Bug 237343 (alias CVE-2007-1321) - CVE-2007-1321 xen QEMU NE2000 emulation issues
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All   OS: Linux
Priority: low   Severity: low
Assigned To: Don Dutile
Whiteboard: impact=low,source=vendorsec,reported=...
Keywords: Security
Depends On: 237468 296271 296281
Reported: 2007-04-20 17:46 EDT by Marcel Holtmann
Modified: 2009-10-22 10:59 EDT (History)
Last Closed: 2009-10-22 10:59:01 EDT

Attachments
Attachment 222511: was the proposed patch for all the issues (so includes these 3 too) (14.21 KB, patch)
2007-10-10 10:04 EDT, Mark J. Cox (Product Security)

Description Marcel Holtmann 2007-04-20 17:46:31 EDT
* NE2000 "mtu" heap overflow
Ethernet frames written into the ne2000 device registers do not have
their packet size checked against the mtu before being transferred,
resulting in large values in the TCNT register overwriting a heap
buffer with arbitrary attacker controlled data from the device's memory
banks. The pcnet32 card may also be affected (the attached patch would
solve it if so).

* QEMU "net socket" heap overflow.
QEMU does not perform adequate sanity checking on data received via
the "net socket listen" option, resulting in an exploitable heap
overflow. This could be reached by attackers on the host, or other
guests.

* QEMU NE2000 "receive" integer signedness error
Nonsensical values in specific device registers can result in sanity
checks being bypassed, an integer overflowing and attacker controlled
data overflowing a heap buffer.
Comment 2 RHEL Product and Program Management 2007-05-04 09:26:50 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 3 Mark J. Cox (Product Security) 2007-09-19 09:16:39 EDT
public via http://taviso.decsystem.org/virtsec.pdf
Comment 4 Mark J. Cox (Product Security) 2007-09-19 09:23:18 EDT
The severity of these NE2000 issues is probably low (or none at all) since
xen uses the rtl8139 driver by default.
Comment 5 Mark J. Cox (Product Security) 2007-09-19 09:24:08 EDT
see also http://lists.xensource.com/archives/html/xen-devel/2007-05/msg00021.html
Comment 8 Mark J. Cox (Product Security) 2007-10-10 10:04:07 EDT
Created attachment 222511 [details]
was the proposed patch for all the issues (so includes these 3 too)
Comment 9 Mark J. Cox (Product Security) 2007-10-10 10:12:09 EDT
For clarity, the CVE-2007-1321 as fixed in RHSA-2007:0323 applies to this single
issue:

* QEMU NE2000 "receive" integer signedness error
Nonsensical values in specific device registers can result in sanity
checks being bypassed, an integer overflowing and attacker controlled
data overflowing a heap buffer.

It is likely the other two issues mentioned will get their own CVE names, of
which only one applies to Xen (and is also impact=low) and therefore we will
create a new tracking bug for that once allocated.
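The following C program is an added illustration of the two NE2000 bug classes described on this bug: the transmit byte count that is never checked against the MTU or the host buffer (the "mtu" heap overflow in the description) and the signed receive length whose sanity check a negative value bypasses (the "receive" integer signedness error, the issue comment 9 ties to CVE-2007-1321). It is written for this page and is not QEMU's or Xen's ne2000 code, nor the attached Red Hat patch; the 16 KiB packet RAM, the 1514-byte host transmit buffer, the page/byte-count register names and every NIC_* identifier are assumptions of the model. The vulnerable functions keep the unpatched logic's checks, or lack of them, but route the final copy through a guard that reports the out-of-bounds write instead of performing it, so the program runs without corrupting memory; the hardened variants next to them show the checks a fixed device needs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of an emulated NE2000-class NIC (assumed layout, not QEMU's
 * ne2000.c): 16 KiB of packet RAM the guest fills through the data port, and a
 * fixed-size host buffer a transmitted frame is assembled into. */
#define NIC_MEM_SIZE 16384
#define NIC_PAGE     256
#define MAX_FRAME    1514            /* Ethernet MTU plus 14-byte header */

enum { NIC_OK = 0, NIC_DROPPED = -1, NIC_OVERFLOW = -2 };

typedef struct {
    uint8_t mem[NIC_MEM_SIZE];       /* device packet RAM, guest writable */
    uint8_t txbuf[MAX_FRAME];        /* host-side buffer (heap in a real device) */
} nic_t;

/* Stand-in for the device's memcpy: copies what fits in both buffers, and where
 * the unpatched device would have run past one of them it returns NIC_OVERFLOW
 * instead of doing so. */
static int guarded_copy(uint8_t *dst, size_t dst_cap,
                        const uint8_t *src, size_t src_cap, size_t n)
{
    size_t fit = n;
    if (fit > dst_cap) fit = dst_cap;
    if (fit > src_cap) fit = src_cap;
    memcpy(dst, src, fit);
    return (n > dst_cap || n > src_cap) ? NIC_OVERFLOW : NIC_OK;
}

/* Transmit: the guest programs a page start and a 16-bit byte count, and the
 * device copies that many bytes out of packet RAM into txbuf. */

/* Vulnerable shape: byte_count is never compared with the MTU or with the size
 * of txbuf, so any count above 1514 writes past the host buffer. */
int tx_vuln(nic_t *nic, unsigned page_start, uint16_t byte_count)
{
    size_t src = (size_t)page_start * NIC_PAGE;
    if (src > NIC_MEM_SIZE) src = NIC_MEM_SIZE;   /* keep the model's pointer valid */
    return guarded_copy(nic->txbuf, MAX_FRAME,
                        nic->mem + src, NIC_MEM_SIZE - src, byte_count);
}

/* Hardened: reject the request before any buffer is touched. */
int tx_safe(nic_t *nic, unsigned page_start, uint16_t byte_count)
{
    size_t src = (size_t)page_start * NIC_PAGE;
    if (byte_count == 0 || byte_count > MAX_FRAME) return NIC_DROPPED;
    if (src >= NIC_MEM_SIZE || byte_count > NIC_MEM_SIZE - src) return NIC_DROPPED;
    memcpy(nic->txbuf, nic->mem + src, byte_count);
    return NIC_OK;
}

/* Receive: a frame from the host network layer is written into packet RAM at a
 * page selected by guest-written registers. */

/* Vulnerable shape: the length travels in a signed int that guest register state
 * can drive negative. "size > avail" is a signed comparison, so -1 passes it, and
 * the conversion to size_t for the copy turns -1 into SIZE_MAX. */
int rx_vuln(nic_t *nic, unsigned page_start, const uint8_t *frame,
            size_t frame_len, int size)
{
    int offset = (int)(page_start * NIC_PAGE);
    if (offset < 0 || offset >= NIC_MEM_SIZE) return NIC_DROPPED; /* out of model scope */
    int avail = NIC_MEM_SIZE - offset;
    if (size > avail) return NIC_DROPPED;     /* the only sanity check */
    size_t count = (size_t)size;              /* a negative size wraps here */
    return guarded_copy(nic->mem + offset, (size_t)avail, frame, frame_len, count);
}

/* Hardened: unsigned length, bounded by the MTU, the frame actually received,
 * and the free space at the chosen page. */
int rx_safe(nic_t *nic, unsigned page_start, const uint8_t *frame,
            size_t frame_len, size_t size)
{
    size_t offset = (size_t)page_start * NIC_PAGE;
    if (offset >= NIC_MEM_SIZE) return NIC_DROPPED;
    if (size == 0 || size > MAX_FRAME || size > frame_len) return NIC_DROPPED;
    if (size > NIC_MEM_SIZE - offset) return NIC_DROPPED;
    memcpy(nic->mem + offset, frame, size);
    return NIC_OK;
}

/* Constructed demo state: a zeroed device and a 64-byte frame of 0xAB bytes. */
nic_t demo_nic;
uint8_t demo_frame[64];

/* Drives both paths with guest-choosable values; returns 1 when the vulnerable
 * variants overflow and the hardened ones drop the same inputs. */
int run_checks(void)
{
    memset(&demo_nic, 0, sizeof demo_nic);
    memset(demo_frame, 0xAB, sizeof demo_frame);
    int vuln_overflows = tx_vuln(&demo_nic, 0, 4000) == NIC_OVERFLOW
        && rx_vuln(&demo_nic, 0, demo_frame, sizeof demo_frame, -1) == NIC_OVERFLOW;
    int safe_drops = tx_safe(&demo_nic, 0, 4000) == NIC_DROPPED
        && rx_safe(&demo_nic, 0, demo_frame, sizeof demo_frame, (size_t)-1) == NIC_DROPPED;
    int normal_ok = tx_safe(&demo_nic, 0, 64) == NIC_OK
        && rx_safe(&demo_nic, 63, demo_frame, sizeof demo_frame, 64) == NIC_OK;
    return vuln_overflows && safe_drops && normal_ok;
}

int main(void)
{
    printf("model checks %s\n", run_checks() ? "hold" : "FAILED");
    return 0;
}
```

The point the model makes is that the two NE2000 issues have different shapes: the transmit path lacks a bound entirely, while the receive path has a bound that the signed type defeats. A check written as `size > avail` on `int` values accepts every negative length; the fix is to carry lengths as unsigned values and compare them against the MTU and the free space before the copy, as `tx_safe` and `rx_safe` do.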
Comment 11 Chris Lalancette 2007-10-10 10:56:48 EDT
OK, here's the matrix of problems and fixes (O means the fix is present, X means
it isn't present, and NA means not applicable):

                "mtu" heap     "net socket" heap   "receive" integer signedness
                ----------------------------------------------------------------
5.0.z           |     NA     |         X         |            O
5.1             |     NA     |         X         |            O
upstream Qemu   |     X      |         X         |            O
upstream Xen    |     NA     |         X         |            O

So in summary, we have the fixes for problem 3; 1 doesn't apply to us; and 2 is
still a problem, although a low priority one, in all of the upstream projects as
well as 5.0.z and 5.1.

Chris Lalancette
Comment 14 Chris Lalancette 2009-10-22 10:59:01 EDT
All of the bugs depending on this one were closed -> errata long ago.  Closing this tracking bug.

Chris Lalancette