Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 30 Nov 2015 14:32:00 +0530 (IST)
From: P J P <ppandit@...hat.com>
To: oss security list <oss-security@...ts.openwall.com>
cc: Qinghao Tang <luodalongde@...il.com>, Liu Ling <liuling-it@....cn>
Subject: CVE-2015-7504 Qemu: net: pcnet: heap overflow vulnerability in
 loopback mode

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

   Hello,

Qemu emulator built with the AMD PC-Net II Ethernet Controller support is 
vulnerable to a heap buffer overflow flaw. While receiving packets in the 
loopback mode, it appends CRC code to the receive buffer. If the data size 
given is same as the receive buffer size, the appended CRC code overwrites 4 
bytes beyond this 's->buffer' array.

A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw to crash the 
Qemu instance resulting in DoS or potentially execute arbitrary code with 
privileges of the Qemu process on the host.

Upstream fix:
- -------------
   -> https://lists.gnu.org/archive/html/qemu-devel/2015-11/msg06342.html


CVE-2015-7504 has been assigned to this issue by Red Hat Inc.

This issue was independently discovered by Qinghao Tang of QIHU 360 Marvel 
Team and Ling Liu of Qihoo 360 Inc.


Thank you.
- --
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJWXBCIAAoJEN0TPTL+WwQfFcAP/A1Avl24d0BptZ8jsmqXwhhl
GdG0cVnxkAgzoihwWcQykpOl/enXi7wsp1qC2WU6hzaqAZaKNSOmhlqwkztA+0tN
20+HEOItR96aHWzunRbGzZok9ypRD4MkicPkL53Cr0XiRWArzKKiSU7pcTlYkPQB
vrcOD8WZRFyRGGQxUDGsVnnCqwPwrubwBMDuebVkC6B2BdXi1fy3pVrgRwHPuKgP
2oIepF2lDM+RmdaMFcvyJBA75r9RnJSXUqiCsqLRWiY/UXzmXQqz32ywOAGhil7b
lfSZFehtqBESr4wdlzXHGjTHmdyFywVvLAr7cXyVT+l35hchKfKVZ/O+8PKa61Gc
09MXy+SeHE5NU1cmZHuB0CO+CbCpa2oCnDjifF5RTykItcP3o/NEjz/GeFXfjTKc
BWxB5vhhMZU+0Hsh3L/gN+5QwpH1bAyDh6zMGyX9cu2y6M1jGnNo0GIYx3hg94x3
Lc1N72n3VtVn1qFfok0QTDEK0futZQVKAw6uC4UaEcTWlQfBFQkq67KEBCSB2qRp
ddYdyzHTgxJkOQXz4vuV5hHxjtnJUXWc/S3MjyPZt1734dVi56yrVmAMnnWBVvR+
WF6ql8UjaCIYmOPnuzmi3iZad91iyzHREDEtjLzXs2R4VFI47sODmLas+3zjqHS8
kD76rYKh6VuhSafoveXJ
=niQP
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.