Date: Tue, 13 May 2014 14:05:09 -0400 (EDT) From: cve-assign@...re.org To: ppandit@...hat.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE request: Qemu: usb: fix up post load checks -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > http://article.gmane.org/gmane.comp.emulators.qemu/272322 Here, it appears that the only security fix to http://git.qemu.org/?p=qemu.git;a=blob;f=hw/usb/bus.c;h=e48b19fc29bd9f831cc05990be73ddf49936d6a9;hb=HEAD is the insertion of the "dev->setup_index > dev->setup_len" test. In other words, although the patch corresponds to two bug discoverers, only one discoverer found a security problem. To clarify: we are currently interpreting "dev->setup_len == sizeof(dev->data_buf) seems fine, no need to fail migration" to mean that "dev->setup_len >= sizeof(dev->data_buf)" is too strict a test, and "dev->setup_len > sizeof(dev->data_buf)" is sufficient. It does not imply that an attacker can cross privilege boundaries and cause a denial of service (i.e., a failed migration) by triggering the "dev->setup_len == sizeof(dev->data_buf)" condition. The "dev->setup_index >= sizeof(dev->data_buf)" test was also removed. Similarly, we are interpreting this to mean that that test is superfluous. We are not interpreting this to mean that that test had allowed a denial of service attack. Use CVE-2014-3461 for the "When state is DATA, passing index > len will cause memcpy with negative length, resulting in heap overflow" issue. Note that a related recent commit: http://git.qemu.org/?p=qemu.git;a=commit;h=9f8e9895c504149d7048e9fc5eb5cbb34b16e49a has a CVE-2013-4541 assignment from Red Hat. See https://bugzilla.redhat.com/show_bug.cgi?id=1066384 The http://article.gmane.org/gmane.comp.emulators.qemu/272322 patch represents additional changes needed after that CVE-2013-4541 fix. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTcl5nAAoJEKllVAevmvmsgNMH/j/HABgwfnPX0rv8zn12h4w4 7Dybeu2XO7tUy3JrMZdz+DyUY5hu/4dk3/egKSTrRHsS0azm72+OmbI7m0Rxanke VvPcq7BJQuEZwNRUx8WplUUIVrBP4qz3kodSny/Rv5fsMdp8nWGl9GoR8HCZ/6m2 ffIb42sI3dGvmo8fyZPt0seSbZ0gp4H5YUlNlI5GMxJgl6CEOyiv5qp+GqvGnfyB MUcwRL05C1pTVdW19gwAnaJsJr8OF5GqKIAXoGbcee4GV5dMAyxex5nw4J5liL7V L1sJq71MsnjG5+wlyyeHd/1iTpeU9bVpkYQCs1+2XI/CF/eEIV0wZguawgSbeZg= =TKjZ -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ