Bug 241799 - (CVE-2007-2894) CVE-2007-2894: bochs guest OS local user DoS
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: bochs
Version: 6
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Hans de Goede
QA Contact: Fedora Extras Quality Assurance
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Keywords: Security
Reported: 2007-05-30 14:32 EDT by Ville Skyttä
Modified: 2007-11-30 17:12 EST
Fixed In Version: 2.3-7.fc7
Doc Type: Bug Fix
Last Closed: 2007-08-24 01:41:32 EDT
Description Ville Skyttä 2007-05-30 14:32:36 EDT
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2894

"The emulated floppy disk controller in Bochs 2.3 allows local users of the
guest operating system to cause a denial of service (virtual machine crash) via
unspecified vectors, resulting in a divide-by-zero error."
Comment 1 Hans de Goede 2007-06-02 03:49:44 EDT
I've contacted upstream about this, awaiting their response.
Comment 2 Hans de Goede 2007-07-18 13:37:10 EDT
Since upstream isn't making any progress with regards to this, I've investigated
this a bit further.

This CVS stems from someone doing virtual machine / pc research and the original
report mentions not one but 2 vulnerabilities:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2893
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2894

2893 is a reproducible, most likely exploitable, buffer overflow in the ne2000
driver, for which a fix is in CVS. I will issue a fixed package for this shortly.

2894 is a report of a divide by zero error in the floppy, which the researcher
managed to trigger once by feeding random bytes to the emulated floppy
controller. This is not reproducible, and upstream has audited the code and can
not find any divide by zero conditions, so I'm assuming this issue is moot.



Comment 3 Fedora Update System 2007-07-19 12:45:17 EDT
bochs-2.3-5.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Lubomir Kundrak 2007-08-02 08:38:36 EDT
Reopening this. Hans: this bug was reported against FC6. Could you please also
update the FC6 version? Thanks.
Comment 5 Hans de Goede 2007-08-02 18:13:28 EDT
The FC-6 version was fixed at the same time as the F-7 version, but no bodhi, so
no announcement, closing again.
Comment 6 Hans de Goede 2007-08-22 03:52:45 EDT
Upstream wasn't happy about the report of a divide by zero error when feeding
random data to the floppy driver (happened / reported only once). So they have
investigated this issue again, and managed to find one divide by zero condition
after all. That should explain and really fix:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2894

See:
https://sourceforge.net/tracker/?func=detail&atid=112580&aid=1729822&group_id=12580

A new version of bochs with a fix for this included is building for all 3
supported Fedora releases as I type this.
Comment 7 Fedora Update System 2007-08-24 01:41:27 EDT
bochs-2.3-7.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
