Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 649616 (CVE-2018-7550) - <app-emulation/qemu-2.11.1-r1: i386: multiboot OOB access while loading kernel image
Summary: <app-emulation/qemu-2.11.1-r1: i386: multiboot OOB access while loading kerne...
Status: RESOLVED FIXED
Alias: CVE-2018-7550
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks: 651668
  Show dependency tree
 
Reported: 2018-03-05 09:22 UTC by Agostino Sarubbo
Modified: 2018-04-08 23:32 UTC (History)
1 user (show)

See Also:
Package list:
app-emulation/qemu-2.11.1-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2018-03-05 09:22:27 UTC
From ${URL} :

Quick Emulator(QEMU) built with the PC System Emulator with multiboot feature
support is vulnerable to an OOB r/w memory access issue. It could occur while
loading a kernel image during a guest boot if muliboot head addresses
mh_load_end_addr was greater than mh_bss_end_addr.

A user/process could use this flaw to potentially achieve arbitrary code
execution on a host.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2018-02/msg06890.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Larry the Git Cow gentoo-dev 2018-03-18 20:02:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=927222f7ee40d2289d759ea2bceee1cc68d81a32

commit 927222f7ee40d2289d759ea2bceee1cc68d81a32
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2018-03-18 19:33:04 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2018-03-18 20:01:50 +0000

    app-emulation/qemu: 2.11.1: apply security patches
    
         * disable capstone
         * apply patch for CVE-2018-7550
    
    Bug: https://bugs.gentoo.org/647570
    Bug: https://bugs.gentoo.org/649616
    
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 app-emulation/qemu/qemu-2.11.1-r1.ebuild | 805 +++++++++++++++++++++++++++++++
 1 file changed, 805 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=46d903c2665d2910a22d78656c5f7bafdf702135

commit 46d903c2665d2910a22d78656c5f7bafdf702135
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2018-03-18 19:08:44 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2018-03-18 20:01:49 +0000

    app-emulation/qemu: 2.11.1: New binary blob pinning, CVE patches, maintenance
    
     * new binary blobs pinning
        =sys-firmware/edk2-ovmf-2017_p20180211
        =sys-firmware/ipxe-1.0.0_p20180211
        =sys-firmware/seabios-1.11.0
        =sys-firmware/sgabios-0.1_pre8-r1
        =sys-firmware/vgabios-0.7a-r1
       keyword ebuild
    
     * fix include path for capstone, bug 647570
     * add USE=capstone support, bug 647570
    
     * apply patch for CVE-2018-7550
    
    Closes: https://bugs.gentoo.org/647570
    Bug: https://bugs.gentoo.org/649616
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 app-emulation/qemu/Manifest                                 |  1 +
 .../qemu/files/qemu-2.11.1-capstone_include_path.patch      | 11 +++++++++++
 app-emulation/qemu/metadata.xml                             |  1 +
 .../qemu/{qemu-2.11.1-r50.ebuild => qemu-2.11.1-r51.ebuild} | 13 ++++++-------
 4 files changed, 19 insertions(+), 7 deletions(-)}
Comment 2 Matthias Maier gentoo-dev 2018-03-18 20:17:01 UTC
Patch added to 2.11.1-r1. Arches, please stabilize.
Comment 3 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-03-19 08:12:09 UTC
amd64 stable
Comment 4 Thomas Deutschmann gentoo-dev Security 2018-03-29 14:54:10 UTC
x86 stable
Comment 5 Thomas Deutschmann gentoo-dev Security 2018-03-29 15:23:56 UTC
x86 stable
Comment 6 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-04-08 17:36:24 UTC
New GLSA Request filed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2018-04-08 23:32:33 UTC
This issue was resolved and addressed in
 GLSA 201804-08 at https://security.gentoo.org/glsa/201804-08
by GLSA coordinator Aaron Bauman (b-man).