https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1779
*** Bug 206726 has been marked as a duplicate of this bug. ***
2015-1779 was applied to qemu master in April of 2015 and pushed out into our versions of qemu-sbruno soon after. Current version of qemu-sbruno should not be affected. qemu-devel is currently version 2.6.0, and has this patch included already.
commit fde069f751a9aa7e597c9d297a9995eca418a403
Merge: b8a86c4 2cdb5e1
Author: Peter Maydell <peter.maydell@linaro.org>
Date:   Wed Apr 1 17:18:51 2015 +0100

    Merge remote-tracking branch 'remotes/kraxel/tags/pull-cve-2015-1779-20150401-2' into staging

    vnc: fix websocket security issues (cve-2015-1779).

    # gpg: Signature made Wed Apr 1 16:14:34 2015 BST using RSA key ID D3E87138
    # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
    # gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
    # gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

    * remotes/kraxel/tags/pull-cve-2015-1779-20150401-2:
      CVE-2015-1779: limit size of HTTP headers from websockets clients
      CVE-2015-1779: incrementally decode websocket frames

    Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

commit 2cdb5e142fb93e875fa53c52864ef5eb8d5d8b41
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Mon Mar 23 22:58:22 2015 +0000

    CVE-2015-1779: limit size of HTTP headers from websockets clients

    The VNC server websockets decoder will read and buffer data from
    websockets clients until it sees the end of the HTTP headers,
    as indicated by \r\n\r\n. In theory this allows a malicious client
    to trick QEMU into consuming an arbitrary amount of RAM. In
    practice, because QEMU runs g_strstr_len() across the buffered
    header data, it will spend increasingly long burning CPU time
    searching for the substring match and less & less time reading
    data. So while this does cause arbitrary memory growth, the bigger
    problem is that QEMU will be burning 100% of available CPU time.

    A novnc websockets client typically sends headers of around 512
    bytes in length. As such it is reasonable to place a 4096 byte
    limit on the amount of data buffered while searching for the end
    of HTTP headers.

    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
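As an added illustration of the mitigation described in the commit message above (not qemu's own code; the buffer type, function names and the 4096-byte limit are assumptions taken from that text), a header accumulator that refuses to buffer beyond the limit and only scans the newly appended tail for \r\n\r\n, so neither memory nor CPU grows with what an unfinished client keeps sending:

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical names; the 4096 byte cap follows the commit message. */
#define WS_HEADER_MAX 4096

enum ws_hdr_state { WS_HDR_NEED_MORE, WS_HDR_COMPLETE, WS_HDR_TOO_LARGE };

struct ws_hdr_buf {
    char   data[WS_HEADER_MAX]; /* fixed-size: never grows with client input */
    size_t len;                 /* bytes currently buffered */
    size_t hdr_end;             /* on COMPLETE: offset just past \r\n\r\n */
};

void ws_hdr_init(struct ws_hdr_buf *b)
{
    b->len = 0;
    b->hdr_end = 0;
}

/* Append one chunk as read from the client and report the new state. */
enum ws_hdr_state ws_hdr_feed(struct ws_hdr_buf *b, const char *chunk, size_t n)
{
    /* Client exceeded the limit without finishing its headers: the caller
       should drop the connection rather than keep buffering. */
    if (n > WS_HEADER_MAX - b->len) {
        return WS_HDR_TOO_LARGE;
    }
    memcpy(b->data + b->len, chunk, n);

    /* The terminator may straddle the old/new boundary, so start the scan
       at most 3 bytes before the fresh data, never from offset 0; this is
       what keeps the per-read cost bounded instead of rescanning everything. */
    size_t start = b->len > 3 ? b->len - 3 : 0;
    b->len += n;
    for (size_t i = start; i + 4 <= b->len; i++) {
        if (memcmp(b->data + i, "\r\n\r\n", 4) == 0) {
            b->hdr_end = i + 4;
            return WS_HDR_COMPLETE;
        }
    }
    /* Buffer full and still no terminator: treat as too large now. */
    return b->len == WS_HEADER_MAX ? WS_HDR_TOO_LARGE : WS_HDR_NEED_MORE;
}
```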
It seems non-trivial to identify affected versions. Anyone have a clue?
(In reply to Mark Felder from comment #4) What do you need me to do? Provide versions of "real" qemu here? Or do you need information on qemu-sbruno?
Just looking up the CVE, it seems difficult to find version ranges of real qemu, let alone qemu-sbruno. I'd have to start digging around to see what versions have this commit in their source.
(In reply to Mark Felder from comment #6) Ok, so you want the explicit package revision as it appears in freebsd ports of the "fixed" versions? If so, I can do that fairly "quickly".
(In reply to Sean Bruno from comment #7) Yeah that would help a lot, and then I can quickly make the vuxml entry.
For qemu-sbruno/qemu-user-static, I updated and captured this fix on:

Revision 416288 - Directory Listing
Modified Thu Jun 2 19:11:22 2016 UTC (4 months, 2 weeks ago) by sbruno

Update to a merged copy of 2.6.50 ....

Any version of these two ports prior to 2.6.50 is vulnerable.
According to the git logs of the qemu project, I'm totally wrong. This change was committed to the git master branch prior to the 2.3.0-rc2 release:

commit f2155a089600e80cf7bcdc814520ef3304882cc4
Author: Peter Maydell <peter.maydell@linaro.org>
Date:   Thu Apr 2 18:02:02 2015 +0100

    Update version for v2.3.0-rc2 release

    Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

So, for the "official" record, any version older than 2.3.0 is affected. I think that covers everything for now. Anything else?
A commit references this bug:

Author: feld
Date: Sun Dec 4 21:20:25 UTC 2016
New revision: 427806
URL: https://svnweb.freebsd.org/changeset/ports/427806

Log:
  Document qemu vulnerability

  PR:		206725
  Security:	CVE-2015-1779

Changes:
  head/security/vuxml/vuln.xml