From: Kevin Wolf <kwolf@redhat.com>
To: Stefan Priebe - Profihost AG <s.priebe@profihost.ag>
Cc: peter.maydell@linaro.org, John Snow <jsnow@redhat.com>,
	qemu-devel@nongnu.org, qemu-stable@nongnu.org
Subject: Re: [Qemu-devel] [Qemu-stable] [PULL 0/3] Cve 2015 5154 patches
Date: Mon, 27 Jul 2015 15:38:51 +0200
Message-ID: <20150727133851.GB4889@noname.redhat.com>
In-Reply-To: <55B6313E.6010302@profihost.ag>

On 27.07.2015 at 15:25, Stefan Priebe - Profihost AG wrote:
> 
> On 27.07.2015 at 14:28, John Snow wrote:
> > 
> > 
> > On 07/27/2015 08:10 AM, Stefan Priebe - Profihost AG wrote:
> >>
> >> On 27.07.2015 at 14:01, John Snow wrote:
> >>> The following changes since commit f793d97e454a56d17e404004867985622ca1a63b:
> >>>
> >>>   Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging (2015-07-24 13:07:10 +0100)
> >>>
> >>> are available in the git repository at:
> >>>
> >>>   https://github.com/jnsnow/qemu.git tags/cve-2015-5154-pull-request
> >>
> >> Any details on this CVE? Is RCE possible? Only if IDE is used?
> >>
> >> Stefan
> >>
> > 
> > It's a heap overflow. The most likely outcome is a segfault, but the
> > guest is allowed to continue writing past the end of the PIO buffer at
> > its leisure. This makes it similar to CVE-2015-3456.
> > 
> > This CVE can be mitigated unlike CVE-2015-3456 by just removing the
> > CD-ROM drive until the patch can be applied.
> 
> Thanks. The seclist article explicitly references Xen. So it does not
> apply to qemu/kvm? Sorry for asking maybe stupid questions.

The IDE emulation is shared between Xen and KVM, so both are affected.
The reason why the seclist mail only mentions Xen is probably because
the Xen security team posted it.

Meanwhile there is also a Red Hat CVE page available, which mentions
qemu-kvm: https://access.redhat.com/security/cve/CVE-2015-5154

Kevin
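As an added illustration (not code from this thread and not QEMU's hw/ide code), the toy model below shows the class of bug John describes above: a guest keeps writing to the PIO data port after the expected bytes of an ATAPI transfer have arrived, and the only thing gating the write is the DRQ status bit. The two defences it can switch on correspond to the titles of the first and third patches in this pull request (check array bounds before writing to the buffer; clear DRQ after handling all expected accesses), and the model shows that either one alone is enough to stop the overrun. All struct and function names (toy_ide, toy_data_writew, toy_run, ...), the buffer sizes, the DRQ bit value and the canary pattern are invented for the example; the bytes after the modelled io_buffer stand in for whatever would follow it on the heap, so the overrun is counted instead of actually corrupting memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IO_BUFFER_LEN 32        /* bytes the emulated device really owns (made up) */
#define BACKING_LEN   64        /* io_buffer plus bytes standing in for the heap */
#define CANARY        0xAA      /* fill pattern used to detect an overrun */
#define DRQ_STAT      0x08      /* "data request" bit of the ATA status register */

/* Which of the two fixes to model (0 = vulnerable behaviour). */
#define TOY_BOUNDS_CHECK 1      /* check data_ptr against data_end before writing */
#define TOY_CLEAR_DRQ    2      /* clear DRQ once the expected bytes have arrived */

struct toy_ide {
    uint8_t backing[BACKING_LEN];   /* backing[0..IO_BUFFER_LEN) is "io_buffer" */
    size_t  data_ptr;               /* offset of the next PIO access */
    size_t  data_end;               /* one past the last byte of this transfer */
    uint8_t status;
    int     fixes;
};

/* Set up a PIO transfer in which the guest owes `expected` bytes of data. */
static void toy_start_transfer(struct toy_ide *s, size_t expected, int fixes)
{
    memset(s->backing, CANARY, sizeof s->backing);
    s->data_ptr = 0;
    s->data_end = expected;
    s->status   = DRQ_STAT;         /* tell the guest it may send data */
    s->fixes    = fixes;
}

/* Transfer-complete callback. Only the fixed variant drops DRQ; the
 * vulnerable model leaves it set, so the data port stays open. */
static void toy_end_transfer(struct toy_ide *s)
{
    if (s->fixes & TOY_CLEAR_DRQ) {
        s->status &= (uint8_t)~DRQ_STAT;
    }
}

/* Guest writes one 16-bit word to the data port. */
static void toy_data_writew(struct toy_ide *s, uint16_t val)
{
    size_t p;

    if (!(s->status & DRQ_STAT)) {
        return;                     /* the only gate the vulnerable model has */
    }
    p = s->data_ptr;
    if ((s->fixes & TOY_BOUNDS_CHECK) && p + 2 > s->data_end) {
        return;                     /* refuse to write past the expected end */
    }
    if (p + 2 > BACKING_LEN) {
        return;                     /* keeps the model itself memory safe */
    }
    s->backing[p]     = (uint8_t)(val & 0xff);
    s->backing[p + 1] = (uint8_t)(val >> 8);
    p += 2;
    s->data_ptr = p;
    if (p >= s->data_end) {
        toy_end_transfer(s);
    }
}

/* Count bytes written beyond the modelled io_buffer (0 means no overrun). */
static size_t toy_overrun_bytes(const struct toy_ide *s)
{
    size_t i, n = 0;
    for (i = IO_BUFFER_LEN; i < BACKING_LEN; i++) {
        if (s->backing[i] != CANARY) {
            n++;
        }
    }
    return n;
}

/* Drive a guest that sends `words` words when only `expected` bytes are due;
 * returns how many bytes landed past io_buffer. */
size_t toy_run(int fixes, size_t expected, size_t words)
{
    struct toy_ide s;
    size_t i;
    toy_start_transfer(&s, expected, fixes);
    for (i = 0; i < words; i++) {
        toy_data_writew(&s, 0x4141);
    }
    return toy_overrun_bytes(&s);
}

int main(void)
{
    printf("vulnerable:        %zu bytes past io_buffer\n", toy_run(0, 12, 40));
    printf("bounds check only: %zu bytes past io_buffer\n", toy_run(TOY_BOUNDS_CHECK, 12, 40));
    printf("clear DRQ only:    %zu bytes past io_buffer\n", toy_run(TOY_CLEAR_DRQ, 12, 40));
    printf("both fixes:        %zu bytes past io_buffer\n",
           toy_run(TOY_BOUNDS_CHECK | TOY_CLEAR_DRQ, 12, 40));
    return 0;
}
```

With no fix, a guest that owes 12 bytes but sends 40 words fills the whole backing array, so 32 bytes land past the modelled io_buffer; with either fix the count is 0, which is also why John's point about DRQ matters: clearing it closes the data port even where a bounds check is missing, while the bounds check protects the buffer even if some path leaves DRQ set. The mitigation of detaching the CD-ROM removes the ATAPI command path that exposes this transfer in the first place.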

Thread overview: 13+ messages
2015-07-27 12:01 [Qemu-devel] [PULL 0/3] Cve 2015 5154 patches John Snow
2015-07-27 12:01 ` [Qemu-devel] [PULL 1/3] ide: Check array bounds before writing to io_buffer (CVE-2015-5154) John Snow
2015-07-27 12:01 ` [Qemu-devel] [PULL 2/3] ide/atapi: Fix START STOP UNIT command completion John Snow
2015-07-27 12:01 ` [Qemu-devel] [PULL 3/3] ide: Clear DRQ after handling all expected accesses John Snow
2015-07-27 12:10 ` [Qemu-devel] [Qemu-stable] [PULL 0/3] Cve 2015 5154 patches Stefan Priebe - Profihost AG
2015-07-27 12:28   ` John Snow
2015-07-27 13:25     ` Stefan Priebe - Profihost AG
2015-07-27 13:38       ` Kevin Wolf [this message]
2015-07-27 13:46         ` Peter Lieven
2015-07-27 13:54           ` Kevin Wolf
2015-07-27 14:05             ` Peter Lieven
2015-07-27 12:34   ` John Snow
2015-07-27 13:44 ` [Qemu-devel] " Peter Maydell
