Bug 555532 (CVE-2015-5154) - app-emulation/xen-tools-{4.2.5-r9,4.5.1-r2}: QEMU heap overflow flaw while processing certain ATAPI commands (XSA-138) (CVE-2015-5154)
Alias: CVE-2015-5154
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A2 [glsa cve]
Depends on:
Reported: 2015-07-21 07:49 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2016-04-05 07:00 UTC

See Also:
Package list:
Runtime testing required: ---


Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-07-21 07:49:58 UTC
Xen Security Advisory CVE-2015-5154 / XSA-138

   QEMU heap overflow flaw while processing certain ATAPI commands.

             *** EMBARGOED UNTIL 2015-07-27 12:00 UTC ***


The QEMU security team has predisclosed the following advisory:

    A heap overflow flaw was found in the way QEMU's IDE subsystem
    handled I/O buffer access while processing certain ATAPI commands.

    A privileged guest user in a guest with CDROM drive enabled could
    potentially use this flaw to execute arbitrary code on the host
    with the privileges of the host's QEMU process corresponding to
    the guest.


An HVM guest which has access to an emulated IDE CDROM device
(e.g. with a device with "devtype=cdrom", or the "cdrom" convenience
alias, in the VBD configuration) can exploit this vulnerability to
take over the qemu process elevating its privilege to that of the qemu


All Xen systems running x86 HVM guests without stubdomains which have
been configured with an emulated CD-ROM driver model are vulnerable.

Systems using qemu-dm stubdomain device models (for example, by
specifying "device_model_stubdomain_override=1" in xl's domain
configuration files) are NOT vulnerable.

Both the traditional "qemu-xen" or upstream qemu device models are
potentially vulnerable.

Systems running only PV guests are NOT vulnerable.

ARM systems are NOT vulnerable.


Avoiding the use of emulated CD-ROM devices altogether, by not
specifying such devices in the domain configuration, will avoid this

Enabling stubdomains will mitigate this issue, by reducing the
escalation to only those privileges accorded to the service domain.

qemu-dm stubdomains are only available with the traditional "qemu-xen"


Applying the appropriate attached patch resolves this issue.

xsa138-qemut-{1,2}.patch     qemu-xen-traditional, Xen unstable, Xen 4.5.x,
                             Xen 4.4.x, Xen 4.3.x, Xen 4.2.x
xsa138-qemuu-{1,2,3}.patch   qemu-upstream, xen unstable, Xen 4.5.x,
                             Xen 4.4.x, Xen 4.3.x
xsa138-qemuu-{1,3}.patch     qemu-upstream, Xen 4.2.x

NOTE: xsa138-qemuu-2.patch is not required for Xen 4.2.x.

$ sha256sum xsa138*.patch
7e385455379d88658b8ab0d4c1effffe9af21fff2e1dc0fe51cacc779afc83a4  xsa138-qemut-1.patch
c9a89082e36a0646a6fe002c6892d966d415d11ad5cfdcfea7e9c8d7a3f1316c  xsa138-qemut-2.patch
a076808f543c82aeac2f0239a4a46d9baadcd4e4b0a2f9ae7ded99cf59cffde6  xsa138-qemuu-1.patch
ed16dca7d2c179d0931d6e2503264d6593547a803eb3f08f6db7fff2127509a9  xsa138-qemuu-2.patch
090bdec00ede1f0ace1af52833038a74971e060d0c176b42bfca08511d36c644  xsa138-qemuu-3.patch


Deployment of patches or mitigations is NOT permitted (except on
systems used and administered only by organisations which are members
of the Xen Project Security Issues Predisclosure List).  Specifically,
deployment on public cloud systems is NOT permitted.

The decision not to permit deployment was made by the group that, at
their discretion, disclosed the issue to the Xen Project Security

Deployment is permitted only AFTER the embargo ends.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
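The advisory's exposure criteria (x86 HVM guest, emulated CD-ROM VBD via "devtype=cdrom" or the "cdrom" alias, no qemu-dm stubdomain) can be turned into an audit over xl domain configuration files. The following is an added example, not part of the advisory or of the Gentoo bug; it assumes one `key = value` assignment per line written as Python-style literals, and the sample configs it embeds are constructed.

```python
"""Audit xl domain configs for XSA-138 exposure (constructed helper, not from
the advisory). Criteria per the advisory: HVM guest + emulated CD-ROM VBD, and
no qemu-dm stubdomain. Assumes one 'key = value' per line (Python literals)."""
import ast
import re

_ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")

def parse_xl_config(text):
    """Return {key: value} for every parsable 'key = literal' line."""
    cfg = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line.split("#", 1)[0])  # ignore trailing comments
        if not m:
            continue
        try:
            cfg[m.group(1)] = ast.literal_eval(m.group(2))
        except (ValueError, SyntaxError):
            cfg[m.group(1)] = m.group(2)  # keep raw text if not a literal
    return cfg

def has_emulated_cdrom(disks):
    """True if any VBD uses devtype=cdrom or the ':cdrom' convenience alias."""
    return any("devtype=cdrom" in s.replace(" ", "").lower() or ":cdrom" in s.lower()
               for s in (disks or []))

def xsa138_exposure(text):
    """Classify a config as 'vulnerable', 'mitigated' or 'not-affected'."""
    cfg = parse_xl_config(text)
    is_hvm = cfg.get("builder", cfg.get("type", "pv")) == "hvm"
    if not is_hvm or not has_emulated_cdrom(cfg.get("disk")):
        return "not-affected"  # PV guest, or no emulated CD-ROM device at all
    if cfg.get("device_model_stubdomain_override") in (1, "1"):
        return "mitigated"  # qemu-dm runs in a stubdomain, escalation is contained
    return "vulnerable"

# Constructed sample configs (not from the advisory): weak setting vs. mitigated.
VULNERABLE_CFG = """
builder = "hvm"
disk = [ 'file:/srv/img/g1.img,hda,w', 'file:/srv/iso/install.iso,hdc:cdrom,r' ]
"""
MITIGATED_CFG = """
builder = "hvm"
device_model_version = "qemu-xen-traditional"   # stubdomains need this model
device_model_stubdomain_override = 1
disk = [ 'format=raw, vdev=hdc, access=r, devtype=cdrom, target=/srv/iso/install.iso' ]
"""
if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CFG), ("mitigated", MITIGATED_CFG)):
        print(name, "->", xsa138_exposure(cfg))
```

A domain reported as "vulnerable" needs the xen-tools update or, per the advisory, either the CD-ROM device removed from its configuration or the stubdomain device model enabled.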
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-07-21 07:59:37 UTC
This is likely relevant for Qemu as well
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-07-27 12:06:11 UTC
Issue is now public
Comment 3 Doug Goldstein (RETIRED) gentoo-dev 2015-07-27 18:27:52 UTC
(In reply to Kristian Fiskerstrand from comment #1)
> This is likely relevant for Qemu as well

It's purely a qemu issue and not specific to Xen itself.
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-07-27 18:37:19 UTC
*** Bug 556050 has been marked as a duplicate of this bug. ***
Comment 5 Doug Goldstein (RETIRED) gentoo-dev 2015-07-27 19:34:08 UTC
addressed in qemu-2.3.0-r4
Comment 6 Yixun Lan archtester gentoo-dev 2015-07-30 01:30:09 UTC
+*xen-tools-4.5.1-r2 (30 Jul 2015)
+*xen-tools-4.2.5-r9 (30 Jul 2015)
+  30 Jul 2015; Yixun Lan <> +xen-tools-4.2.5-r9.ebuild,
+  +xen-tools-4.5.1-r2.ebuild:
+  security bump, bug 555532; bump ovmf to 2015/06/29, commit
+  cb9a7ebabcd6b8a49dc0854b2f9592d732b5afbd

Arches, please test and mark stable:
Target keywords Both: "amd64 x86"

Target keywords Only: "amd64"
Comment 7 Agostino Sarubbo gentoo-dev 2015-07-30 09:57:14 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-07-30 09:59:04 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 9 Yixun Lan archtester gentoo-dev 2015-07-31 03:12:27 UTC
+  31 Jul 2015; Yixun Lan <> -xen-tools-4.2.5-r8.ebuild,
+  -xen-tools-4.5.1-r1.ebuild:
+  clean vulnerable ebuild due to security bug #555532
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2015-12-31 03:42:00 UTC
Arches and Maintainer(s), Thank you for your work.

Added to an existing GLSA Request.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2016-04-05 07:00:51 UTC
This issue was resolved and addressed in
 GLSA 201604-03 at
by GLSA coordinator Yury German (BlueKnight).