From ${URL}: It was found that the Cirrus blit region checks were insufficient. Cirrus is the default graphical adapter for x86 in qemu in any released version, and it's also used for vnc (spice uses qxl). A privileged guest user could use this flaw to write outside of vram allocated buffer boundaries in the host's qemu process with attacker provided data. Upstream patch submission: http://lists.gnu.org/archive/html/qemu-devel/2014-12/msg00508.html References: https://bugzilla.redhat.com/show_bug.cgi?id=1169454
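The report above says the blit region checks were insufficient, i.e. a guest-controlled blit could land outside the vram buffer. The following is an added illustration (not QEMU's code and not the upstream patch) of what a complete region check has to cover: the whole rectangle, not just its start address, in both blit directions (negative pitch for upward blits), with arithmetic that cannot wrap. The function name, parameters and the sample sizes are assumptions for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical check (not QEMU's): a blit touches `height` rows of `width`
 * bytes each, the first row starting at byte offset `addr` and each further
 * row `pitch` bytes away (pitch may be negative).  Return true only if every
 * byte of the rectangle lies inside a vram buffer of `vram_size` bytes.
 * All arithmetic is done in 64 bits so guest-chosen 32-bit values cannot wrap. */
bool blit_region_fits(uint32_t vram_size, uint32_t addr, int32_t pitch,
                      uint32_t width, uint32_t height)
{
    if (width == 0 || height == 0)
        return true;                     /* nothing is touched */
    if (width > vram_size)
        return false;

    uint64_t steps = (uint64_t)height - 1;   /* number of pitch moves */

    if (pitch >= 0) {
        /* one past the last byte of the last (highest) row */
        uint64_t end = (uint64_t)addr + steps * (uint64_t)pitch + width;
        return end <= vram_size;
    }

    /* negative pitch: rows move downward in memory */
    uint64_t back = steps * (uint64_t)(-(int64_t)pitch);
    if (back > addr)
        return false;                    /* lowest row would start before vram */
    return (uint64_t)addr + width <= vram_size; /* first row is the highest one */
}

/* The kind of check that is insufficient: only the start address is tested,
 * so a large width, height or pitch still reaches past the buffer. */
bool start_only_check(uint32_t vram_size, uint32_t addr)
{
    return addr < vram_size;
}

int main(void)
{
    const uint32_t vram = 4096;          /* constructed: tiny 4 KiB vram */
    /* 64x64 blit at offset 0 with pitch 64: fills exactly the buffer */
    printf("full fit:        %d\n", blit_region_fits(vram, 0, 64, 64, 64));
    /* one extra row: last row ends at 4160 > 4096 */
    printf("one row too far: %d\n", blit_region_fits(vram, 0, 64, 64, 65));
    /* start-only check misses it */
    printf("start-only says: %d\n", start_only_check(vram, 0));
    /* upward blit starting at the last row */
    printf("upward fit:      %d\n", blit_region_fits(vram, 4032, -64, 64, 64));
    /* 32-bit wrap attempt: addr near 2^32 plus width */
    printf("wrap attempt:    %d\n", blit_region_fits(vram, 0xFFFFFFF0u, 0, 32, 1));
    return 0;
}
```

The point of the example is the contrast between the two checks: a guest may pick address, pitch, width and height independently, so a check is only sound if it bounds the far corner of the rectangle in whichever direction the pitch points, and does so without overflowing the integer type.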
*qemu-2.1.2-r2 (14 Dec 2014)

14 Dec 2014; Matthias Maier <tamiko@gentoo.org> +qemu-2.1.2-r2.ebuild:
backport fixes for bugs #530498, #531666 (CVE-2014-8106), #529030 (CVE-2014-7840), #528922 (528922)

*qemu-2.2.0 (14 Dec 2014)

14 Dec 2014; Matthias Maier <tamiko@gentoo.org> +qemu-2.2.0.ebuild, metadata.xml:
version bump; cleanup whitespace in metadata.xml

Vulnerable version left in tree: 2.1.2-r1
Unaffected: 2.1.2-r2, 2.2.0
Arches, please stabilize app-emulation/qemu-2.1.2-r2
Target keywords: amd64 x86
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
21 Dec 2014; Matthias Maier <tamiko@gentoo.org> -qemu-2.1.2-r1.ebuild: drop vulnerable, bug #531666 (CVE-2014-8106)
GLSA Vote: Yes along with bug 528922 and bug 529030
CVE-2014-8106 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8106): Heap-based buffer overflow in the Cirrus VGA emulator (hw/display/cirrus_vga.c) in QEMU before 2.2.0 allows local guest users to execute arbitrary code via vectors related to blit regions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2007-1320.
Maintainer(s), Thank you for cleanup! GLSA Vote: Yes Created a New GLSA request.
This issue was resolved and addressed in GLSA 201412-37 at http://security.gentoo.org/glsa/glsa-201412-37.xml by GLSA coordinator Yury German (BlueKnight).