Am 27.07.2015 um 14:28 schrieb John Snow: > > > On 07/27/2015 08:10 AM, Stefan Priebe - Profihost AG wrote: >> >> Am 27.07.2015 um 14:01 schrieb John Snow: >>> The following changes since commit f793d97e454a56d17e404004867985622ca1a63b: >>> >>> Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into >>> staging (2015-07-24 13:07:10 +0100) >>> >>> are available in the git repository at: >>> >>> https://github.com/jnsnow/qemu.git tags/cve-2015-5154-pull-request >> >> Any details on this CVE? Is RCE possible? Only if IDE is used? >> >> Stefan >> > > It's a heap overflow. The most likely outcome is a segfault, but the > guest is allowed to continue writing past the end of the PIO buffer at > its leisure. This makes it similar to CVE-2015-3456. > > This CVE can be mitigated unlike CVE-2015-3456 by just removing the > CD-ROM drive until the patch can be applied.
Thanks. The seclist article explicitly references xen. So it does not apply to qemu/kvm? Sorry for asking may be stupid questions. Stefan >>> for you to fetch changes up to cb72cba83021fa42719e73a5249c12096a4d1cfc: >>> >>> ide: Clear DRQ after handling all expected accesses (2015-07-26 23:42:53 >>> -0400) >>> >>> ---------------------------------------------------------------- >>> >>> ---------------------------------------------------------------- >>> >>> Kevin Wolf (3): >>> ide: Check array bounds before writing to io_buffer (CVE-2015-5154) >>> ide/atapi: Fix START STOP UNIT command completion >>> ide: Clear DRQ after handling all expected accesses >>> >>> hw/ide/atapi.c | 1 + >>> hw/ide/core.c | 32 ++++++++++++++++++++++++++++---- >>> 2 files changed, 29 insertions(+), 4 deletions(-) >>>