From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:35555)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <kwolf@redhat.com>) id 1ZJirv-0001W1-Jb
	for qemu-devel@nongnu.org; Mon, 27 Jul 2015 09:55:08 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <kwolf@redhat.com>) id 1ZJiru-0006sO-Ha
	for qemu-devel@nongnu.org; Mon, 27 Jul 2015 09:55:03 -0400
Date: Mon, 27 Jul 2015 15:54:59 +0200
From: Kevin Wolf <kwolf@redhat.com>
Message-ID: <20150727135459.GC4889@noname.redhat.com>
References: <1437998503-1865-1-git-send-email-jsnow@redhat.com>
	<55B61FC0.9000706@profihost.ag> <55B623E9.40201@redhat.com>
	<55B6313E.6010302@profihost.ag>
	<20150727133851.GB4889@noname.redhat.com>
	<55B63643.4010407@kamp.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <55B63643.4010407@kamp.de>
Subject: Re: [Qemu-devel] [Qemu-stable]   [PULL 0/3] Cve 2015 5154 patches
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Peter Lieven <pl@kamp.de>
Cc: peter.maydell@linaro.org, qemu-stable@nongnu.org, John Snow <jsnow@redhat.com>, qemu-devel@nongnu.org, Stefan Priebe - Profihost AG <s.priebe@profihost.ag>

Am 27.07.2015 um 15:46 hat Peter Lieven geschrieben:
> Am 27.07.2015 um 15:38 schrieb Kevin Wolf:
> 
>     Am 27.07.2015 um 15:25 hat Stefan Priebe - Profihost AG geschrieben:
> 
>         Am 27.07.2015 um 14:28 schrieb John Snow:
> 
> 
>             On 07/27/2015 08:10 AM, Stefan Priebe - Profihost AG wrote:
> 
>                 Am 27.07.2015 um 14:01 schrieb John Snow:
> 
>                     The following changes since commit f793d97e454a56d17e404004867985622ca1a63b:
> 
>                       Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging (2015-07-24 13:07:10 +0100)
> 
>                     are available in the git repository at:
> 
>                       https://github.com/jnsnow/qemu.git tags/cve-2015-5154-pull-request
> 
>                 Any details on this CVE? Is RCE possible? Only if IDE is used?
> 
>                 Stefan
> 
> 
>             It's a heap overflow. The most likely outcome is a segfault, but the
>             guest is allowed to continue writing past the end of the PIO buffer at
>             its leisure. This makes it similar to CVE-2015-3456.
> 
>             This CVE can be mitigated unlike CVE-2015-3456 by just removing the
>             CD-ROM drive until the patch can be applied.
> 
>         Thanks. The seclist article explicitly references xen. So it does not
>         apply to qemu/kvm? Sorry for asking may be stupid questions.
> 
>     The IDE emulation is shared between Xen and KVM, so both are affected.
>     The reason why the seclist mail only mentions Xen is probably because
>     the Xen security team posted it.
> 
>     Meanwhile there is also a Red Hat CVE page available, which mentions
>     qemu-kvm: https://access.redhat.com/security/cve/CVE-2015-5154
> 
> 
> The redhat advisory says that some Redhat versions are not affected
> "because they did not backport the upstream commit that introduced this issue
> ".
> 
> Can you point out which commit exactly introduced the issue?

That's the commit that introduced the code fixed in patch 2: Commit
ce560dcf ('ATAPI: STARTSTOPUNIT only eject/load media if powercondition
is 0').

Kevin