FS#44954 - [qemu] CVE-2015-3456 fdc: out-of-bounds fifo buffer memory access.

Attached to Project: Arch Linux
Opened by Andrey (Gendalf) - Wednesday, 13 May 2015, 19:43 GMT
Last edited by Allan McRae (Allan) - Thursday, 14 May 2015, 11:36 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Tobias Powalowski (tpowa)
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:

An out-of-bounds memory access flaw was found in the way QEMU's virtual Floppy Disk Controller (FDC) handled FIFO buffer access while processing certain FDC commands. A privileged guest user could use this flaw to crash the guest or, potentially, execute arbitrary code on the host with the privileges of the host's QEMU process corresponding to the guest. This issue affects all x86 and x86-64 based HVM Xen and QEMU/KVM/Xen guests.

https://securityblog.redhat.com/2015/05/13/venom-dont-get-bitten
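To make the bug class concrete, here is a simplified C model of the FDC data FIFO, added as an illustration (it is not QEMU's code and not part of this report). It contrasts an index that is trusted as-is with one reduced modulo the buffer size, which is the approach taken by the upstream commit referenced in the comments; the 512-byte buffer size matches QEMU's FD_SECTOR_LEN, and the byte values fed in are constructed test input.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FD_SECTOR_LEN 512   /* size of the controller's data FIFO, as in QEMU */

/* Minimal model of the controller state the FIFO code touches. */
typedef struct {
    uint8_t  fifo[FD_SECTOR_LEN];
    uint32_t data_pos;   /* index of the next FIFO byte to transfer */
} FDCtrl;

typedef int (*fifo_write_fn)(FDCtrl *, uint8_t);

/* Unchecked pattern: data_pos is trusted as an index, so once more bytes
 * have arrived than the buffer holds, the next write lands past fifo[].
 * The guard exists only so this model can count such writes instead of
 * corrupting its own memory. */
static int fifo_write_unchecked(FDCtrl *f, uint8_t value)
{
    if (f->data_pos >= FD_SECTOR_LEN) {
        return -1;                  /* would be an out-of-bounds write */
    }
    f->fifo[f->data_pos++] = value;
    return 0;
}

/* Hardened pattern: the index is reduced modulo the buffer size before
 * use, so every access stays inside fifo[] however many bytes arrive.
 * This mirrors the upstream fix cited in the comments below. */
static int fifo_write_bounded(FDCtrl *f, uint8_t value)
{
    uint32_t pos = f->data_pos++;
    pos %= FD_SECTOR_LEN;
    f->fifo[pos] = value;
    return 0;
}

/* Drive n bytes through one write routine. Constructed input: each byte's
 * value is the number of the pass over the buffer it belongs to (1, 2, ...).
 * Returns how many writes the routine refused; 0 means all stayed in bounds. */
static int feed_bytes(FDCtrl *f, fifo_write_fn write, size_t n)
{
    int refused = 0;
    memset(f, 0, sizeof *f);
    for (size_t i = 0; i < n; i++) {
        if (write(f, (uint8_t)(i / FD_SECTOR_LEN + 1)) != 0) {
            refused++;
        }
    }
    return refused;
}
```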


Closed by Allan McRae (Allan)
Thursday, 14 May 2015, 11:36 GMT
Reason for closing: Fixed
Additional comments about closing: 2.3.0-2, 2.2.1-5
Comment by Levente Polyak (anthraxx) - Wednesday, 13 May 2015, 22:59 GMT
This also affects all release versions (including 2.3.x in testing).
This vulnerability allows VM escape and arbitrary code execution on the host system.

Please apply the following upstream patch for mitigation:
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c
Comment by Mark E. Lee (bluerider) - Thursday, 14 May 2015, 01:28 GMT
Strange that we only have mention of this now. I thought Arch was subscribed to the OSS-security distros list. They should've known since 4/30/2015.
Comment by Allan McRae (Allan) - Thursday, 14 May 2015, 07:55 GMT
I have known since 2015/04/30, but it was embargoed, preventing an update until it was officially released.

The 2.3.0-2 package in [testing] has the fix. I don't know why it was in [testing] to judge whether it is worth rebuilding the package in [extra] too.
