Bug 241799 (CVE-2007-2894) - CVE-2007-2894: bochs guest OS local user DoS
Summary: CVE-2007-2894: bochs guest OS local user DoS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-2894
Product: Fedora
Classification: Fedora
Component: bochs
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Hans de Goede
QA Contact: Fedora Extras Quality Assurance
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On:
Blocks:
Reported: 2007-05-30 18:32 UTC by Ville Skyttä
Modified: 2007-11-30 22:12 UTC (History)

Fixed In Version: 2.3-7.fc7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-08-24 05:41:32 UTC
Type: ---



Description Ville Skyttä 2007-05-30 18:32:36 UTC
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2894

"The emulated floppy disk controller in Bochs 2.3 allows local users of the
guest operating system to cause a denial of service (virtual machine crash) via
unspecified vectors, resulting in a divide-by-zero error."

Comment 1 Hans de Goede 2007-06-02 07:49:44 UTC
I've contacted upstream about this, awaiting their response.


Comment 2 Hans de Goede 2007-07-18 17:37:10 UTC
Since upstream isn't making any progress with regards to this, I've investigated
this a bit further.

This CVE stems from someone doing virtual machine / PC research, and the original
report mentions not one but 2 vulnerabilities:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2893
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2894

2893 is a reproducible, most likely exploitable, buffer overflow in the ne2000
driver, for which a fix is in CVS. I will issue a fixed package for this shortly.

2894 is a report of a divide by zero error in the floppy, which the researcher
managed to trigger once by feeding random bytes to the emulated floppy
controller. This is not reproducible, and upstream has audited the code and can
not find any divide by zero conditions, so I'm assuming this issue is moot.
Comment 3 Fedora Update System 2007-07-19 16:45:17 UTC
bochs-2.3-5.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Lubomir Kundrak 2007-08-02 12:38:36 UTC
Reopening this. Hans: this bug was reported against FC6. Could you please also
update the FC6 version? Thanks.

Comment 5 Hans de Goede 2007-08-02 22:13:28 UTC
The FC-6 version was fixed at the same time as the F-7 version, but no bodhi, so
no announcement, closing again.


Comment 6 Hans de Goede 2007-08-22 07:52:45 UTC
Upstream wasn't happy about the report of a divide by zero error when feeding
random data to the floppy driver (happened / reported only once). So they have
investigated this issue again, and managed to find one divide by zero condition
after all. That should explain and really fix:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2894

See:
https://sourceforge.net/tracker/?func=detail&atid=112580&aid=1729822&group_id=12580

A new version of bochs with a fix for this included is building for all 3
supported Fedora releases as I type this.


Comment 7 Fedora Update System 2007-08-24 05:41:27 UTC
bochs-2.3-7.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

