Bug 241799 (CVE-2007-2894)

Summary: CVE-2007-2894: bochs guest OS local user DoS
Product: Fedora
Reporter: Ville Skyttä <ville.skytta>
Component: bochs
Assignee: Hans de Goede <hdegoede>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 6
CC: fedora-security-list, lkundrak
Keywords: Security
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2894
Fixed In Version: 2.3-7.fc7
Doc Type: Bug Fix
Last Closed: 2007-08-24 05:41:32 UTC

Description Ville Skyttä 2007-05-30 18:32:36 UTC
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2894

"The emulated floppy disk controller in Bochs 2.3 allows local users of the
guest operating system to cause a denial of service (virtual machine crash) via
unspecified vectors, resulting in a divide-by-zero error."

Comment 1 Hans de Goede 2007-06-02 07:49:44 UTC
I've contacted upstream about this, awaiting their response.

Comment 2 Hans de Goede 2007-07-18 17:37:10 UTC
Since upstream isn't making any progress with regards to this, I've investigated
this a bit further.

This CVE stems from someone doing virtual machine / PC research, and the original
report mentions not one but 2 vulnerabilities:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2893
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2894

2893 is a reproducible, most likely exploitable, buffer overflow in the ne2000
driver, for which a fix is in CVS. I will issue a fixed package for this shortly.

2894 is a report of a divide by zero error in the floppy, which the researcher
managed to trigger once by feeding random bytes to the emulated floppy
controller. This is not reproducible, and upstream has audited the code and cannot
find any divide by zero conditions, so I'm assuming this issue is moot.

Comment 3 Fedora Update System 2007-07-19 16:45:17 UTC
bochs-2.3-5.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Lubomir Kundrak 2007-08-02 12:38:36 UTC
Reopening this. Hans: this bug was reported against FC6. Could you please also
update the FC6 version? Thanks.

Comment 5 Hans de Goede 2007-08-02 22:13:28 UTC
The FC-6 version was fixed at the same time as the F-7 version, but no bodhi, so
no announcement, closing again.

Comment 6 Hans de Goede 2007-08-22 07:52:45 UTC
Upstream wasn't happy about the report of a divide by zero error when feeding
random data to the floppy driver (happened / reported only once). So they have
investigated this issue again, and managed to find one divide by zero condition
after all. That should explain and really fix:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2894

See:
https://sourceforge.net/tracker/?func=detail&atid=112580&aid=1729822&group_id=12580

A new version of bochs with a fix for this included is building for all 3
supported Fedora releases as I type this.

Comment 7 Fedora Update System 2007-08-24 05:41:27 UTC
bochs-2.3-7.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.