Bug 237342 (CVE-2007-1320) - CVE-2007-1320 xen/qemu Cirrus LGD-54XX "bitblt" Heap Overflow
Summary: CVE-2007-1320 xen/qemu Cirrus LGD-54XX "bitblt" Heap Overflow
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2007-1320
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 237467 296271 296281 448524 448525 CVE-2008-4539
Blocks: 471055
TreeView+ depends on / blocked
 
Reported: 2007-04-20 21:41 UTC by Marcel Holtmann
Modified: 2019-09-29 12:20 UTC (History)
11 users (show)

Fixed In Version: 65-7.fc9
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-07-13 17:55:13 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0323 0 normal SHIPPED_LIVE Important: xen security update 2007-10-02 20:53:38 UTC

Description Marcel Holtmann 2007-04-20 21:41:55 UTC
The cirrus_invalidate_region() routine used during video-to-video copy
operations in the cirrus vga extension code omits bounds checking in
multiple locations, allowing you to overwrite adjacent buffers by
attempting to mark non-existent regions as dirty. Successful
exploitation would result in a complete compromise of the qemu
process. Additionally multiple bitblt operations omit bounds checking,
where the srcpitch or dstpitch coefficients cause the operation to
exceed the bounds of the vram buffer.

Comment 1 Daniel Berrangé 2007-04-25 00:04:36 UTC
Upstream applied this fix:

http://xenbits.xensource.com/xen-unstable.hg?rev/9e86260b95a4


Comment 2 RHEL Program Management 2007-05-04 13:27:07 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 5 Mark J. Cox 2007-09-19 13:21:18 UTC
public via http://taviso.decsystem.org/virtsec.pdf

Comment 8 Tomas Hoger 2008-05-27 06:50:45 UTC
It seems that this issue did not get fixed in qemu / kvm at the time of fix
being applied to Xen.  Following patch was recently applied in the qemu SVN to
address this issue:

http://svn.savannah.gnu.org/viewvc/?view=rev&root=qemu&revision=4340

Cirrus seems to be the default graphics adapter used by current kvm versions.


Comment 9 Glauber Costa 2008-05-27 13:14:10 UTC
I created bugs #448524 and #448525 as clones of this one for Fedora.

Comment 10 Lubomir Rintel 2008-05-27 14:09:57 UTC
*** Bug 448524 has been marked as a duplicate of this bug. ***

Comment 11 Fedora Update System 2008-05-29 02:33:07 UTC
kvm-65-7.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2008-05-29 02:48:57 UTC
kvm-60-6.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Don Dutile (Red Hat) 2008-09-03 17:06:02 UTC
Closing since XS patch was applied to RHEL5 when it rebased to xen-3.1.0
and comment 11 & comment 12 indicate the fix is included in fc8 & fc9.

Comment 14 Tomas Hoger 2008-09-04 06:52:30 UTC
Is this fixed in current qemu versions as well?

Comment 16 Atsushi SAKAI 2008-11-04 04:11:50 UTC
Hi, Tomas

I am looking around the patch.
It needs to add originally.
Since 0.9.1 Released on Jan 2008,
But a patch itself created on after that.

=====
version change
bellard [Sun, 6 Jan 2008 17:10:54 +0000 (17:10 +0000)]

http://git.kernel.dk/?p=qemu.git;a=commitdiff;h=bfe312121eb80226f0cb2d4b7c2b9b5fafecd93e
=======

1)CVE-2007-1320 - Cirrus LGD-54XX "bitblt" heap overflow
aurel32 [Mon, 5 May 2008 21:26:31 +0000 (21:26 +0000)]

I have just noticed that patch for CVE-2007-1320 has never been applied
to the QEMU CVS. Please find it below.
http://git.kernel.dk/?p=qemu.git;a=commitdiff;h=b2eb849d4b1fdb6f35d5c46958c7f703cf64cfef


2)CVE-2008-4539: fix a heap overflow in Cirrus emulation
aurel32 [Sat, 1 Nov 2008 00:53:39 +0000 (00:53 +0000)]

The code in hw/cirrus_vga.c has changed a lot between CVE-2007-1320 has
been announced and the patch has been applied. As a consequence it has
wrongly applied and QEMU is still vulnerable to this bug if using VNC.

(noticed by Jan Niehusmann)

http://git.kernel.dk/?p=qemu.git;a=commitdiff;h=65d35a09979e63541afc5bfc595b9f1b1b4ae069

Thanks
Atsushi SAKAI

Comment 20 Tomas Hoger 2008-11-11 14:45:40 UTC
Atsushi, thanks for providing links to qemu upstream commits.

I checked status of qemu, kvm and xen packages currently in Fedora with respect to this bug and CVE-2008-4539.

qemu:
- versions checked:
  qemu-0.9.0-7.fc8 qemu-0.9.1-6.fc9 qemu-0.9.1-10.fc10
- no patch applied, all versions require patch for CVE-2007-1320
- as CVE-2007-1320 was not yet addressed in qemu, CVE-2008-4539 does not apply

kvm:
- versions checked:
  kvm-60-6.fc8 kvm-65-10.fc9 kvm-74-5.fc10 kvm-78-4.fc11
- all versions have original patch for CVE-2007-1320, which is also included
  in upstream sources in 70
- all require patch for CVE-2008-4539

xen:
- xen upstream seems to use completely different patch to address this issue, see comment #1 or:
http://xenbits.xensource.com/xen-3.1-testing.hg?file/623a07dda15c/tools/ioemu/patches/qemu-cirrus-bounds-checks

Comment 21 Chris Lalancette 2011-07-13 17:55:13 UTC
This is ancient, and all of the affected versions have been patches (as far as I know).  Closing this out.


Note You need to log in before you can comment on or make changes to this bug.