Qemu VGA module allows guest to edit certain registers in 'vbe' and 'vga' modes, i.e. guest could set certain 'VGA' registers while in 'VBE' mode. This leads to potential integer overflow or OOB read access issues in Qemu. A privileged guest user could use this flaw to crash the Qemu process on the host, resulting in DoS.

Upstream patches:
-----------------
-> https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg01198.html

Reference:
----------
-> http://www.openwall.com/lists/oss-security/2016/05/09/4
Acknowledgments: Name: Zuozhi Fzz (Alibaba Inc.)
Created attachment 1137419: Backtrace report
Statement: (none)
Public via: http://xenbits.xen.org/xsa/advisory-179.html
Created xen tracking bugs for this issue: Affects: fedora-all [bug 1334343]
Created qemu tracking bugs for this issue: Affects: fedora-all [bug 1334342]
xen-4.5.3-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
qemu-2.4.1-9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
xen-4.6.1-8.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
qemu-2.3.1-14.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
This one caused a regression. How do we handle these?

Upstream patch (merged in master, queued for 2.6.1 stable update):
https://lists.nongnu.org/archive/html/qemu-devel/2016-05/msg03790.html

Fedora bugs: bug 1339268, bug 1339267
> This one caused a regression. How do we handle these?

Does the regression introduce a new security issue?

I'd suggest tracking the regression as a separate issue in a new set of BZs for RHEL-6.9 and RHEL-7.3. Whether or not we backport the fix to the respective Z-streams depends on whether or not a customer hits the regression.

Setting NEEDINFO to areis for additional review/feedback.
(In reply to Jeff Nelson from comment #14)
> > This one caused a regression. How do we handle these?
>
> Does the regression introduce a new security issue?

No.
(In reply to Jeff Nelson from comment #14)
> > This one caused a regression. How do we handle these?
>
> Does the regression introduce a new security issue?
>
> I'd suggest tracking the regression as a separate issue in a new set of BZs
> for RHEL-6.9 and RHEL-7.3. Whether or not we backport the fix to the
> respective Z-streams depends on whether or not a customer hits the
> regression.

My understanding is that this particular security issue is not being backported to z-streams.

If that's indeed the case, then given the patches are being reviewed (BZs are POST), there's no need for a new BZ for the regression. We can simply respin the patches.
xen-4.5.3-5.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to Ademar Reis from comment #16)
> (In reply to Jeff Nelson from comment #14)
> > > This one caused a regression. How do we handle these?
> >
> > Does the regression introduce a new security issue?
> >
> > I'd suggest tracking the regression as a separate issue in a new set of BZs
> > for RHEL-6.9 and RHEL-7.3. Whether or not we backport the fix to the
> > respective Z-streams depends on whether or not a customer hits the
> > regression.
>
> My understanding is that this particular security issue is not being
> backported to z-streams.
>
> If that's indeed the case, then given the patches are being reviewed (BZs
> are POST), there's no need for a new BZ for the regression. We can simply
> respin the patches.

Both CVE-2016-3710 and CVE-2016-3712 are fixed together in one series (RHEL-6 + RHEL-7). RHEL-5 gets the CVE-2016-3710 fix only, so no regression there. Patches are out for 6.8 and 7.2.z.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2016:2585 https://rhn.redhat.com/errata/RHSA-2016-2585.html
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2017:0621 https://rhn.redhat.com/errata/RHSA-2017-0621.html