Bug 557025 (CVE-2010-0297) - CVE-2010-0297 kvm-userspace-rhel5: usb-linux.c: fix buffer overflow
Summary: CVE-2010-0297 kvm-userspace-rhel5: usb-linux.c: fix buffer overflow
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-0297
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 560769 560770 560771
Blocks:
Reported: 2010-01-20 06:59 UTC by Eugene Teo (Security Response)
Modified: 2019-09-29 12:33 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-26 15:12:12 UTC
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0088 0 normal SHIPPED_LIVE Important: kvm security and bug fix update 2010-02-09 10:01:51 UTC
Red Hat Product Errata RHSA-2010:0172 0 normal SHIPPED_LIVE Important: rhev-hypervisor security and bug fix update 2010-03-24 15:46:46 UTC

Description Eugene Teo (Security Response) 2010-01-20 06:59:19 UTC
Description of problem:
usb-linux.c: fix buffer overflow - made into 0.11.1. This bug is to ensure we backport this change to 0.10.0.

Comment 5 Josh Bressers 2010-01-20 18:40:11 UTC
The patch for this seems to be here:
http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=babd03fde68093482528010a5435c14ce9128e3f

Comment 6 Josh Bressers 2010-01-20 19:08:31 UTC
So if I understand this correctly.

To exploit this flaw, an attacker would need:
1) A physical USB device plugged into the host machine
2) The USB device "attached" to a guest or the attacker has access to
    libvirtd and can attach a USB device.
3) Enough access to the guest to trigger the buffer overflow (root)

From what I can tell, without spending too much time on this, it's very
likely exploitable. I don't think we can prove it's not, as this will end
up overwriting a bunch of global structures, which would have a rather
unknown result.

Presuming my above analysis is correct, this flaw is probably moderate.
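The defect discussed in this comment is a control-transfer length that reaches a fixed-size buffer without being checked, so an oversized transfer runs past the buffer into whatever global state follows it. The following is an added illustration of the bounds check that closes that class of bug; it is not the QEMU/kvm-userspace code or the referenced upstream patch. The struct layout, the buffer size, the function and constant names (`usb_host_handle_control`, `CTRL_BUF_SIZE`, `USB_RET_STALL`) and the sample request bytes are all assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical emulation state: a fixed-size control-transfer buffer
 * followed by other device state, mirroring the situation Comment 6
 * describes (an overrun of the buffer lands in adjacent global
 * structures). The size and layout are assumptions, not QEMU's. */
#define CTRL_BUF_SIZE 1024

struct usb_host_state {
    uint8_t ctrl_buf[CTRL_BUF_SIZE]; /* data for the current control transfer */
    int     state;                   /* adjacent state an overrun would clobber */
    int     errors;                  /* count of rejected transfers */
};

static struct usb_host_state dev;

/* Assumed return convention: >= 0 is the number of bytes accepted,
 * a negative value tells the guest the transfer stalled. */
#define USB_RET_STALL (-3)

/* Hardened handler. The transfer length is under guest control, so it is
 * compared against the destination buffer before any copy takes place.
 * The unchecked form of this handler differs only in lacking the length
 * comparison, which is exactly what lets the copy overrun ctrl_buf. */
int usb_host_handle_control(const uint8_t *data, size_t length)
{
    if (data == NULL)
        return USB_RET_STALL;
    if (length > sizeof(dev.ctrl_buf)) {
        dev.errors++;
        return USB_RET_STALL; /* reject instead of writing past ctrl_buf */
    }
    memcpy(dev.ctrl_buf, data, length);
    dev.state = 1;
    return (int)length;
}

int usb_host_state_value(void) { return dev.state; }
int usb_host_error_count(void) { return dev.errors; }

/* Constructed input: a well-formed 8-byte setup packet (GET_DESCRIPTOR). */
int accept_small_request(void)
{
    static const uint8_t req[8] = {0x80, 0x06, 0x00, 0x01, 0x00, 0x00, 0x08, 0x00};
    return usb_host_handle_control(req, sizeof req);
}

/* Constructed input: a request twice the size of the buffer, which the
 * hardened handler must refuse without touching dev.state. */
int reject_oversized_request(void)
{
    static uint8_t oversized[2 * CTRL_BUF_SIZE];
    memset(oversized, 0x41, sizeof oversized);
    return usb_host_handle_control(oversized, sizeof oversized);
}

int main(void)
{
    printf("small request   -> %d\n", accept_small_request());
    printf("oversized request -> %d (state=%d, errors=%d)\n",
           reject_oversized_request(), usb_host_state_value(),
           usb_host_error_count());
    return 0;
}
```

The check belongs at the point where the untrusted length first meets a fixed-size destination; rejecting with a stall keeps the guest-visible protocol intact while guaranteeing that the adjacent state can never be reached by the copy.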

Comment 10 errata-xmlrpc 2010-02-09 10:02:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0088 https://rhn.redhat.com/errata/RHSA-2010-0088.html

Comment 11 errata-xmlrpc 2010-03-24 15:47:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Virtualization for RHEL-5

Via RHSA-2010:0172 https://rhn.redhat.com/errata/RHSA-2010-0172.html
