"The emulated floppy disk controller in Bochs 2.3 allows local users of the
guest operating system to cause a denial of service (virtual machine crash) via
unspecified vectors, resulting in a divide-by-zero error."
I've contacted upstream about this, awaiting their response.
Since upstream isn't making any progress with regards to this, I've investigated
this a bit further.
This CVS stems from someone doing virtual machine / pc research and the original
report mentions not one but 2 vulnerabilities:
2893 is a reproducible, most likely exploitable, buffer overflow in the ne2000
driver. For which a fix is in CVS, I will issue a fixed package for this shortly
2894 is a report of a divide by zero error in the floppy, which the researcher
managed to trigger once by feeding random bytes to the emulated floppy
controller. This is not reproducable, and upstream has audited the code and can
not find any divide by zero conditions, so I'm assuming this issue is moot.
bochs-2.3-5.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Reopening this. Hans: this bug was reported against FC6. Could you please also
update the FC6 version? Thanks.
The FC-6 version was fixed at the same time as the F-7 version, but no bodhi, so
no anouncement, closing again.
Upstream wasn't happy about the report of a divide by zero error when feeding
random data to the floppy driver (happened / reported only once). So they have
investigated this issue again, and managed to find one divide by zero condition
after all. That should explain and really fix:
A new version of bochs with a fix for this included is building for all 3
supported Fedora releases as I type this.
bochs-2.3-7.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.