Xen.org security team
2013-Jan-16 14:50 UTC
Xen Security Advisory 41 (CVE-2012-6075) - qemu (e1000 device driver): Buffer overflow when processing large packets
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2012-6075 / XSA-41

  qemu (e1000 device driver): Buffer overflow when processing large packets

SUMMARY AND SOURCES OF INFORMATION
=================================

An issue in qemu has been disclosed which we believe affects some users of Xen. The Qemu project has not itself issued an advisory.

More information may be available in the advisories published by the distros:
  https://bugzilla.redhat.com/show_bug.cgi?id=889301
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696051

CAVEAT
======

For full and accurate information please refer to those advisories. We have not conducted a full review of the information and patches provided. The rest of the information in this advisory is true to the best of our knowledge at the time of writing.

IMPACT
======

The vulnerability impacts any host running HVM (Fully-Emulated) guests which are configured with an e1000 NIC (using "model=e1000") in their VIF configuration. Note that the default emulated NIC is "rtl8139" which is not vulnerable.

In a vulnerable configuration a hostile network packet may be able to corrupt the memory of the guest, leading to a guest DoS or remote privilege escalation.

We do not believe that this issue enables an attack against the host.

MITIGATION
==========

Limiting the size of network frames (e.g. by disabling jumbo frames) on the local network and the Xen bridge may reduce or eliminate guests' vulnerability to the bug.

RESOLUTION
==========

The patch is this git commit:
  http://git.qemu.org/?p=qemu.git;a=commitdiff;h=b0d9ffcd0251161c7c92f94804dcf599dfa3edeb

The fix has been applied to all qemu branches contained in Xen version 4.1 onwards.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQ9r4JAAoJEIP+FMlX6CvZkmcH+gPMPr1x2G381ytNGLcPjiZI
HAYlaRt2dGg2DBFCaTLTuJJ16DztNLsv4hPab25fAs/eTq3SRvtwsYZkzZ0YgUct
ItdGseV9IoHRs5xvzkU5yzo/VScBb3hn5T+yMh2uQ1PS5EG+GFEjJlUxeggKEsQW
IJMY2+lIPElX8VdYKVIxS/M9IeNlT56sALXE4aA+FylX8CIbPlnErZF5AgubY5Pd
MUSnp72CwYjTkfBBvMYpFgxaDVVep72UEhSC1LlN84kIgQ/bXlr7C74G4fi6SvS/
YnyDAld6sX7ALAYzCEO0qYd9VjTUjKh0vv0lvttJXRdUrDN1fwbKhuGWeKFsASI=
=12x9
-----END PGP SIGNATURE-----

_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users
Xen.org security team
2013-Jan-17 12:28 UTC
Xen Security Advisory 41 (CVE-2012-6075) - qemu (e1000 device driver): Buffer overflow when processing large packets
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2012-6075 / XSA-41
                              version 2

  qemu (e1000 device driver): Buffer overflow when processing large packets

UPDATES IN VERSION 2
====================

Add a reference to a second required patch.

SUMMARY AND SOURCES OF INFORMATION
=================================

An issue in qemu has been disclosed which we believe affects some users of Xen. The Qemu project has not itself issued an advisory.

More information may be available in the advisories published by the distros:
  https://bugzilla.redhat.com/show_bug.cgi?id=889301
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696051

CAVEAT
======

For full and accurate information please refer to those advisories. We have not conducted a full review of the information and patches provided. The rest of the information in this advisory is true to the best of our knowledge at the time of writing.

IMPACT
======

The vulnerability impacts any host running HVM (Fully-Emulated) guests which are configured with an e1000 NIC (using "model=e1000") in their VIF configuration. Note that the default emulated NIC is "rtl8139" which is not vulnerable.

In a vulnerable configuration a hostile network packet may be able to corrupt the memory of the guest, leading to a guest DoS or remote privilege escalation.

We do not believe that this issue enables an attack against the host.

MITIGATION
==========

Limiting the size of network frames (e.g. by disabling jumbo frames) on the local network and the Xen bridge may reduce or eliminate guests' vulnerability to the bug.

RESOLUTION
==========

There are two patches required. See these git commits:
  http://git.qemu.org/?p=qemu.git;a=commitdiff;h=b0d9ffcd0251161c7c92f94804dcf599dfa3edeb
  http://git.qemu.org/?p=qemu.git;a=commitdiff;h=2c0331f4f7d241995452b99afaf0aab00493334a

These fixes have both been applied to all qemu branches contained in Xen version 4.1 onwards.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQ9+sEAAoJEIP+FMlX6CvZMwwH/22uA3uKWWK78IdsyjtUx6mv
9IvBW+8gZn80eLaEURYI0zAR8CXpU20OHCWnPKpD2j8OfRdZDNyUCPIcQP6ztMD5
RqUoha0sYW7VeTmPADZmdy5MhjpOaJyhoPibpNeWwhJzX6xf0ukKEuNu4GIMzGf7
tEV90TIi8BevbO9KrNGnU7y1Pj1ZEj8OgBR6TmK0FcJ6A7g45ocIGQyKYHxzqc5U
Akk5zgkr895DFUZr/88nHL1Bl7JH+PUIiVUrvco2OG0h06Jrgp4quovI0hzF/zvq
yv5SqWyzABd6/QE9DRz9t+VLn4kiF3/c9Zb9XbGwHmhmJYlI8mTKqvD2Q0YMkE0=
=Xwyw
-----END PGP SIGNATURE-----
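The IMPACT section of both advisory versions above gives the concrete exposure condition: an HVM guest whose VIF configuration selects "model=e1000", with an omitted model falling back to the rtl8139 default that the advisory says is not vulnerable. The following script audits guest configuration files for that condition so an administrator can list which guests need the patched qemu or the frame-size mitigation. It is an added example, not part of the advisory and not a Xen tool. It assumes (labelled in the code) the xm/xl-style config syntax of a `vif = [...]` list of comma-separated key=value strings, that HVM guests are marked by `builder` or `type` set to "hvm", and that the sample configurations embedded below are constructed for illustration.

```python
"""
Audit Xen guest configuration files for the XSA-41 exposure condition:
an HVM guest with an emulated e1000 NIC.

Added example, not part of the advisory and not Xen's own tooling.
Assumptions: xm/xl-style configs with `vif = [ '...', '...' ]` entries of
comma-separated key=value options; HVM guests carry builder="hvm" or
type="hvm"; a missing model means the rtl8139 default, which the advisory
states is not vulnerable.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

DEFAULT_MODEL = "rtl8139"    # default emulated NIC named in the advisory
VULNERABLE_MODEL = "e1000"   # model named in XSA-41


@dataclass
class Finding:
    guest: str
    vif_index: int
    model: str
    bridge: str
    vulnerable: bool


def parse_vif_list(config_text: str) -> List[Dict[str, str]]:
    """Return one {option: value} dict per entry of the guest's `vif` list."""
    m = re.search(r"^\s*vif\s*=\s*\[(.*?)\]", config_text, re.S | re.M)
    if not m:
        return []
    entries = re.findall(r"""['"]([^'"]*)['"]""", m.group(1))
    vifs = []
    for entry in entries:
        opts = {}
        for kv in entry.split(","):
            kv = kv.strip()
            if not kv:
                continue
            key, _, value = kv.partition("=")
            opts[key.strip()] = value.strip()
        vifs.append(opts)
    return vifs


def is_hvm(config_text: str) -> bool:
    """Only HVM guests get a qemu-emulated NIC (assumed config keys builder/type)."""
    return re.search(r"""^\s*(builder|type)\s*=\s*['"]hvm['"]""",
                     config_text, re.M) is not None


def audit_config(name: str, config_text: str) -> List[Finding]:
    """One Finding per VIF of an HVM guest; PV guests are out of scope."""
    if not is_hvm(config_text):
        return []
    findings = []
    for i, opts in enumerate(parse_vif_list(config_text)):
        model = opts.get("model", DEFAULT_MODEL)
        findings.append(Finding(name, i, model, opts.get("bridge", "?"),
                                model == VULNERABLE_MODEL))
    return findings


def affected_guests(configs: Dict[str, str]) -> List[str]:
    """Names of guests with at least one e1000 VIF, sorted for stable output."""
    return sorted({f.guest
                   for name, text in configs.items()
                   for f in audit_config(name, text) if f.vulnerable})


# Constructed sample configurations (not from any real host).
SAMPLE_CONFIGS = {
    "web01": 'builder = "hvm"\nname = "web01"\n'
             'vif = [ "bridge=xenbr0,model=e1000,mac=00:16:3e:00:00:01" ]\n',
    "db01":  "builder = 'hvm'\nname = 'db01'\n"
             "vif = [ 'bridge=xenbr0', 'bridge=xenbr1,model=rtl8139' ]\n",
    # PV guest: no emulated NIC, so the advisory does not apply even with model set.
    "pv01":  "kernel = '/boot/vmlinuz'\nname = 'pv01'\n"
             "vif = [ 'bridge=xenbr0,model=e1000' ]\n",
}

if __name__ == "__main__":
    for guest, text in SAMPLE_CONFIGS.items():
        for f in audit_config(guest, text):
            status = "VULNERABLE (XSA-41)" if f.vulnerable else "ok"
            print(f"{f.guest} vif{f.vif_index} model={f.model} bridge={f.bridge}: {status}")
    print("guests needing the qemu fix:", affected_guests(SAMPLE_CONFIGS))
```

In practice the dictionary would be filled by reading each file under the host's guest configuration directory; the parser only needs the `vif` and `builder`/`type` lines, so other settings in the file are ignored. Treating an absent model as rtl8139 follows the advisory's statement about the default; if a deployment overrides the default elsewhere, that assumption should be revisited.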