* NE2000 "mtu" heap overflow

Ethernet frames written into the ne2000 device registers do not have their packet size checked against the mtu before being transferred, resulting in large values in the TCNT register overwriting a heap buffer with arbitrary attacker controlled data from the device's memory banks. The pcnet32 card may also be affected (the attached patch would solve it if so).

* QEMU "net socket" heap overflow

QEMU does not perform adequate sanity checking on data received via the "net socket listen" option, resulting in an exploitable heap overflow. This could be reached by attackers on the host, or other guests.

* QEMU NE2000 "receive" integer signedness error

Nonsensical values in specific device registers can result in sanity checks being bypassed, an integer overflowing and attacker controlled data overflowing a heap buffer.
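The three issues above share one root cause: a guest-controlled length reaches a copy into fixed-size emulator memory without being bounded first, and in the "receive" case the bound is defeated because the length is compared as a signed integer. The following is an added illustration, not QEMU's or Xen's ne2000 code and not the attached patch: a hypothetical emulated-NIC receive ring (`struct nic_state`, `nic_receive`, `nic_reg_len_valid` are all invented names) that applies the checks whose absence the report describes, namely treating register-supplied lengths as unsigned, bounding them by the maximum Ethernet frame size before any copy, and verifying that the destination range lies inside the receive ring.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical emulated NIC: packet memory and a receive ring inside it.
   Sizes are illustrative, not the NE2000's register layout. */
#define NIC_MEM_SIZE  (32 * 1024)  /* emulated card packet memory */
#define NIC_MAX_FRAME 1514         /* MTU-sized frame incl. Ethernet header */
#define NIC_MIN_FRAME 60           /* minimum frame before FCS */

struct nic_state {
    uint8_t mem[NIC_MEM_SIZE];
    size_t  start;    /* receive ring start offset in mem */
    size_t  stop;     /* receive ring end offset (exclusive) */
    size_t  curpage;  /* next write offset inside the ring */
};

/* Validate a length read from a guest-writable register. The register is
   a raw 32-bit word; comparing it as signed lets a value with the top bit
   set slip past a "reg <= MAX" test, so reject negatives explicitly. */
int nic_reg_len_valid(int32_t reg) {
    if (reg < NIC_MIN_FRAME) return 0;  /* covers every negative value */
    if (reg > NIC_MAX_FRAME) return 0;
    return 1;
}

/* Copy one frame into the ring. Returns bytes copied, or -1 if rejected.
   len is size_t, so a "negative" length arrives as a huge value and fails
   the upper bound instead of passing a signed comparison. */
int nic_receive(struct nic_state *s, const uint8_t *frame, size_t len) {
    if (s == NULL || frame == NULL) return -1;
    if (len < NIC_MIN_FRAME || len > NIC_MAX_FRAME) return -1;
    /* Ring registers are guest-writable too: sanity-check them every time. */
    if (s->stop > NIC_MEM_SIZE || s->start >= s->stop) return -1;
    if (s->stop - s->start < NIC_MAX_FRAME) return -1; /* ring too small to wrap safely */
    if (s->curpage < s->start || s->curpage >= s->stop) return -1;

    size_t room = s->stop - s->curpage;  /* bytes before the ring wraps */
    if (len <= room) {
        memcpy(s->mem + s->curpage, frame, len);
        s->curpage += len;
    } else {
        /* Split copy: tail of the ring, then continue from ring start.
           len - room <= NIC_MAX_FRAME <= ring size, so this stays in bounds. */
        memcpy(s->mem + s->curpage, frame, room);
        memcpy(s->mem + s->start, frame + room, len - room);
        s->curpage = s->start + (len - room);
    }
    if (s->curpage == s->stop) s->curpage = s->start;
    return (int)len;
}

/* Exercises the rejection paths; returns 0 when every check behaves. */
int nic_selftest(void) {
    static struct nic_state s;   /* static: too large for the stack */
    uint8_t f[100];
    for (int i = 0; i < 100; i++) f[i] = (uint8_t)i;
    memset(&s, 0, sizeof s);
    s.start = 0x4000; s.stop = 0x8000; s.curpage = 0x4000;

    if (nic_receive(&s, f, 100) != 100) return 1;      /* normal frame */
    if (s.curpage != 0x4000 + 100) return 2;
    if (nic_receive(&s, f, 2000) != -1) return 3;      /* larger than MTU */
    if (nic_receive(&s, f, (size_t)-100) != -1) return 4; /* "negative" length */
    if (nic_receive(&s, f, 10) != -1) return 5;        /* runt */

    s.curpage = s.stop - 50;                           /* force a wrap */
    if (nic_receive(&s, f, 100) != 100) return 6;
    if (s.curpage != s.start + 50) return 7;
    if (s.mem[s.stop - 1] != 49 || s.mem[s.start] != 50) return 8;

    s.stop = NIC_MEM_SIZE + 1;                         /* corrupt ring register */
    if (nic_receive(&s, f, 100) != -1) return 9;
    return 0;
}

int main(void) {
    printf("selftest: %d\n", nic_selftest());   /* prints "selftest: 0" */
    return 0;
}
```

The point of the two separate checks is that neither alone is sufficient: `nic_reg_len_valid` closes the signedness hole at the register boundary, while `nic_receive` re-validates the ring registers on every frame because the guest can change them between the check and the copy.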
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
public via http://taviso.decsystem.org/virtsec.pdf
The severity of these NE2000 issues is probably low (or none at all) since xen uses the rtl8139 driver by default.
see also http://lists.xensource.com/archives/html/xen-devel/2007-05/msg00021.html
Created attachment 222511: was the proposed patch for all the issues (so includes these 3 too)
For clarity, the CVE-2007-1321 as fixed in RHSA-2007:0323 applies to this single issue:

* QEMU NE2000 "receive" integer signedness error

Nonsensical values in specific device registers can result in sanity checks being bypassed, an integer overflowing and attacker controlled data overflowing a heap buffer.

It is likely the other two issues mentioned will get their own CVE names, of which only one applies to Xen (and is also impact=low) and therefore we will create a new tracking bug for that once allocated.
OK, here's the matrix of problems and fixes (O means the fix is present, X means it isn't present, and NA means not applicable):

                | "mtu" heap | "net socket" heap | "receive" integer signedness
----------------+------------+-------------------+-----------------------------
5.0.z           | NA         | X                 | O
5.1             | NA         | X                 | O
upstream Qemu   | X          | X                 | O
upstream Xen    | NA         | X                 | O

So in summary, we have the fixes for problem 3; 1 doesn't apply to us; and 2 is still a problem, although a low priority one, in all of the upstream projects as well as 5.0.z and 5.1.

Chris Lalancette
All of the bugs depending on this one were closed -> errata long ago. Closing this tracking bug.

Chris Lalancette