Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <E1TvUJp-0002SX-TY@xenbits.xen.org>
Date: Wed, 16 Jan 2013 14:50:21 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 41 (CVE-2012-6075) - qemu (e1000 device
 driver): Buffer overflow when processing large packets

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2012-6075 / XSA-41
 qemu (e1000 device driver): Buffer overflow when processing large packets

SUMMARY AND SOURCES OF INFORMATION
==================================

An issue in qemu has been disclosed which we believe affects some
users of Xen.

The Qemu project has not itself issued an advisory. More information
may be available in the advisories published by the distros:

https://bugzilla.redhat.com/show_bug.cgi?id=889301
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696051

CAVEAT
======

For full and accurate information please refer to those advisories.
We have not conducted a full review of the information and patches
provided.

The rest of the information in this advisory is true to the best of
our knowledge at the time of writing.

IMPACT
======

The vulnerability impacts any host running HVM (Fully-Emulated) guests
which are configured with an e1000 NIC (using "model=e1000") in their
VIF configuration. Note that the default emulated NIC is "rtl8139"
which is not vulnerable.

In a vulnerable configuration a hostile network packet may be able to
corrupt the memory of the guest, leading to a guest DoS or remote
privilege escalation.

We do not believe that this issue enables an attack against the host.

MITIGATION
==========

Limiting the size of network frames (e.g. by disabling jumbo frames)
on the local network and the Xen bridge may reduce or eliminate
guests' vulnerability to the bug.

RESOLUTION
==========

The patch is this git commit:
  http://git.qemu.org/?p=qemu.git;a=commitdiff;h=b0d9ffcd0251161c7c92f94804dcf599dfa3edeb

The fix has been applied to all qemu branches contained in Xen version
4.1 onwards.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQ9r4JAAoJEIP+FMlX6CvZkmcH+gPMPr1x2G381ytNGLcPjiZI
HAYlaRt2dGg2DBFCaTLTuJJ16DztNLsv4hPab25fAs/eTq3SRvtwsYZkzZ0YgUct
ItdGseV9IoHRs5xvzkU5yzo/VScBb3hn5T+yMh2uQ1PS5EG+GFEjJlUxeggKEsQW
IJMY2+lIPElX8VdYKVIxS/M9IeNlT56sALXE4aA+FylX8CIbPlnErZF5AgubY5Pd
MUSnp72CwYjTkfBBvMYpFgxaDVVep72UEhSC1LlN84kIgQ/bXlr7C74G4fi6SvS/
YnyDAld6sX7ALAYzCEO0qYd9VjTUjKh0vv0lvttJXRdUrDN1fwbKhuGWeKFsASI=
=12x9
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.