Bug 889301 (CVE-2012-6075) - CVE-2012-6075 qemu: e1000 driver buffer overflow when processing large packets when SBP and LPE flags are disabled
Status: CLOSED ERRATA
Alias: CVE-2012-6075
Product: Security Response
Classification: Other
Component: vulnerability   
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assignee: Red Hat Product Security
Whiteboard: impact=important,public=20121216,repo...
Keywords: Security
Depends On: 889304 889305 910839 910840 910841 910842 910843 910844 910845 918288
Blocks: 890969 912639 916344 916610 918294
 
Reported: 2012-12-20 18:07 UTC by Jan Lieskovsky
Modified: 2013-04-24 07:39 UTC (History)

Doc Type: Bug Fix
Last Closed: 2013-04-24 07:39:49 UTC




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0599 normal SHIPPED_LIVE Important: xen security update 2013-03-06 23:47:35 UTC
Red Hat Product Errata RHSA-2013:0608 normal SHIPPED_LIVE Important: kvm security update 2013-03-07 23:43:04 UTC
Red Hat Product Errata RHSA-2013:0609 normal SHIPPED_LIVE Important: qemu-kvm security update 2013-03-07 23:56:18 UTC
Red Hat Product Errata RHSA-2013:0610 normal SHIPPED_LIVE Important: qemu-kvm-rhev security update 2013-03-07 23:42:56 UTC
Red Hat Product Errata RHSA-2013:0636 normal SHIPPED_LIVE Important: rhev-hypervisor6 security and bug fix update 2013-03-13 18:47:11 UTC
Red Hat Product Errata RHSA-2013:0639 normal SHIPPED_LIVE Important: qemu-kvm-rhev security update 2013-03-12 21:57:30 UTC

Description Jan Lieskovsky 2012-12-20 18:07:58 UTC
A buffer overflow flaw was found in the way the e1000 emulated device driver of QEMU, a FAST! processor emulator, processed large received e1000 packets when the SBP and LPE flags were disabled. If the underlying network was configured to allow large (jumbo) packets, a remote attacker could use this flaw to cause the guest in question to crash (DoS) or, potentially, to execute arbitrary code on the guest system with kernel-level privileges.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696051
[2] http://www.openwall.com/lists/oss-security/2012/12/19/9
[3] http://thread.gmane.org/gmane.comp.emulators.qemu/182666
[4] http://www.openwall.com/lists/oss-security/2013/01/17/12

Relevant upstream patches:
[5] http://git.qemu.org/?p=qemu.git;a=commitdiff;h=b0d9ffcd0251161c7c92f94804dcf599dfa3edeb
    http://git.qemu.org/?p=qemu.git;a=commitdiff;h=2c0331f4f7d241995452b99afaf0aab00493334a
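As an added illustration (this is not code from this bug, from QEMU, or from the reporter): a C model of the receive-side length gate that the two upstream commits above introduce, next to the pre-fix behaviour of passing every frame through. The RCTL bit values and the 1522/16384-byte limits are those used by the QEMU fixes; the guest-side sizes (a 2048-byte device buffer backed by a 1522-byte allocation while LPE is clear) are assumptions made for this example, to show why an unfiltered long frame overruns a guest that sized its receive buffers for standard frames.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RCTL bits (e1000 datasheet / QEMU e1000_hw.h). */
#define E1000_RCTL_SBP 0x00000004   /* Store Bad Packets */
#define E1000_RCTL_LPE 0x00000020   /* Long Packet Enable */

/* Limits from the upstream fixes: the largest frame the hardware accepts
 * with LPE=0 (1500 MTU + 14 header + 4 VLAN + 4 FCS) and with LPE=1. */
#define MAXIMUM_ETHERNET_VLAN_SIZE 1522
#define MAXIMUM_ETHERNET_LPE_SIZE  16384

/* Modelled guest-side sizes (assumptions for this example only): with a
 * standard MTU the guest programs 2048-byte device buffers (RCTL.BSIZE)
 * but backs each descriptor with a 1522-byte allocation, relying on the
 * NIC to drop longer frames when LPE=0. With LPE=1 the guest is assumed
 * to allocate buffers matching the device buffer size. */
#define GUEST_DEVICE_BSIZE   2048
#define GUEST_SKB_ALLOC_LPE0 1522

/* Pre-fix behaviour: e1000_receive() never filtered on frame length. */
static bool should_discard_vulnerable(size_t size, uint32_t rctl)
{
    (void)size; (void)rctl;
    return false;
}

/* After b0d9ffcd: drop frames longer than 1522 bytes unless LPE or SBP is set. */
static bool should_discard_first_fix(size_t size, uint32_t rctl)
{
    return size > MAXIMUM_ETHERNET_VLAN_SIZE
        && !(rctl & E1000_RCTL_LPE)
        && !(rctl & E1000_RCTL_SBP);
}

/* After 2c0331f4: additionally cap LPE=1 frames at 16384 bytes;
 * SBP still overrides both limits, as on real hardware. */
static bool should_discard_fixed(size_t size, uint32_t rctl)
{
    return (size > MAXIMUM_ETHERNET_LPE_SIZE
            || (size > MAXIMUM_ETHERNET_VLAN_SIZE && !(rctl & E1000_RCTL_LPE)))
        && !(rctl & E1000_RCTL_SBP);
}

/* Bytes the device DMAs into the first receive descriptor's buffer for a
 * frame that passed the gate (QEMU chunks a frame at the device buffer size).
 * Returns 0 when the gate drops the frame. */
static size_t first_desc_dma_len(size_t size, uint32_t rctl,
                                 bool (*gate)(size_t, uint32_t))
{
    if (gate(size, rctl))
        return 0;
    return size < GUEST_DEVICE_BSIZE ? size : GUEST_DEVICE_BSIZE;
}

/* Size of the modelled guest allocation behind each descriptor. */
static size_t guest_alloc_size(uint32_t rctl)
{
    return (rctl & E1000_RCTL_LPE) ? GUEST_DEVICE_BSIZE : GUEST_SKB_ALLOC_LPE0;
}

/* True when that DMA would run past the modelled guest buffer. */
static bool guest_buffer_overrun(size_t size, uint32_t rctl,
                                 bool (*gate)(size_t, uint32_t))
{
    return first_desc_dma_len(size, rctl, gate) > guest_alloc_size(rctl);
}

int main(void)
{
    const size_t frames[] = { 1514, 1522, 1600, 2000, 9000, 20000 };
    const uint32_t rctls[] = { 0, E1000_RCTL_LPE, E1000_RCTL_SBP };
    const char *names[] = { "LPE=0 SBP=0", "LPE=1 SBP=0", "LPE=0 SBP=1" };

    for (size_t r = 0; r < sizeof rctls / sizeof rctls[0]; r++) {
        for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++) {
            bool vuln = guest_buffer_overrun(frames[i], rctls[r], should_discard_vulnerable);
            bool fixed = guest_buffer_overrun(frames[i], rctls[r], should_discard_fixed);
            printf("%-12s frame=%5zu  unpatched:%-8s patched:%s\n", names[r], frames[i],
                   vuln ? "OVERRUN" : "ok", fixed ? "OVERRUN" : "ok");
        }
    }
    return 0;
}
```

Compile with any C99 compiler and run. With LPE and SBP both clear, the unpatched gate lets a 2000-byte frame through and the device writes 2000 bytes into a buffer the guest sized at 1522; the patched gate drops it. The patched gate deliberately still passes oversized frames when SBP is set, because the hardware it emulates stores bad packets in that mode; a guest that sets SBP while keeping 1522-byte buffers is misconfigured rather than attacked.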

Comment 1 Jan Lieskovsky 2012-12-20 18:13:19 UTC
This issue affects the versions of the qemu package, as shipped with Fedora releases 16 and 17. Please schedule an update.

--

This issue (probably [*]) affects the version of the qemu package, as shipped with Fedora EPEL 5. Please schedule an update.

[*] Saying "probably" above, since in the Fedora EPEL 5 version the e1000_receive() routine is declared as returning void, in contrast to more recent versions. Therefore I am not definitely sure the deficiency would be present in this version too. It needs further investigation by someone more familiar with the code. P.S.: Feel free to close the upcoming epel-5 bug (if you realise this isn't an issue for the Fedora EPEL 5 version). Thank you, Jan.

Comment 2 Jan Lieskovsky 2012-12-20 18:14:28 UTC
Created qemu tracking bugs for this issue

Affects: fedora-all [bug 889304]
Affects: epel-5 [bug 889305]

Comment 3 Jan Lieskovsky 2013-01-02 09:44:08 UTC
The CVE identifier of CVE-2012-6075 has been assigned to this issue:
  http://www.openwall.com/lists/oss-security/2012/12/30/1

Comment 4 Fedora Update System 2013-01-26 15:56:07 UTC
qemu-1.0.1-3.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2013-01-26 16:03:16 UTC
qemu-1.2.2-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2013-01-28 15:19:46 UTC
qemu-0.15.1-9.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Petr Matousek 2013-02-13 16:57:03 UTC
Created xen tracking bugs for this issue

Affects: fedora-all [bug 910845]

Comment 11 Petr Matousek 2013-02-13 17:12:26 UTC
Statement:

(none)

Comment 18 errata-xmlrpc 2013-03-06 18:49:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0599 https://rhn.redhat.com/errata/RHSA-2013-0599.html

Comment 19 errata-xmlrpc 2013-03-07 18:45:36 UTC
This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2013:0610 https://rhn.redhat.com/errata/RHSA-2013-0610.html

Comment 20 errata-xmlrpc 2013-03-07 18:45:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0608 https://rhn.redhat.com/errata/RHSA-2013-0608.html

Comment 21 errata-xmlrpc 2013-03-07 19:00:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0609 https://rhn.redhat.com/errata/RHSA-2013-0609.html

Comment 22 errata-xmlrpc 2013-03-12 17:58:39 UTC
This issue has been addressed in the following products:

  OpenStack Folsom for RHEL 6

Via RHSA-2013:0639 https://rhn.redhat.com/errata/RHSA-2013-0639.html

Comment 23 errata-xmlrpc 2013-03-13 14:47:38 UTC
This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2013:0636 https://rhn.redhat.com/errata/RHSA-2013-0636.html

