[VIM] Clarification on old QEMU/NE2000/Xen issues

Steven M. Christey coley at mitre.org
Tue Oct 30 21:37:20 UTC 2007


Do NOT ask me how long it took to iron all this out, but I thought I'd
explain what I know so far, 'cause it's still not all set in stone :-(

In April/May, Tavis Ormandy released a paper on issues in emulator
packages including Qemu, Bochs, and others.  I had provided some CVEs
to him, but there were a couple of gaps, and patches started getting
released before I could resolve everything on vendor-sec (I share much
of the blame in this for not actively following up, alas).

As a result of the internal confusion, we had:

 CVE-2007-1321 being used in DEBIAN:DSA-1284 to actually talk about 3
 separate issues, where REDHAT:RHSA-2007:0323 only meant to cover one
 of them with that same CVE.

 CVE-2007-1323 was accidentally associated as part of the Qemu
 patches, but it was meant for Bochs (this error came from me making
 some poor formatting decisions in an email to vendor-sec)

Further complicating this was Xen, which had some of these issues, I
still don't know which.

As of this moment, I've created a couple of CVEs.

  CVE-2007-1321 - receive integer signedness

  CVE-2007-5729 (NEW) - "mtu" heap overflow

  CVE-2007-5730 (NEW) - "net socket" heap overflow

  CVE-2007-1323 - REJECTED because it was used for multiple issues/products;
                  Bochs NE2000 RX Frame heap overflow is CVE-2007-2893


I've got an inquiry in to see which of these lower-level CVEs were
addressed in Xen.

Current CVEs are below.

- Steve


======================================================
Name: CVE-2007-1321
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1321
Reference: MISC:http://taviso.decsystem.org/virtsec.pdf
Reference: DEBIAN:DSA-1284
Reference: URL:http://www.debian.org/security/2007/dsa-1284
Reference: REDHAT:RHSA-2007:0323
Reference: URL:http://www.redhat.com/support/errata/RHSA-2007-0323.html

Integer signedness error in the NE2000 emulator in QEMU 0.8.2 allows
local users to trigger a heap-based buffer overflow via certain
register values that bypass sanity checks, aka QEMU NE2000 "receive"
integer signedness error.  NOTE: this identifier was inadvertently
used by some sources to cover multiple issues that were labeled
"NE2000 network driver and the socket code," but separate identifiers
have been created for the individual vulnerabilities since there are
sometimes different fixes; see CVE-2007-5729 and CVE-2007-5730.


======================================================
Name: CVE-2007-1323
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1323

** REJECT **

DO NOT USE THIS CANDIDATE NUMBER.  ConsultIDs: CVE-2007-2893.  Reason:
this candidate was intended for one issue, but some sources used this
identifier for a separate issue, and a duplicate identifier had also
been created by the time dual use was detected.  Notes: All CVE users
should consult CVE-2007-2893 to determine if it is appropriate.  All
references and descriptions in this candidate have been removed to
prevent accidental usage.


======================================================
Name: CVE-2007-2893
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2893
Reference: MISC:http://taviso.decsystem.org/virtsec.pdf
Reference: DEBIAN:DSA-1351
Reference: URL:http://www.debian.org/security/2007/dsa-1351
Reference: BID:24246
Reference: URL:http://www.securityfocus.com/bid/24246
Reference: FRSIRT:ADV-2007-1936
Reference: URL:http://www.frsirt.com/english/advisories/2007/1936
Reference: SECUNIA:25470
Reference: URL:http://secunia.com/advisories/25470
Reference: SECUNIA:26364
Reference: URL:http://secunia.com/advisories/26364
Reference: XF:bochs-ne2000-bo(34508)
Reference: URL:http://xforce.iss.net/xforce/xfdb/34508

Heap-based buffer overflow in the bx_ne2k_c::rx_frame function in
iodev/ne2k.cc in the emulated NE2000 device in Bochs 2.3 allows local
users of the guest operating system to write to arbitrary memory
locations and gain privileges on the host operating system via vectors
that cause TXCNT register values to exceed the device memory size, aka
"RX Frame heap overflow."


======================================================
Name: CVE-2007-5729
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5729
Reference: MISC:http://taviso.decsystem.org/virtsec.pdf
Reference: DEBIAN:DSA-1284
Reference: URL:http://www.debian.org/security/2007/dsa-1284

The NE2000 emulator in QEMU 0.8.2 allows local users to execute
arbitrary code by writing Ethernet frames with a size larger than the
MTU to the EN0_TCNT register, which triggers a heap-based buffer
overflow in the slirp library, aka NE2000 "mtu" heap overflow.  NOTE:
some sources have used CVE-2007-1321 to refer to this issue as part of
"NE2000 network driver and the socket code," but this is the correct
identifier for the mtu overflow vulnerability.


======================================================
Name: CVE-2007-5730
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5730
Reference: MISC:http://taviso.decsystem.org/virtsec.pdf
Reference: DEBIAN:DSA-1284
Reference: URL:http://www.debian.org/security/2007/dsa-1284

Heap-based buffer overflow in QEMU 0.8.2 allows local users to execute
arbitrary code via crafted data in the "net socket listen" option, aka
QEMU "net socket" heap overflow.  NOTE: some sources have used
CVE-2007-1321 to refer to this issue as part of "NE2000 network driver
and the socket code," but this is the correct identifier for the
individual net socket listen vulnerability.
