Bug 237343 (CVE-2007-1321)

Summary: CVE-2007-1321 xen QEMU NE2000 emulation issues
Product: [Other] Security Response Reporter: Marcel Holtmann <holtmann>
Component: vulnerabilityAssignee: Don Dutile (Red Hat) <ddutile>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: clalance, kreilly, security-response-team, xen-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-10-22 14:59:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 237468, 296271, 296281    
Bug Blocks:    
Attachments:
Description Flags
was the proposed patch for all the issues (so includes these 3 too) none

Description Marcel Holtmann 2007-04-20 21:46:31 UTC 
* NE2000 "mtu" heap overflow
Ethernet frames written into the ne2000 device registers do not have
their packet size checked against the mtu before being transfered,
resulting in large values in the TCNT register overwriting a heap
buffer with arbitrary attacker controller data from the devices memory
banks. The pcnet32 card may also be affected (the attached patch would
solve it if so).

* QEMU "net socket" heap overflow.
QEMU does not perform adequate sanity checking on data received via
the "net socket listen" option, resulting in an exploitable heap
overflow. This could be reached by attackers on the host, or other
guests.

* QEMU NE2000 "receive" integer signedness error
Nonsensical values in specific device registers can result in sanity
checks being bypassed, an integer overflowing and attacker controlled
data overflowing a heap buffer.
Comment 2 RHEL Program Management 2007-05-04 13:26:50 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 3 Mark J. Cox 2007-09-19 13:16:39 UTC 
public via http://taviso.decsystem.org/virtsec.pdf
Comment 4 Mark J. Cox 2007-09-19 13:23:18 UTC 
The severity of these NE2000 issues is probably low (or none at all) since since
xen uses the rtl8139 driver by default.
Comment 5 Mark J. Cox 2007-09-19 13:24:08 UTC 
see also http://lists.xensource.com/archives/html/xen-devel/2007-05/msg00021.html
Comment 8 Mark J. Cox 2007-10-10 14:04:07 UTC 
Created attachment 222511 [details]
was the proposed patch for all the issues (so includes these 3 too)
Comment 9 Mark J. Cox 2007-10-10 14:12:09 UTC 
For clarity, the CVE-2007-1321 as fixed in RHSA-2007:0323 applies to this single
issue:

* QEMU NE2000 "receive" integer signedness error
Nonsensical values in specific device registers can result in sanity
checks being bypassed, an integer overflowing and attacker controlled
data overflowing a heap buffer.

It is likely the other two issues mentioned will get their own CVE names, of
which only one applies to Xen (and is also impact=low) and therefore we will
create a new tracking bug for that once allocated.
Comment 11 Chris Lalancette 2007-10-10 14:56:48 UTC 
OK, here's the matrix of problems and fixes (O means the fix is present, X mean
it isn't present, and NA means not applicable):

                "mtu" heap     "net socket" heap   "receive" integer signedness
                ----------------------------------------------------------------
5.0.z           |     NA     |         X         |            O
5.1             |     NA     |         X         |            O
upstream Qemu   |     X      |         X         |            O
upstream Xen    |     NA     |         X         |            O

So in summary, we have the fixes for problem 3; 1 doesn't apply to us; and 2 is
still a problem, although a low priority one, in all of the upstream projects as
well as 5.0.z and 5.1.

Chris Lalancette
Comment 14 Chris Lalancette 2009-10-22 14:59:01 UTC 
All of the bugs depending on this one were closed -> errata long ago.  Closing this tracking bug.

Chris Lalancette