
Re: [Qemu-devel] [Qemu-stable] [PULL 0/3] Cve 2015 5154 patches


From: Stefan Priebe - Profihost AG
Subject: Re: [Qemu-devel] [Qemu-stable] [PULL 0/3] Cve 2015 5154 patches
Date: Mon, 27 Jul 2015 15:25:18 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.8.0

On 27.07.2015 at 14:28, John Snow wrote:
> 
> 
> On 07/27/2015 08:10 AM, Stefan Priebe - Profihost AG wrote:
>>
>> On 27.07.2015 at 14:01, John Snow wrote:
>>> The following changes since commit f793d97e454a56d17e404004867985622ca1a63b:
>>>
>>>   Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
>>> staging (2015-07-24 13:07:10 +0100)
>>>
>>> are available in the git repository at:
>>>
>>>   https://github.com/jnsnow/qemu.git tags/cve-2015-5154-pull-request
>>
>> Any details on this CVE? Is RCE possible? Only if IDE is used?
>>
>> Stefan
>>
> 
> It's a heap overflow. The most likely outcome is a segfault, but the
> guest is allowed to continue writing past the end of the PIO buffer at
> its leisure. This makes it similar to CVE-2015-3456.
> 
> This CVE can be mitigated unlike CVE-2015-3456 by just removing the
> CD-ROM drive until the patch can be applied.

Thanks. The seclist article explicitly references xen. So it does not
apply to qemu/kvm? Sorry for asking maybe stupid questions.

Stefan

>>> for you to fetch changes up to cb72cba83021fa42719e73a5249c12096a4d1cfc:
>>>
>>>   ide: Clear DRQ after handling all expected accesses (2015-07-26 23:42:53 
>>> -0400)
>>>
>>> ----------------------------------------------------------------
>>>
>>> ----------------------------------------------------------------
>>>
>>> Kevin Wolf (3):
>>>   ide: Check array bounds before writing to io_buffer (CVE-2015-5154)
>>>   ide/atapi: Fix START STOP UNIT command completion
>>>   ide: Clear DRQ after handling all expected accesses
>>>
>>>  hw/ide/atapi.c |  1 +
>>>  hw/ide/core.c  | 32 ++++++++++++++++++++++++++++----
>>>  2 files changed, 29 insertions(+), 4 deletions(-)
>>>
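The bug class John Snow describes above (a guest continuing to write past the end of the PIO buffer) and the two fixes named in the series titles (check the array bounds before writing to io_buffer; clear DRQ after handling all expected accesses) are easy to see in a small model. The following is an added illustration written for this page, not QEMU's code and not the patch in this pull request; the type and function names (ToyIdeState, toy_*) and the buffer sizes are invented for the model and do not correspond to hw/ide/core.c.

```c
/*
 * Added illustration, not QEMU's code: a toy IDE PIO data register that
 * shows an unchecked 16-bit write beside the hardened form (bounds check
 * before touching io_buffer, DRQ cleared once the expected bytes are in).
 * All names here are invented for the model.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IO_BUFFER_SIZE 64u   /* toy size; QEMU's buffer is far larger */
#define GUARD_SIZE     32u   /* stands in for heap memory after io_buffer */
#define GUARD_BYTE     0xAA
#define DRQ_STAT       0x08  /* ATA status "data request" bit */

typedef struct {
    /* io_buffer is mem[0 .. IO_BUFFER_SIZE); the guard region follows it
     * in the same array so an overrun stays observable and the pointer
     * arithmetic below remains well defined. */
    uint8_t mem[IO_BUFFER_SIZE + GUARD_SIZE];
    uint8_t *data_ptr;   /* next byte the guest will write */
    uint8_t *data_end;   /* one past the last expected byte */
    uint8_t status;
    unsigned dropped;    /* writes rejected by the bounds check */
} ToyIdeState;

static ToyIdeState demo_state;   /* shared by main() and the checks */

/* Begin a PIO transfer of `len` bytes (len <= IO_BUFFER_SIZE), raise DRQ. */
static void toy_transfer_start(ToyIdeState *s, size_t len)
{
    memset(s->mem, 0, IO_BUFFER_SIZE);
    memset(s->mem + IO_BUFFER_SIZE, GUARD_BYTE, GUARD_SIZE);
    s->data_ptr = s->mem;
    s->data_end = s->mem + len;
    s->status = DRQ_STAT;
    s->dropped = 0;
}

/* Defective pattern: the write is unconditional and DRQ is never cleared,
 * so a guest that keeps writing walks data_ptr off the end of io_buffer. */
static void toy_data_writew_unchecked(ToyIdeState *s, uint16_t val)
{
    uint8_t *p = s->data_ptr;
    p[0] = (uint8_t)(val & 0xff);
    p[1] = (uint8_t)(val >> 8);
    s->data_ptr = p + 2;
}

/* Hardened pattern: drop a write that would not fit before data_end or that
 * arrives with no transfer in progress; clear DRQ after the last expected
 * word so the device stops accepting data. */
static void toy_data_writew_checked(ToyIdeState *s, uint16_t val)
{
    uint8_t *p = s->data_ptr;
    if (!(s->status & DRQ_STAT) || p + 2 > s->data_end) {
        s->dropped++;
        return;
    }
    p[0] = (uint8_t)(val & 0xff);
    p[1] = (uint8_t)(val >> 8);
    s->data_ptr = p + 2;
    if (s->data_ptr >= s->data_end) {
        s->status &= ~DRQ_STAT;   /* all expected accesses handled */
    }
}

/* Returns 1 if the guard region after io_buffer is untouched, else 0. */
static int toy_guard_intact(const ToyIdeState *s)
{
    for (size_t i = IO_BUFFER_SIZE; i < sizeof s->mem; i++) {
        if (s->mem[i] != GUARD_BYTE) {
            return 0;
        }
    }
    return 1;
}

/* Start a transfer expecting `expected` bytes, feed it `words` 16-bit writes
 * through `writew`, and report whether the guard survived. `words` stays
 * below (IO_BUFFER_SIZE + GUARD_SIZE) / 2 so the model never leaves mem. */
static int toy_run(ToyIdeState *s, void (*writew)(ToyIdeState *, uint16_t),
                   size_t expected, unsigned words)
{
    toy_transfer_start(s, expected);
    for (unsigned i = 0; i < words; i++) {
        writew(s, (uint16_t)(0x4100u + i));   /* constructed guest data */
    }
    return toy_guard_intact(s);
}

int main(void)
{
    /* The transfer expects 64 bytes; the guest sends 40 words (80 bytes). */
    printf("unchecked: guard %s\n",
           toy_run(&demo_state, toy_data_writew_unchecked, IO_BUFFER_SIZE, 40)
               ? "intact" : "overwritten");
    printf("checked:   guard %s, %u writes dropped, DRQ %s\n",
           toy_run(&demo_state, toy_data_writew_checked, IO_BUFFER_SIZE, 40)
               ? "intact" : "overwritten",
           demo_state.dropped, (demo_state.status & DRQ_STAT) ? "set" : "clear");
    return 0;
}
```

With the unchecked register the guard bytes after the buffer are overwritten; with the checked one the 32 expected words land in io_buffer, DRQ drops, and the eight surplus writes are discarded. The two conditions in the hardened write map onto the two patch titles: the `p + 2 > data_end` test is the bounds check, and clearing DRQ at `data_ptr >= data_end` is what stops the device from accepting accesses it no longer expects.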