qemu-devel

Re: [Qemu-devel] [PULL for-2.6 0/5] vga security fixes (CVE-2016-3710, C


From: Peter Maydell
Subject: Re: [Qemu-devel] [PULL for-2.6 0/5] vga security fixes (CVE-2016-3710, CVE-2016-3712)
Date: Mon, 9 May 2016 14:06:49 +0100

On 9 May 2016 at 13:51, Gerd Hoffmann <address@hidden> wrote:
>   Hi,
>
> Here comes a pull request for 2.6, fixing two security issues in the
> vga emulation code.
>
> The first one (CVE-2016-3710, patch #1) is pretty serious, allowing the
> guest to read and write host memory.  Possibly allows the guest to break
> out of the vm.
>
> The second one (CVE-2016-3712) is a read overflow.  DoS only (allows the
> guest to crash qemu).
>
> Both flaws are similar:  Programming the vga using both bochs vbe
> registers and standard vga registers, create an unusual video mode,
> bypass sanity checks that way.  See actual patch descriptions for more
> details.
>
> please pull,
>   Gerd
>
> The following changes since commit 277abf15a60f7653bfb05ffb513ed74ffdaea1b7:
>
>   configure: Check if struct fsxattr is available from linux header 
> (2016-05-02 13:04:26 +0100)
>
> are available in the git repository at:
>
>   git://git.kraxel.org/qemu tags/pull-vga-20160509-1
>
> for you to fetch changes up to fd3c136b3e1482cd0ec7285d6bc2a3e6a62c38d7:
>
>   vga: make sure vga register setup for vbe stays intact (CVE-2016-3712). 
> (2016-05-02 16:02:59 +0200)
>
> ----------------------------------------------------------------
> vga security fixes (CVE-2016-3710, CVE-2016-3712)
>
> ----------------------------------------------------------------

Applied to master, thanks. That was all we were waiting for to
release 2.6, so I will tag rc5 this afternoon and barring disaster
tag the final release (same contents) on Wednesday.

thanks
-- PMM


