Description of problem: usb-linux.c: fix buffer overflow - made it into 0.11.1. This bug is to ensure we backport this change to 0.10.0.
The patch for this seems to be here: http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=babd03fde68093482528010a5435c14ce9128e3f
So, if I understand this correctly, to exploit this flaw an attacker would need:

1) A physical USB device plugged into the host machine
2) The USB device "attached" to a guest, or the attacker has access to libvirtd and can attach a USB device.
3) Enough access to the guest to trigger the buffer overflow (root)

From what I can tell, without spending too much time on this, it's very likely exploitable. I don't think we can prove it's not, as this will end up overwriting a bunch of global structures, which would have a rather unknown result. Presuming my above analysis is correct, this flaw is probably moderate.
This issue has been addressed in the following products: Red Hat Enterprise Linux 5, via RHSA-2010:0088 https://rhn.redhat.com/errata/RHSA-2010-0088.html
This issue has been addressed in the following products: Red Hat Enterprise Virtualization for RHEL-5, via RHSA-2010:0172 https://rhn.redhat.com/errata/RHSA-2010-0172.html