From: Peter Maydell
Subject: Re: [Qemu-devel] [PULL for-2.6 0/5] vga security fixes (CVE-2016-3710, CVE-2016-3712)
Date: Mon, 9 May 2016 14:06:49 +0100

On 9 May 2016 at 13:51, Gerd Hoffmann <address@hidden> wrote:
> Hi,
>
> Here comes a pull request for 2.6, fixing two security issues in the
> vga emulation code.
>
> The first one (CVE-2016-3710, patch #1) is pretty serious, allowing the
> guest to read and write host memory. Possibly allows the guest to break
> out of the vm.
>
> The second one (CVE-2016-3712) is a read overflow. DoS only (allows the
> guest to crash qemu).
>
> Both flaws are similar: Programming the vga using both bochs vbe
> registers and standard vga registers, create an unusual video mode,
> bypass sanity checks that way. See actual patch descriptions for more
> details.
>
> please pull,
> Gerd
>
> The following changes since commit 277abf15a60f7653bfb05ffb513ed74ffdaea1b7:
>
> configure: Check if struct fsxattr is available from linux header
> (2016-05-02 13:04:26 +0100)
>
> are available in the git repository at:
>
> git://git.kraxel.org/qemu tags/pull-vga-20160509-1
>
> for you to fetch changes up to fd3c136b3e1482cd0ec7285d6bc2a3e6a62c38d7:
>
> vga: make sure vga register setup for vbe stays intact (CVE-2016-3712).
> (2016-05-02 16:02:59 +0200)
>
> ----------------------------------------------------------------
> vga security fixes (CVE-2016-3710, CVE-2016-3712)
>
> ----------------------------------------------------------------
Applied to master, thanks. That was all we were waiting for to
release 2.6, so I will tag rc5 this afternoon and barring disaster
tag the final release (same contents) on Wednesday.
thanks
-- PMM