557025 – (CVE-2010-0297) CVE-2010-0297 kvm-userspace-rhel5: usb-linux.c: fix buffer overflow

Bug 557025 (CVE-2010-0297) - CVE-2010-0297 kvm-userspace-rhel5: usb-linux.c: fix buffer overflow

Summary: CVE-2010-0297 kvm-userspace-rhel5: usb-linux.c: fix buffer overflow

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2010-0297
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	560769 560770 560771
Blocks:
TreeView+	depends on / blocked

Reported:	2010-01-20 06:59 UTC by Eugene Teo (Security Response)
Modified:	2019-09-29 12:33 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-03-26 15:12:12 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2010:0088	0	normal	SHIPPED_LIVE	Important: kvm security and bug fix update	2010-02-09 10:01:51 UTC
Red Hat Product Errata	RHSA-2010:0172	0	normal	SHIPPED_LIVE	Important: rhev-hypervisor security and bug fix update	2010-03-24 15:46:46 UTC

Description Eugene Teo (Security Response) 2010-01-20 06:59:19 UTC

Description of problem:
usb-linux.c: fix buffer overflow - made into 0.11.1. This bug is to ensure we backport this change to 0.10.0.

Comment 5 Josh Bressers 2010-01-20 18:40:11 UTC

The patch for this seems to be here:
http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=babd03fde68093482528010a5435c14ce9128e3f

Comment 6 Josh Bressers 2010-01-20 19:08:31 UTC

So if I understand this correctly.

To exploit this flaw, an attacker would need:
1) A physical USB device plugged into the host machine
2) The USB device "attached" to a guest or the attacker has access to
    libvirtd and can attach a USB device.
3) Enough access to the guest to trigger the buffer overflow (root)

From what I can tell, without spending too much time on this, it's very
likely exploitable. I don't think we can prove it's not, as this will end
up overwriting a bunch of global structures, which would have a rather
unknown result.

Presuming my above alalysis is correct, this flaw is probably moderate.

Comment 10 errata-xmlrpc 2010-02-09 10:02:01 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0088 https://rhn.redhat.com/errata/RHSA-2010-0088.html

Comment 11 errata-xmlrpc 2010-03-24 15:47:00 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Virtualization for RHEL-5

Via RHSA-2010:0172 https://rhn.redhat.com/errata/RHSA-2010-0172.html

Note You need to log in before you can comment on or make changes to this bug.