It was found that the QEMU's websocket frame decoder processed incoming
frames without limiting resources used to process the header and
payload. An attacker able to access a guest's VNC console could use this
flaw to trigger a denial of service on the host by exhausting all
available memory and CPU.
This issue was discovered by Daniel P. Berrange of Red Hat.
Upstream patch submission:
Due to inconsistent error checking, Qemu emulator allows malicious PRDT data
to flow from a guest to the host's IDE or AHCI controllers. This could result
in infinite loop or memory leakage on the host leading to unbounded resource
A privileged user inside guest could use this flaw to crash the system,
resulting in DoS.
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
the IDE change has been merged, but not the VNC one. probably going to just wait for that to be sorted out first.
(In reply to SpanKY from comment #1)
> the IDE change has been merged, but not the VNC one. probably going to just
> wait for that to be sorted out first.
from http://www.openwall.com/lists/oss-security/2015/04/09/6 :
Please note that the first patch committed to QEMU project git is
slightly different than the initial submission as it includes fix
for a regression caused by the original patch.
the ide prdt fix is already in qemu-2.2.0, and that's already in stable
this bug is now just for the vnc issue
Commit message: Add fixes from upstream for CVE-2015-1779
+ 14 May 2015; Agostino Sarubbo <email@example.com>
+ -files/qemu-2.1.2-vnc-sanitize-bits.patch, -qemu-2.1.2-r2.ebuild,
+ -qemu-2.1.3-r1.ebuild, -qemu-2.1.3.ebuild, -qemu-2.2.0.ebuild,
+ -qemu-2.2.1-r1.ebuild, -qemu-2.2.1.ebuild, -qemu-2.3.0.ebuild,
+ Stable for amd64/x86 - remove old.
Security please vote.
GLSA Vote: Yes
Arches and Maintainer(s), Thank you for your work.
Added to an existing GLSA Request.
This issue was resolved and addressed in
GLSA 201602-01 at https://security.gentoo.org/glsa/201602-01
by GLSA coordinator Kristian Fiskerstrand (K_F).