From: Stefan Priebe - Profihost AG
Date: Mon, 27 Jul 2015 15:25:18 +0200
Message-ID: <55B6313E.6010302@profihost.ag>
In-Reply-To: <55B623E9.40201@redhat.com>
References: <1437998503-1865-1-git-send-email-jsnow@redhat.com> <55B61FC0.9000706@profihost.ag> <55B623E9.40201@redhat.com>
Subject: Re: [Qemu-devel] [Qemu-stable] [PULL 0/3] Cve 2015 5154 patches
To: John Snow, qemu-devel@nongnu.org
Cc: peter.maydell@linaro.org, qemu-stable@nongnu.org

On 27.07.2015 at 14:28, John Snow wrote:
>
>
> On 07/27/2015 08:10 AM, Stefan Priebe - Profihost AG wrote:
>>
>> On 27.07.2015 at 14:01, John Snow wrote:
>>> The following changes since commit f793d97e454a56d17e404004867985622ca1a63b:
>>>
>>>   Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging (2015-07-24 13:07:10 +0100)
>>>
>>> are available in the git repository at:
>>>
>>>   https://github.com/jnsnow/qemu.git tags/cve-2015-5154-pull-request
>>
>> Any details on this CVE? Is RCE possible? Only if IDE is used?
>>
>> Stefan
>>
>
> It's a heap overflow. The most likely outcome is a segfault, but the
> guest is allowed to continue writing past the end of the PIO buffer at
> its leisure. This makes it similar to CVE-2015-3456.
>
> This CVE can be mitigated unlike CVE-2015-3456 by just removing the
> CD-ROM drive until the patch can be applied.

Thanks. The seclist article explicitly references Xen. So it does not apply to QEMU/KVM? Sorry for asking maybe stupid questions.

Stefan

>>> for you to fetch changes up to cb72cba83021fa42719e73a5249c12096a4d1cfc:
>>>
>>>   ide: Clear DRQ after handling all expected accesses (2015-07-26 23:42:53 -0400)
>>>
>>> ----------------------------------------------------------------
>>>
>>> ----------------------------------------------------------------
>>>
>>> Kevin Wolf (3):
>>>       ide: Check array bounds before writing to io_buffer (CVE-2015-5154)
>>>       ide/atapi: Fix START STOP UNIT command completion
>>>       ide: Clear DRQ after handling all expected accesses
>>>
>>>  hw/ide/atapi.c |  1 +
>>>  hw/ide/core.c  | 32 ++++++++++++++++++++++++++++----
>>>  2 files changed, 29 insertions(+), 4 deletions(-)
>>>
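The two defensive properties named in the pull request above, a bounds check before any write into the PIO buffer and clearing DRQ once all expected accesses have happened, are shown below in a small standalone C model. This is an added example written for this thread, not QEMU's hw/ide code; the `PioDevice` struct, the `IO_BUFFER_SIZE` value, the `pio_*` functions and the scenario helpers are all constructed for illustration. The only real constant is the ATA status DRQ bit (0x08).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical device model (constructed, not QEMU code): a fixed PIO
 * buffer plus the pointers that bound the transfer the guest was told
 * to perform. */
#define IO_BUFFER_SIZE 2048   /* constructed size for this example */
#define STATUS_DRQ     0x08   /* Data Request bit of the ATA status register */

typedef struct {
    uint8_t  io_buffer[IO_BUFFER_SIZE];
    uint8_t *data_ptr;          /* next byte the guest will write */
    uint8_t *data_end;          /* one past the last byte of this transfer */
    uint8_t  status;
    size_t   overrun_attempts;  /* rejected out-of-bounds writes (for logging) */
} PioDevice;

typedef enum { PIO_OK, PIO_COMPLETE, PIO_REJECTED, PIO_NOT_READY } PioResult;

/* Arm a transfer of `len` bytes and raise DRQ. Refuses anything that
 * would not fit in io_buffer, so data_end can never point past it. */
bool pio_start_transfer(PioDevice *d, size_t len) {
    if (len > IO_BUFFER_SIZE) {
        return false;
    }
    d->data_ptr = d->io_buffer;
    d->data_end = d->io_buffer + len;
    d->status |= STATUS_DRQ;
    return true;
}

/* Guest write to the data register. The check compares `n` against the
 * remaining space (never computes data_ptr + n first), and DRQ is dropped
 * both on completion and on an overrun, so the guest cannot keep writing. */
PioResult pio_data_write(PioDevice *d, const uint8_t *src, size_t n) {
    if (!(d->status & STATUS_DRQ)) {
        return PIO_NOT_READY;            /* no transfer armed: ignore the write */
    }
    size_t remaining = (size_t)(d->data_end - d->data_ptr);
    if (n > remaining) {
        d->overrun_attempts++;
        d->status &= ~STATUS_DRQ;        /* abort instead of overflowing */
        return PIO_REJECTED;
    }
    memcpy(d->data_ptr, src, n);
    d->data_ptr += n;
    if (d->data_ptr == d->data_end) {
        d->status &= ~STATUS_DRQ;        /* all expected accesses done */
        return PIO_COMPLETE;
    }
    return PIO_OK;
}

/* Scenario 1: a 512-byte transfer fed as two 256-byte chunks. Returns the
 * DRQ bit after the transfer (expected 0) or -1 on any unexpected result. */
int scenario_expected_accesses(void) {
    PioDevice d = {0};
    uint8_t chunk[256];
    memset(chunk, 0xAB, sizeof chunk);                     /* constructed data */
    if (!pio_start_transfer(&d, 512)) return -1;
    if (pio_data_write(&d, chunk, 256) != PIO_OK) return -1;
    if (pio_data_write(&d, chunk, 256) != PIO_COMPLETE) return -1;
    if (pio_data_write(&d, chunk, 256) != PIO_NOT_READY) return -1;
    return d.status & STATUS_DRQ;
}

/* Scenario 2: the guest offers more bytes than were armed. Returns the
 * overrun count (expected 1) after verifying nothing was written at all. */
int scenario_overrun(void) {
    PioDevice d = {0};
    uint8_t big[1024];
    memset(big, 0xCD, sizeof big);                         /* constructed data */
    if (!pio_start_transfer(&d, 512)) return -1;
    if (pio_data_write(&d, big, sizeof big) != PIO_REJECTED) return -1;
    if (d.status & STATUS_DRQ) return -1;                  /* transfer aborted */
    for (size_t i = 0; i < IO_BUFFER_SIZE; i++) {
        if (d.io_buffer[i] != 0x00) return -1;             /* buffer untouched */
    }
    return (int)d.overrun_attempts;
}

int main(void) {
    printf("DRQ after expected accesses: %d\n", scenario_expected_accesses());
    printf("rejected overruns: %d\n", scenario_overrun());
    return 0;
}
```

The point of the model is the ordering: the size comparison happens before the copy and is done on the remaining byte count rather than on a pointer that might already be past the end, and DRQ is cleared as soon as the armed transfer is satisfied, which is the condition the third patch in the series restores.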