From https://bugzilla.redhat.com/show_bug.cgi?id=1337505: Quick Emulator(Qemu) built with the ESP/NCR53C9x controller emulation support is vulnerable to an OOB write access issue. The controller uses 16-byte FIFO buffer for command and data transfer. The OOB write occurs while writing to this command buffer in routine get_cmd(). A privileged user inside guest could use this flaw to crash the Qemu process resulting in DoS. Upstream patch: --------------- -> https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg03274.html Reference: ---------- -> http://www.openwall.com/lists/oss-security/2016/05/19/4 From https://bugzilla.redhat.com/show_bug.cgi?id=1337502: Quick Emulator(Qemu) built with the ESP/NCR53C9x controller emulation support is vulnerable to an OOB write access issue. The controller uses 16-byte FIFO buffer for command and data transfer. The OOB write occurs while writing to this command buffer in esp_reg_write(). A privileged user inside guest could use this flaw to crash the Qemu process resulting in DoS OR potentially leverage it to execute arbitrary code with privileges of the Qemu process on the host. Upstream patch: --------------- -> https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg03273.html Reference: ---------- -> http://www.openwall.com/lists/oss-security/2016/05/19/3 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
CVE-2016-4441 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4441): The get_cmd function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check DMA length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via unspecified vectors, involving an SCSI command. CVE-2016-4439 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4439): The esp_reg_write function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check command buffer length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or potentially execute arbitrary code on the QEMU host via unspecified vectors.
(In reply to GLSAMaker/CVETool Bot from comment #1) > CVE-2016-4441 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4441): > The get_cmd function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller > (FSC) support in QEMU does not properly check DMA length, which allows > local > guest OS administrators to cause a denial of service (out-of-bounds write > and QEMU process crash) via unspecified vectors, involving an SCSI command. > Upstream patch: http://git.qemu.org/?p=qemu.git;a=commit;h=6c1fef6b59563cc415f21e03f81539ed4b33ad90 > CVE-2016-4439 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4439): > The esp_reg_write function in hw/scsi/esp.c in the 53C9X Fast SCSI > Controller (FSC) support in QEMU does not properly check command buffer > length, which allows local guest OS administrators to cause a denial of > service (out-of-bounds write and QEMU process crash) or potentially execute > arbitrary code on the QEMU host via unspecified vectors. Upstream patch: http://git.qemu.org/?p=qemu.git;a=commit;h=c98c6c105f66f05aa0b7c1d2a4a3f716450907ef
Fixed in at least version 2.7.0. Stabilization of 2.7.0 in #592430 commit 671df1de7a8611d59307ffcd448af451c15003ed Author: Matthias Maier <tamiko@gentoo.org> Date: Sun Sep 4 23:25:32 2016 -0500 app-emulation/qemu: version bump to 2.7.0, various security fixes 3af9187fc6caaf415ab9c0c6d92c9678f65cb17f -> CVE-2016-4001, bug #579734 3a15cc0e1ee7168db0782133d2607a6bfa422d66 -> CVE-2016-4002, bug #579734 c98c6c105f66f05aa0b7c1d2a4a3f716450907ef -> CVE-2016-4439, bug #583496 6c1fef6b59563cc415f21e03f81539ed4b33ad90 -> CVE-2016-4441, bug #583496 06630554ccbdd25780aa03c3548aaff1eb56dffd -> , bug #583952 844864fbae66935951529408831c2f22367a57b6 -> CVE-2016-5337, bug #584094 b60bdd1f1ee1616b7a9aeeffb4088e1ce2710fb2 -> , bug #584102 1b85898025c4cd95dce673d15e67e60e98e91731 -> , bug #584146 521360267876d3b6518b328051a2e56bca55bef8 -> CVE-2016-4453, bug #584514 4e68a0ee17dad7b8d870df0081d4ab2e079016c2 -> CVE-2016-4454, bug #584514 a6b3167fa0e825aebb5a7cd8b437b6d41584a196 -> CVE-2016-5126, bug #584630 ff589551c8e8e9e95e211b9d8daafb4ed39f1aec -> CVE-2016-5338, bug #584918 d3cdc49138c30be1d3c2f83d18f85d9fdee95f1a -> CVE-2016-5238, bug #584918 1e7aed70144b4673fc26e73062064b6724795e5f -> , bug #589924 afd9096eb1882f23929f5b5c177898ed231bac66 -> CVE-2016-5403, bug #589928 eb700029c7836798046191d62d595363d92c84d4 -> CVE-2016-6835, bug #591244 ead315e43ea0c2ca3491209c6c8db8ce3f2bbe05 -> CVE-2016-6834, bug #591374 6c352ca9b4ee3e1e286ea9e8434bd8e69ac7d0d8 -> CVE-2016-6833, bug #591380 47882fa4975bf0b58dd74474329fdd7154e8f04c -> CVE-2016-6888, bug #591678 805b5d98c649d26fc44d2d7755a97f18e62b438a 56f101ecce0eafd09e2daf1c4eeb1377d6959261 fff39a7ad09da07ef490de05c92c91f22f8002f2 -> , bug #592430 Package-Manager: portage-2.2.28
Added to an existing GLSA Request.
This issue was resolved and addressed in GLSA 201609-01 at https://security.gentoo.org/glsa/201609-01 by GLSA coordinator Yury German (BlueKnight).
