Bug 238723

Summary: CVE-2007-13{20-23}, CVE-2007-1366: qemu multiple vulnerabilities
Product: [Fedora] Fedora Reporter: Ville Skyttä <ville.skytta>
Component: xenAssignee: Chris Lalancette <clalance>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 6CC: fedora-security-list, hdegoede
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.vuxml.org/freebsd/0ac89b39-f829-11db-b55c-000e0c6d38a9.html
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-03-20 00:22:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 307471    

Description Ville Skyttä 2007-05-02 16:04:55 UTC 
Not sure if these affect any qemu versions in Fedora, but here goes:

http://www.vuxml.org/freebsd/0ac89b39-f829-11db-b55c-000e0c6d38a9.html

"Several vulnerabilities have been discovered in the QEMU processor emulator,
which may lead to the execution of arbitrary code or denial of service. The
Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-1320
Tavis Ormandy discovered that a memory management routine of the Cirrus video
driver performs insufficient bounds checking, which might allow the execution of
arbitrary code through a heap overflow.

CVE-2007-1321
Tavis Ormandy discovered that the NE2000 network driver and the socket code
perform insufficient input validation, which might allow the execution of
arbitrary code through a heap overflow.

CVE-2007-1322
Tavis Ormandy discovered that the "icebp" instruction can be abused to terminate
the emulation, resulting in denial of service.

CVE-2007-1323
Tavis Ormandy discovered that the NE2000 network driver and the socket code
perform insufficient input validation, which might allow the execution of
arbitrary code through a heap overflow.

CVE-2007-1366
Tavis Ormandy discovered that the "aam" instruction can be abused to crash qemu
through a division by zero, resulting in denial of service."
Comment 1 Chris Lalancette 2007-09-26 17:41:34 UTC 
Ug.  I made a mistake, and thought this bug was for xen.  We have the same
problem in FC-6 for Xen, so I'm going to change this one to Xen, and then clone
it for Qemu, so we continue to track for that.

Chris Lalancette
Comment 2 Daniel Berrangé 2008-03-20 00:22:51 UTC 
Fedora Core 6 is end of life and will not receive further updates