Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 531666 (CVE-2014-8106) - <app-emulation/qemu-2.1.2-r2: cirrus: insufficient blit region checks (CVE-2014-8106)
Summary: <app-emulation/qemu-2.1.2-r2: cirrus: insufficient blit region checks (CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2014-8106
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2014/q4/897
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-04 13:29 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2014-12-24 21:29 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-04 13:29:56 UTC
From ${URL}:
It was found that the Cirrus blit region checks were insufficient.

Cirrus is the default graphical adapter for x86 in qemu in any released
version, and it's also used for vnc (spice uses qxl).

A privileged guest user could use this flaw to to write outside of vram
allocated buffer boundaries in the host's qemu process with attacker
provided data.

Upstream patch submission:
http://lists.gnu.org/archive/html/qemu-devel/2014-12/msg00508.html

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1169454
Comment 1 Matthias Maier gentoo-dev 2014-12-14 22:53:46 UTC
*qemu-2.1.2-r2 (14 Dec 2014)

  14 Dec 2014; Matthias Maier <tamiko@gentoo.org> +qemu-2.1.2-r2.ebuild:
  backport fixes for bugs #530498, #531666 (CVE-2014-8106), #529030
  (CVE-2014-7840), #528922 (528922)

*qemu-2.2.0 (14 Dec 2014)

  14 Dec 2014; Matthias Maier <tamiko@gentoo.org> +qemu-2.2.0.ebuild,
  metadata.xml:
  version bump; cleanup whitespace in metadata.xml

Vulnerable version left in tree: 2.1.2-r1
Unaffected: 2.1.2-r2, 2.2.0


Arches, please stabilize app-emulation/qemu-2.1.2-r2

Target keywords: amd64 x86
Comment 2 Agostino Sarubbo gentoo-dev 2014-12-21 11:37:12 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2014-12-21 11:41:58 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 4 Matthias Maier gentoo-dev 2014-12-21 15:42:00 UTC
  21 Dec 2014; Matthias Maier <tamiko@gentoo.org> -qemu-2.1.2-r1.ebuild:
  drop vulnerable, bug #531666 (CVE-2014-8106)
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-21 15:53:53 UTC
GLSA Vote: Yes along with bug 528922 and bug 529030
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-12-22 02:57:43 UTC
CVE-2014-8106 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8106):
  Heap-based buffer overflow in the Cirrus VGA emulator
  (hw/display/cirrus_vga.c) in QEMU before 2.2.0 allows local guest users to
  execute arbitrary code via vectors related to blit regions. NOTE: this
  vulnerability exists because an incomplete fix for CVE-2007-1320.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2014-12-22 02:59:21 UTC
Maintainer(s), Thank you for cleanup!

GLSA Vote: Yes
Created a New GLSA request.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-12-24 21:25:46 UTC
This issue was resolved and addressed in
 GLSA 201412-37 at http://security.gentoo.org/glsa/glsa-201412-37.xml
by GLSA coordinator Yury German (BlueKnight).
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-12-24 21:29:24 UTC
This issue was resolved and addressed in
 GLSA 201412-37 at http://security.gentoo.org/glsa/glsa-201412-37.xml
by GLSA coordinator Yury German (BlueKnight).