Bug 237342 - (CVE-2007-1320) CVE-2007-1320 xen/qemu Cirrus LGD-54XX "bitblt" Heap Overflow
CVE-2007-1320 xen/qemu Cirrus LGD-54XX "bitblt" Heap Overflow
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,source=vendorsec,rep...
: Reopened, Security
Depends On: 237467 296271 296281 448524 448525 CVE-2008-4539
Blocks: 471055
  Show dependency treegraph
 
Reported: 2007-04-20 17:41 EDT by Marcel Holtmann
Modified: 2014-12-05 03:52 EST (History)
11 users (show)

See Also:
Fixed In Version: 65-7.fc9
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-07-13 13:55:13 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Marcel Holtmann 2007-04-20 17:41:55 EDT
The cirrus_invalidate_region() routine used during video-to-video copy
operations in the cirrus vga extension code omits bounds checking in
multiple locations, allowing you to overwrite adjacent buffers by
attempting to mark non-existent regions as dirty. Successful
exploitation would result in a complete compromise of the qemu
process. Additionally multiple bitblt operations omit bounds checking,
where the srcpitch or dstpitch coefficients cause the operation to
exceed the bounds of the vram buffer.
Comment 1 Daniel Berrange 2007-04-24 20:04:36 EDT
Upstream applied this fix:

http://xenbits.xensource.com/xen-unstable.hg?rev/9e86260b95a4
Comment 2 RHEL Product and Program Management 2007-05-04 09:27:07 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 5 Mark J. Cox (Product Security) 2007-09-19 09:21:18 EDT
public via http://taviso.decsystem.org/virtsec.pdf
Comment 8 Tomas Hoger 2008-05-27 02:50:45 EDT
It seems that this issue did not get fixed in qemu / kvm at the time of fix
being applied to Xen.  Following patch was recently applied in the qemu SVN to
address this issue:

http://svn.savannah.gnu.org/viewvc/?view=rev&root=qemu&revision=4340

Cirrus seems to be the default graphics adapter used by current kvm versions.
Comment 9 Glauber Costa 2008-05-27 09:14:10 EDT
I created bugs #448524 and #448525 as clones of this one for Fedora.
Comment 10 Lubomir Rintel 2008-05-27 10:09:57 EDT
*** Bug 448524 has been marked as a duplicate of this bug. ***
Comment 11 Fedora Update System 2008-05-28 22:33:07 EDT
kvm-65-7.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2008-05-28 22:48:57 EDT
kvm-60-6.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Don Dutile 2008-09-03 13:06:02 EDT
Closing since XS patch was applied to RHEL5 when it rebased to xen-3.1.0
and comment 11 & comment 12 indicate the fix is included in fc8 & fc9.
Comment 14 Tomas Hoger 2008-09-04 02:52:30 EDT
Is this fixed in current qemu versions as well?
Comment 16 Atsushi SAKAI 2008-11-03 23:11:50 EST
Hi, Tomas

I am looking around the patch.
It needs to add originally.
Since 0.9.1 Released on Jan 2008,
But a patch itself created on after that.

=====
version change
bellard [Sun, 6 Jan 2008 17:10:54 +0000 (17:10 +0000)]

http://git.kernel.dk/?p=qemu.git;a=commitdiff;h=bfe312121eb80226f0cb2d4b7c2b9b5fafecd93e
=======

1)CVE-2007-1320 - Cirrus LGD-54XX "bitblt" heap overflow
aurel32 [Mon, 5 May 2008 21:26:31 +0000 (21:26 +0000)]

I have just noticed that patch for CVE-2007-1320 has never been applied
to the QEMU CVS. Please find it below.
http://git.kernel.dk/?p=qemu.git;a=commitdiff;h=b2eb849d4b1fdb6f35d5c46958c7f703cf64cfef


2)CVE-2008-4539: fix a heap overflow in Cirrus emulation
aurel32 [Sat, 1 Nov 2008 00:53:39 +0000 (00:53 +0000)]

The code in hw/cirrus_vga.c has changed a lot between CVE-2007-1320 has
been announced and the patch has been applied. As a consequence it has
wrongly applied and QEMU is still vulnerable to this bug if using VNC.

(noticed by Jan Niehusmann)

http://git.kernel.dk/?p=qemu.git;a=commitdiff;h=65d35a09979e63541afc5bfc595b9f1b1b4ae069

Thanks
Atsushi SAKAI
Comment 20 Tomas Hoger 2008-11-11 09:45:40 EST
Atsushi, thanks for providing links to qemu upstream commits.

I checked status of qemu, kvm and xen packages currently in Fedora with respect to this bug and CVE-2008-4539.

qemu:
- versions checked:
  qemu-0.9.0-7.fc8 qemu-0.9.1-6.fc9 qemu-0.9.1-10.fc10
- no patch applied, all versions require patch for CVE-2007-1320
- as CVE-2007-1320 was not yet addressed in qemu, CVE-2008-4539 does not apply

kvm:
- versions checked:
  kvm-60-6.fc8 kvm-65-10.fc9 kvm-74-5.fc10 kvm-78-4.fc11
- all versions have original patch for CVE-2007-1320, which is also included
  in upstream sources in 70
- all require patch for CVE-2008-4539

xen:
- xen upstream seems to use completely different patch to address this issue, see comment #1 or:
http://xenbits.xensource.com/xen-3.1-testing.hg?file/623a07dda15c/tools/ioemu/patches/qemu-cirrus-bounds-checks
Comment 21 Chris Lalancette 2011-07-13 13:55:13 EDT
This is ancient, and all of the affected versions have been patches (as far as I know).  Closing this out.

Note You need to log in before you can comment on or make changes to this bug.