CVE-2014-8106 insufficient blit region check

Bug #1400775 reported by Alex Bligh on 2014-12-09
Affects (importance, assigned to):
  qemu (Ubuntu): Undecided, Marc Deslauriers
    Lucid: Undecided, Unassigned
    Precise: Undecided, Unassigned
    Trusty: Undecided, Marc Deslauriers
    Utopic: Undecided, Marc Deslauriers
    Vivid: Undecided, Marc Deslauriers
  qemu-kvm (Ubuntu): Undecided, Unassigned
    Lucid: Undecided, Marc Deslauriers
    Precise: Undecided, Marc Deslauriers
    Trusty: Undecided, Unassigned
    Utopic: Undecided, Unassigned
    Vivid: Undecided, Unassigned

Bug Description

The following references describe an insufficient blit region check issue in qemu:
  https://security-tracker.debian.org/tracker/CVE-2014-8106
  https://lists.nongnu.org/archive/html/qemu-devel/2014-12/msg00508.html

This vulnerability potentially allows root within a guest to perform a denial of service and perhaps execute arbitrary code with the privileges of the qemu host process.

Fixes upstream appear to be:
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=d3532a0db02296e687711b8cdc7791924efccea0;hp=db12451decf7dfe0f083564183e135f2095228b9
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=bf25983345ca44aec3dd92c57142be45452bd38a;hp=d3532a0db02296e687711b8cdc7791924efccea0

I am using the following, but believe this vulnerability exists in (at least) T, U and V. It may exist in P or L (unchecked).

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.1 LTS
Release: 14.04
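An added illustration of the defensive check at issue (example code written for this page, not the upstream patches linked above and not from the report): a blit request is validated by computing the full byte extent it will touch, including the case of a negative pitch, rather than only its start address. The blit_region_t struct, its field names and the 4 KiB framebuffer are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical blit descriptor (names assumed for this example): VRAM start
 * offset, bytes per row (negative for bottom-up blits), bytes x rows. */
typedef struct {
    int64_t addr, pitch, width, height;
} blit_region_t;

/* Insufficient check: validates only the first row, so a large or
 * negative pitch still lets later rows reach outside VRAM. */
bool blit_region_ok_naive(const blit_region_t *b, int64_t vram_size)
{
    return b->addr >= 0 && b->addr + b->width <= vram_size;
}

/* Sufficient check: derive the lowest and highest byte the whole blit
 * touches and require both to lie inside [0, vram_size). With a
 * negative pitch the lowest byte is on the last row, not at addr. */
bool blit_region_ok(const blit_region_t *b, int64_t vram_size)
{
    if (vram_size <= 0 || b->width <= 0 || b->height <= 0) {
        return false;
    }
    /* Bound every operand by vram_size so the extent arithmetic below
     * cannot overflow int64_t (worst case about vram_size squared,
     * which is safe for any realistic framebuffer size). */
    if (b->addr < 0 || b->addr > vram_size || b->width > vram_size ||
        b->height > vram_size || b->pitch > vram_size ||
        b->pitch < -vram_size) {
        return false;
    }
    int64_t span = (b->height - 1) * b->pitch;   /* offset of the last row */
    int64_t lo = b->pitch < 0 ? b->addr + span : b->addr;
    int64_t hi = b->pitch < 0 ? b->addr + b->width : b->addr + span + b->width;
    return lo >= 0 && hi <= vram_size;
}

int main(void)
{
    /* Constructed 4 KiB framebuffer; 8 rows of 64 bytes with pitch 1024:
     * the naive check accepts it, the full-extent check rejects it. */
    blit_region_t b = { 0, 1024, 64, 8 };
    printf("naive=%d full=%d\n", blit_region_ok_naive(&b, 4096),
           blit_region_ok(&b, 4096));
    return 0;
}
```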

Alex Bligh (ubuntu-alex-org) wrote :

Made this public as the links to which it refers are public.

information type: Private Security → Public Security
Changed in qemu (Ubuntu Lucid):
status: New → Confirmed
Changed in qemu (Ubuntu Precise):
status: New → Confirmed
Changed in qemu (Ubuntu Trusty):
status: New → Confirmed
Changed in qemu (Ubuntu Utopic):
status: New → Confirmed
Changed in qemu (Ubuntu Vivid):
status: New → Confirmed
Changed in qemu (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in qemu (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in qemu (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in qemu (Ubuntu Utopic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in qemu (Ubuntu Vivid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in qemu-kvm (Ubuntu Trusty):
status: New → Invalid
Changed in qemu-kvm (Ubuntu Utopic):
status: New → Invalid
Changed in qemu-kvm (Ubuntu Vivid):
status: New → Invalid
Changed in qemu (Ubuntu Lucid):
assignee: Marc Deslauriers (mdeslaur) → nobody
status: Confirmed → Invalid
Changed in qemu (Ubuntu Precise):
assignee: Marc Deslauriers (mdeslaur) → nobody
status: Confirmed → Invalid
Changed in qemu-kvm (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Confirmed
Changed in qemu-kvm (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu - 2.1+dfsg-4ubuntu6.3

---------------
qemu (2.1+dfsg-4ubuntu6.3) utopic-security; urgency=medium

  * SECURITY UPDATE: code execution via savevm data
    - debian/patches/CVE-2014-7840.patch: validate parameters in
      arch_init.c.
    - CVE-2014-7840
  * SECURITY UPDATE: code execution via cirrus vga blit regions
    (LP: #1400775)
    - debian/patches/CVE-2014-8106.patch: properly validate blit regions in
      hw/display/cirrus_vga.c.
    - CVE-2014-8106
 -- Marc Deslauriers <email address hidden> Wed, 10 Dec 2014 15:53:57 -0500

Changed in qemu (Ubuntu Utopic):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu-kvm - 0.12.3+noroms-0ubuntu9.26

---------------
qemu-kvm (0.12.3+noroms-0ubuntu9.26) lucid-security; urgency=medium

  * SECURITY UPDATE: code execution via cirrus vga blit regions
    (LP: #1400775)
    - debian/patches/CVE-2014-8106.patch: properly validate blit regions in
      hw/cirrus_vga.c.
    - CVE-2014-8106
 -- Marc Deslauriers <email address hidden> Wed, 10 Dec 2014 16:18:02 -0500

Changed in qemu-kvm (Ubuntu Lucid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu - 2.0.0+dfsg-2ubuntu1.9

---------------
qemu (2.0.0+dfsg-2ubuntu1.9) trusty-security; urgency=medium

  * SECURITY UPDATE: code execution via savevm data
    - debian/patches/CVE-2014-7840.patch: validate parameters in
      arch_init.c.
    - CVE-2014-7840
  * SECURITY UPDATE: code execution via cirrus vga blit regions
    (LP: #1400775)
    - debian/patches/CVE-2014-8106.patch: properly validate blit regions in
      hw/display/cirrus_vga.c.
    - CVE-2014-8106
 -- Marc Deslauriers <email address hidden> Wed, 10 Dec 2014 16:00:51 -0500

Changed in qemu (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu-kvm - 1.0+noroms-0ubuntu14.21

---------------
qemu-kvm (1.0+noroms-0ubuntu14.21) precise-security; urgency=medium

  * SECURITY UPDATE: code execution via savevm data
    - debian/patches/CVE-2014-7840.patch: validate parameters in
      arch_init.c.
    - CVE-2014-7840
  * SECURITY UPDATE: code execution via cirrus vga blit regions
    (LP: #1400775)
    - debian/patches/CVE-2014-8106.patch: properly validate blit regions in
      hw/cirrus_vga.c.
    - CVE-2014-8106
 -- Marc Deslauriers <email address hidden> Wed, 10 Dec 2014 16:11:32 -0500

Changed in qemu-kvm (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu - 2.1+dfsg-7ubuntu5

---------------
qemu (2.1+dfsg-7ubuntu5) vivid; urgency=medium

  * SECURITY UPDATE: code execution via savevm data
    - debian/patches/CVE-2014-7840.patch: validate parameters in
      arch_init.c.
    - CVE-2014-7840
  * SECURITY UPDATE: code execution via cirrus vga blit regions
    (LP: #1400775)
    - debian/patches/CVE-2014-8106.patch: properly validate blit regions in
      hw/display/cirrus_vga.c.
    - CVE-2014-8106
 -- Marc Deslauriers <email address hidden> Thu, 11 Dec 2014 14:11:52 -0500

Changed in qemu (Ubuntu Vivid):
status: Confirmed → Fix Released