From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:38908) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ZJj1k-0001Gm-Ir for qemu-devel@nongnu.org; Mon, 27 Jul 2015 10:05:13 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ZJj1h-00036l-BR for qemu-devel@nongnu.org; Mon, 27 Jul 2015 10:05:12 -0400
Received: from mx-v6.kamp.de ([2a02:248:0:51::16]:36639 helo=mx01.kamp.de) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ZJj1h-000344-0L for qemu-devel@nongnu.org; Mon, 27 Jul 2015 10:05:09 -0400
Message-ID: <55B63A8C.6050003@kamp.de>
Date: Mon, 27 Jul 2015 16:05:00 +0200
From: Peter Lieven
MIME-Version: 1.0
References: <1437998503-1865-1-git-send-email-jsnow@redhat.com> <55B61FC0.9000706@profihost.ag> <55B623E9.40201@redhat.com> <55B6313E.6010302@profihost.ag> <20150727133851.GB4889@noname.redhat.com> <55B63643.4010407@kamp.de> <20150727135459.GC4889@noname.redhat.com>
In-Reply-To: <20150727135459.GC4889@noname.redhat.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [Qemu-stable] [PULL 0/3] Cve 2015 5154 patches
To: Kevin Wolf
Cc: peter.maydell@linaro.org, qemu-stable@nongnu.org, John Snow, qemu-devel@nongnu.org, Stefan Priebe - Profihost AG

On 27.07.2015 at 15:54, Kevin Wolf wrote:
> On 27.07.2015 at 15:46, Peter Lieven wrote:
>> On 27.07.2015 at 15:38, Kevin Wolf wrote:
>>> On 27.07.2015 at 15:25, Stefan Priebe - Profihost AG wrote:
>>>> On 27.07.2015 at 14:28, John Snow wrote:
>>>>> On 07/27/2015 08:10 AM, Stefan Priebe - Profihost AG wrote:
>>>>>> On 27.07.2015 at 14:01, John Snow wrote:
>>>>>>> The following changes since commit f793d97e454a56d17e404004867985622ca1a63b:
>>>>>>>
>>>>>>>   Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging (2015-07-24 13:07:10 +0100)
>>>>>>>
>>>>>>> are available in the git repository at:
>>>>>>>
>>>>>>>   https://github.com/jnsnow/qemu.git tags/cve-2015-5154-pull-request
>>>>>>
>>>>>> Any details on this CVE? Is RCE possible? Only if IDE is used?
>>>>>>
>>>>>> Stefan
>>>>>
>>>>> It's a heap overflow. The most likely outcome is a segfault, but the
>>>>> guest is allowed to continue writing past the end of the PIO buffer at
>>>>> its leisure. This makes it similar to CVE-2015-3456.
>>>>>
>>>>> This CVE can be mitigated unlike CVE-2015-3456 by just removing the
>>>>> CD-ROM drive until the patch can be applied.
>>>>
>>>> Thanks. The seclist article explicitly references Xen. So it does not
>>>> apply to qemu/kvm? Sorry for asking maybe stupid questions.
>>>
>>> The IDE emulation is shared between Xen and KVM, so both are affected.
>>> The reason why the seclist mail only mentions Xen is probably because
>>> the Xen security team posted it.
>>>
>>> Meanwhile there is also a Red Hat CVE page available, which mentions
>>> qemu-kvm: https://access.redhat.com/security/cve/CVE-2015-5154
>>
>> The Red Hat advisory says that some Red Hat versions are not affected
>> "because they did not backport the upstream commit that introduced this issue".
>>
>> Can you point out which commit exactly introduced the issue?
>
> That's the commit that introduced the code fixed in patch 2: Commit
> ce560dcf ('ATAPI: STARTSTOPUNIT only eject/load media if powercondition
> is 0').

Okay, so as far as I can see this is in any Qemu >= 1.3.0.

Peter