Bug 201064

Summary: emulators/qemu: Heap overflow in QEMU PCNET controller, allowing guest->host escape (CVE-2015-3209)
Product: Ports & Packages
Reporter: Kubilay Kocak <koobs>
Component: Individual Port(s)
Assignee: Juergen Lock <nox>
Status: Closed FIXED
Severity: Affects Many People
CC: ports-secteam, sbruno
Priority: ---
Keywords: needs-patch, needs-qa, security
Version: Latest
Flags: nox: maintainer-feedback+, koobs: merge-quarterly?
Hardware: Any
OS: Any
URL: http://xenbits.xen.org/xsa/advisory-135.html

Description Kubilay Kocak freebsd_committer freebsd_triage 2015-06-23 00:19:38 UTC
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3209

A guest which has access to an emulated PCNET network device
(e.g. with "model=pcnet" in their VIF configuration) can exploit this
vulnerability to take over the qemu process elevating its privilege to
that of the qemu process.

Check if it applies to

emulators/qemu
emulators/qemu-devel
emulators/qemu-sbruno
emulators/qemu-user-static
Comment 1 Sean Bruno freebsd_committer freebsd_triage 2015-06-23 15:16:30 UTC
emulators/qemu-sbruno
emulators/qemu-user-static

These two ports aren't used to generate qemu-system binaries.

The qemu-user-static is a slave port to qemu-sbruno, and the code in qemu-user-static does have this vulnerability if it is used to generate qemu-system binaries.
Comment 2 commit-hook freebsd_committer freebsd_triage 2015-06-26 19:13:38 UTC
A commit references this bug:

Author: nox
Date: Fri Jun 26 19:13:32 UTC 2015
New revision: 390663
URL: https://svnweb.freebsd.org/changeset/ports/390663

Log:
  Document qemu pcnet guest to host escape vulnerability - CVE-2015-3209

  PR:		201064
  Submitted by:	koobs
  Security:	https://vuxml.FreeBSD.org/freebsd/acd5d037-1c33-11e5-be9c-6805ca1d3bb1.html

Changes:
  head/security/vuxml/vuln.xml
Comment 3 commit-hook freebsd_committer freebsd_triage 2015-06-26 19:15:40 UTC
A commit references this bug:

Author: nox
Date: Fri Jun 26 19:14:43 UTC 2015
New revision: 390664
URL: https://svnweb.freebsd.org/changeset/ports/390664

Log:
  - Apply fixes for pcnet guest to host escape vulnerability - CVE-2015-3209.
  - Bump PORTREVISIONs.

  PR:		201064
  Submitted by:	koobs
  Security:	https://vuxml.FreeBSD.org/freebsd/acd5d037-1c33-11e5-be9c-6805ca1d3bb1.html

Changes:
  head/emulators/qemu/Makefile
  head/emulators/qemu/files/patch-CVE-2015-3209
  head/emulators/qemu-devel/Makefile
  head/emulators/qemu-devel/files/patch-CVE-2015-3209
  head/emulators/qemu-sbruno/Makefile
  head/emulators/qemu-sbruno/files/patch-CVE-2015-3209
Comment 4 Juergen Lock freebsd_committer freebsd_triage 2015-06-27 11:51:06 UTC
Committed.  Thanks!