thanks!
> Yes, you are correct.
I ask for stable keywords for
It's qemu-0.11.1 with a security patch on top, so some QA problems are still in place.
I am sticking with the old 0.11.1 version as it's the latest version
Well it was my intent (qemu-kvm maintainer) and lu_zero's (qemu maintainer) intent to drop app-emulation/qemu from the tree entirely with the release of app-emulation/qemu-kvm.
qemu is staying around mostly for qemu-user usage. We might drop qemu and use just qemu-kvm and qemu-user-static since those are the main usages.
Heap-based buffer overflow in the process_tx_desc function in the e1000 emulation (hw/e1000.c) in qemu-kvm 0.12, and possibly other versions, allows guest OS users to cause a denial of service (QEMU crash) and possibly execute arbitrary code via crafted legacy mode packets.
Added to pending GLSA request.
stabilize: app-emulation/qemu-kvm-1.0-r3 (as requested in bug #373997)
target keywords: amd64 x86
this is not fixed in 1.0-r3, but in 1.0.1!
http://wiki.qemu.org/ChangeLog/1.0#1.0.1 -> "e1000: bounds packet size against buffer size" -> http://repo.or.cz/w/qemu.git/commitdiff/d0ed2d2
Oh my. It's actually fixed with qemu-kvm-1.0-e1000-bounds-packet-size-against-buffer-size.patch, I just made a mistake when unpacking. Ignore the last message, sorry for bugspam.
Moved to [glsa].
If I am puzzling this out correctly, we stabilized a fixed qemu-kvm, =app-emulation/qemu-kvm-1.0-r3, in bug 373997, and a fixed qemu, =app-emulation/qemu-0.11.1, via bug 356685.
This issue was resolved and addressed in GLSA 201210-04 at http://security.gentoo.org/glsa/glsa-201210-04.xml by GLSA coordinator Stefan Behte (craig).