Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 573816 (CVE-2016-2841) - <app-emulation/qemu-2.5.0-r3: net: ne2000: infinite loop in ne2000_receive (CVE-2016-2841)
Summary: <app-emulation/qemu-2.5.0-r3: net: ne2000: infinite loop in ne2000_receive (C...
Status: RESOLVED FIXED
Alias: CVE-2016-2841
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://lists.gnu.org/archive/html/qe...
Whiteboard: B3 [glsa cve]
Keywords:
: 576264 (view as bug list)
Depends on:
Blocks:
 
Reported: 2016-02-04 09:10 UTC by Agostino Sarubbo
Modified: 2016-09-26 00:36 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-02-04 09:10:58 UTC
From ${URL} :

Qemu emulator built with the NE2000 NIC emulation support is vulnerable to an infinite loop issue. 
It could occur when receiving packets over the network.

A privileged user inside guest could use this flaw to crash the Qemu instance resulting in DoS.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg00340.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2016-03-02 15:48:35 UTC
*** Bug 576264 has been marked as a duplicate of this bug. ***
Comment 2 SpanKY gentoo-dev 2016-03-23 04:21:45 UTC
fix is still under debate.  referenced patch is an incomplete fix.
Comment 3 Agostino Sarubbo gentoo-dev 2016-03-25 08:21:21 UTC
(In reply to SpanKY from comment #2)
> fix is still under debate.  referenced patch is an incomplete fix.

I didn't full understand.
Do you mean that this commit http://git.qemu.org/?p=qemu.git;a=commitdiff;h=415ab35a441eca767d033a2702223e785b9d5190 is an incomplete fix?
Comment 4 SpanKY gentoo-dev 2016-03-28 20:52:57 UTC
(In reply to Agostino Sarubbo from comment #3)

he posted:
>   Okay. Though I'm not sure if it's the right place for it, because more
> than buffer is full, it says buffer does not exist.

but if that's all they plan on merging for now, then i guess that's it.
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-29 00:26:58 UTC
@arches, please stabilize:

=app-emulation/qemu-2.5.0-r3
Comment 7 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-29 00:34:38 UTC
I apologize for the bug spam but a little more digging lead to a tested patch.

(In reply to SpanKY from comment #4)
> (In reply to Agostino Sarubbo from comment #3)
> 
> he posted:
> >   Okay. Though I'm not sure if it's the right place for it, because more
> > than buffer is full, it says buffer does not exist.
> 
> but if that's all they plan on merging for now, then i guess that's it.

@Mike, here is the tested patch for your review and implementation.  Thank you.

https://lists.gnu.org/archive/html/qemu-devel/2016-02/msg05546.html
Comment 8 SpanKY gentoo-dev 2016-03-29 00:47:24 UTC
(In reply to Aaron Bauman from comment #7)

that was the one Agostino & i were discussing and is already merged ...
Comment 9 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-29 01:21:24 UTC
(In reply to SpanKY from comment #8)
> (In reply to Aaron Bauman from comment #7)
> 
> that was the one Agostino & i were discussing and is already merged ...

My apologies.  I should have caught that.


@arches, please stabilize:

=app-emulation/qemu-2.5.0-r3
Comment 10 Agostino Sarubbo gentoo-dev 2016-03-29 08:20:51 UTC
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-03-29 08:21:38 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-06-11 11:31:25 UTC
@maintainers, please cleanup or let us know if there is more time needed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2016-07-01 00:24:50 UTC
CVE-2016-2841 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2841):
  The ne2000_receive function in the NE2000 NIC emulation support
  (hw/net/ne2000.c) in QEMU before 2.5.1 allows local guest OS administrators
  to cause a denial of service (infinite loop and QEMU process crash) via
  crafted values for the PSTART and PSTOP registers, involving ring buffer
  control.
Comment 14 Matthias Maier gentoo-dev 2016-09-05 05:31:17 UTC
commit 01e6cb9bcad3046a7223e31c4b533485d6ca0877
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Sun Sep 4 22:58:05 2016 -0500

    app-emulation/qemu: remove vulnerable 2.5.0
    
    Package-Manager: portage-2.2.28
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2016-09-26 00:36:23 UTC
This issue was resolved and addressed in
 GLSA 201609-01 at https://security.gentoo.org/glsa/201609-01
by GLSA coordinator Yury German (BlueKnight).