There isn't proper checking in legacy mode packets such that if two large packets arrive back to back without the EOP flag set in the first packet, you can easily overrun your buffer. Because data is written to the packets after the packet is processed, this could allow a heap overflow which is exploitable.

Acknowledgements: Red Hat would like to thank Nicolae Mogoreanu for reporting this issue.
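The failure mode described above, reduced to a small C simulation. This is an added illustration, not code from QEMU, xen or kvm: the buffer sizes (TX_DATA_SIZE, NEIGHBOUR_SIZE), the struct and function names, and the two-descriptor guest sequence are all assumed here. The accumulation buffer and the object that would follow it on the heap are placed in one array so the out-of-bounds write stays inside memory the program owns and can be checked, instead of corrupting the demo's own heap. The vulnerable handler appends each fragment without comparing the running size against the buffer, so a full-size fragment without EOP followed by a second one lands past the end; the fixed handler clamps every fragment to the room left.

```c
/* Illustrative model of a legacy-mode transmit path with the EOP bug
 * described above.  Not the device emulator's real code; all names and
 * sizes are assumptions made for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TX_DATA_SIZE   1024   /* assumed size of the packet accumulation buffer */
#define NEIGHBOUR_SIZE 64     /* stands in for the heap object that follows it */

struct tx_desc {
    const uint8_t *buf;       /* guest-supplied fragment */
    size_t len;
    bool eop;                 /* end-of-packet flag set by the guest */
};

struct tx_state {
    /* region[0..TX_DATA_SIZE) is the accumulation buffer; the tail models
     * whatever lives next on the heap, filled with a canary so corruption
     * is detectable.  One array keeps the overrun well defined for the demo. */
    uint8_t region[TX_DATA_SIZE + NEIGHBOUR_SIZE];
    size_t size;              /* bytes accumulated for the packet in progress */
    size_t sent;              /* packets completed */
};

static void tx_reset(struct tx_state *st)
{
    memset(st, 0, sizeof *st);
    memset(st->region + TX_DATA_SIZE, 0xAA, NEIGHBOUR_SIZE);
}

/* Vulnerable pattern: trusts the guest to set EOP before the buffer fills.
 * The only bound applied is against the demo's region[] so the write never
 * leaves memory we own; a real device has no such backstop. */
static void process_tx_desc_vuln(struct tx_state *st, const struct tx_desc *d)
{
    size_t bytes = d->len;
    if (st->size + bytes > sizeof st->region)
        bytes = sizeof st->region - st->size;
    memcpy(st->region + st->size, d->buf, bytes);   /* may run past TX_DATA_SIZE */
    st->size += bytes;
    if (!d->eop)
        return;               /* more fragments expected: keep accumulating */
    st->sent++;
    st->size = 0;
}

/* Fixed pattern: clamp each fragment to the room left in the buffer, whether
 * or not the guest ever sets EOP. */
static void process_tx_desc_fixed(struct tx_state *st, const struct tx_desc *d)
{
    size_t bytes = d->len;
    if (st->size + bytes > TX_DATA_SIZE)
        bytes = TX_DATA_SIZE - st->size;
    memcpy(st->region + st->size, d->buf, bytes);
    st->size += bytes;
    if (!d->eop)
        return;
    st->sent++;
    st->size = 0;
}

static bool neighbour_intact(const struct tx_state *st)
{
    for (size_t i = 0; i < NEIGHBOUR_SIZE; i++)
        if (st->region[TX_DATA_SIZE + i] != 0xAA)
            return false;
    return true;
}

/* Replays the constructed guest sequence (two full-size fragments, the first
 * without EOP) through the given handler; returns whether the neighbouring
 * object survived. */
static bool run_guest_sequence(void (*fn)(struct tx_state *, const struct tx_desc *))
{
    static uint8_t payload[TX_DATA_SIZE];
    memset(payload, 0x41, sizeof payload);          /* constructed filler */
    const struct tx_desc descs[2] = {
        { payload, sizeof payload, false },          /* fills the buffer, no EOP */
        { payload, sizeof payload, true  },          /* second fragment overruns */
    };
    struct tx_state st;
    tx_reset(&st);
    for (int i = 0; i < 2; i++)
        fn(&st, &descs[i]);
    return neighbour_intact(&st);
}

int main(void)
{
    printf("vulnerable handler: neighbour %s\n",
           run_guest_sequence(process_tx_desc_vuln) ? "intact" : "CORRUPTED");
    printf("fixed handler:      neighbour %s\n",
           run_guest_sequence(process_tx_desc_fixed) ? "intact" : "CORRUPTED");
    return 0;
}
```

The check that matters is the one made before the copy: the size a guest can accumulate must be bounded by the emulator, never by a flag the guest controls. A second fragment that arrives with no room left is simply truncated (the clamp yields zero bytes) rather than written past the buffer.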
This issue did affect the versions of the xen package as shipped with Red Hat Enterprise Linux 5. This issue did affect the versions of the kvm package as shipped with Red Hat Enterprise Linux 5. This issue did affect the versions of the qemu-kvm package as shipped with Red Hat Enterprise Linux 6.
Created qemu tracking bugs for this issue

Affects: fedora-all [bug 783984]
This issue has been addressed in the following products: Red Hat Enterprise Linux 5, via RHSA-2012:0051 https://rhn.redhat.com/errata/RHSA-2012-0051.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6, via RHSA-2012:0050 https://rhn.redhat.com/errata/RHSA-2012-0050.html
Statement: (none)
This issue has been addressed in the following products: RHEV-H and Agents for RHEL-6, via RHSA-2012:0109 https://rhn.redhat.com/errata/RHSA-2012-0109.html
This issue has been addressed in the following products: RHEV-H, V2V and Agents for RHEL-5, via RHSA-2012:0168 https://rhn.redhat.com/errata/RHSA-2012-0168.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5, via RHSA-2012:0370 https://rhn.redhat.com/errata/RHSA-2012-0370.html
qemu-0.15.1-5.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
qemu-0.14.0-9.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.