Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#40358 - [qemu] Heap overflow on USB Stack
Attached to Project:
Arch Linux
Opened by Mark E. Lee (bluerider) - Wednesday, 14 May 2014, 13:49 GMT
Last edited by Tobias Powalowski (tpowa) - Thursday, 15 May 2014, 06:51 GMT
Description:
A Red Hat security member has posted information about a heap overflow in the qemu usb stack. See below for quoted message:

--------
Hello,

Correct post load checks:
1. dev->setup_len == sizeof(dev->data_buf) seems fine, no need to fail migration
2. When state is DATA, passing index > len will cause memcpy with negative length, resulting in heap overflow

A user able to alter the saved VM data (either on the disk or over the wire during migration) could use this flaw to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.

Upstream fix:
-------------
-> http://article.gmane.org/gmane.comp.emulators.qemu/272322

Thank you.
--
Prasad J Pandit / Red Hat Security Response Team
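The two post-load checks listed in the quoted message, written out as an added C example (not QEMU's code and not the upstream patch). The struct is a simplified stand-in for the fields the message names; the 4096-byte buffer size and the function names are assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the migrated fields (assumption, not QEMU's layout). */
#define DATA_BUF_SIZE 4096

struct usb_saved_state {
    int32_t setup_len;    /* total bytes in the control transfer */
    int32_t setup_index;  /* bytes already transferred */
    uint8_t data_buf[DATA_BUF_SIZE];
};

/* Post-load validation of untrusted saved state.
 * Check 1: setup_len == sizeof(data_buf) is legal, only larger values fail.
 * Check 2: setup_index > setup_len is rejected. */
int usb_state_post_load(const struct usb_saved_state *s)
{
    if (s->setup_index < 0 || s->setup_len < 0 ||
        s->setup_index > s->setup_len ||
        (size_t)s->setup_len > sizeof(s->data_buf)) {
        return -EINVAL;
    }
    return 0;
}

/* DATA-stage copy of the remaining bytes. Without the validation above,
 * setup_len - setup_index goes negative and becomes a huge size_t in memcpy. */
int usb_copy_data_stage(struct usb_saved_state *s, uint8_t *out, size_t want)
{
    if (usb_state_post_load(s) != 0) {
        return -EINVAL;
    }
    size_t remaining = (size_t)(s->setup_len - s->setup_index);
    size_t n = want < remaining ? want : remaining;
    memcpy(out, s->data_buf + s->setup_index, n);
    s->setup_index += (int32_t)n;
    return (int)n;
}

int main(void)
{
    /* Constructed sample: index one past len, as in check 2. */
    static struct usb_saved_state s = { .setup_len = 8, .setup_index = 9 };
    printf("post_load on tampered state: %d\n", usb_state_post_load(&s));
    return 0;
}
```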
Closed by Tobias Powalowski (tpowa)
Thursday, 15 May 2014, 06:51 GMT
Reason for closing: Fixed
Additional comments about closing: 2.0.0-3