Bug 201064 - emulators/qemu: Heap overflow in QEMU PCNET controller, allowing guest->host escape (CVE-2015-3209)
Summary: emulators/qemu: Heap overflow in QEMU PCNET controller, allowing guest->host ...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Juergen Lock
URL: http://xenbits.xen.org/xsa/advisory-1...
Keywords: needs-patch, needs-qa, security
Depends on:
Blocks:
 
Reported: 2015-06-23 00:19 UTC by Kubilay Kocak
Modified: 2015-06-27 11:51 UTC (History)
2 users (show)

See Also:
nox: maintainer-feedback+
koobs: merge-quarterly?


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kubilay Kocak freebsd_committer freebsd_triage 2015-06-23 00:19:38 UTC
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3209

A guest which has access to an emulated PCNET network device
(e.g. with "model=pcnet" in their VIF configuration) can exploit this
vulnerability to take over the qemu process elevating its privilege to
that of the qemu process.

Check if it applies to

emulators/qemu
emulators/qemu-devel
emulators/qemu-sbruno
emulators/qemu-user-static
Comment 1 Sean Bruno freebsd_committer 2015-06-23 15:16:30 UTC
emulators/qemu-sbruno
emulators/qemu-user-static

These two port aren't used to generate qemu-system binaries.

The qemu-user-static is a slave port to qemu-sbruno, and the code in qemu-user-static does have this vulnerability if it is used to generate qemu-system binaries.
Comment 2 commit-hook freebsd_committer 2015-06-26 19:13:38 UTC
A commit references this bug:

Author: nox
Date: Fri Jun 26 19:13:32 UTC 2015
New revision: 390663
URL: https://svnweb.freebsd.org/changeset/ports/390663

Log:
  Document qemu pcnet guest to host escape vulnerability - CVE-2015-3209

  PR:		201064
  Submitted by:	koobs
  Security:	https://vuxml.FreeBSD.org/freebsd/acd5d037-1c33-11e5-be9c-6805ca1d3bb1.html

Changes:
  head/security/vuxml/vuln.xml
Comment 3 commit-hook freebsd_committer 2015-06-26 19:15:40 UTC
A commit references this bug:

Author: nox
Date: Fri Jun 26 19:14:43 UTC 2015
New revision: 390664
URL: https://svnweb.freebsd.org/changeset/ports/390664

Log:
  - Apply fixes for pcnet guest to host escape vulnerability - CVE-2015-3209.
  - Bump PORTREVISIONs.

  PR:		201064
  Submitted by:	koobs
  Security:	https://vuxml.FreeBSD.org/freebsd/acd5d037-1c33-11e5-be9c-6805ca
  1d3bb1.html

Changes:
  head/emulators/qemu/Makefile
  head/emulators/qemu/files/patch-CVE-2015-3209
  head/emulators/qemu-devel/Makefile
  head/emulators/qemu-devel/files/patch-CVE-2015-3209
  head/emulators/qemu-sbruno/Makefile
  head/emulators/qemu-sbruno/files/patch-CVE-2015-3209
Comment 4 Juergen Lock freebsd_committer 2015-06-27 11:51:06 UTC
Committed.  Thanks!