Package: qemu-kvm
Version: 0.12.5+dfsg-5+squeeze3
Severity: grave
Tags: upstream security squeeze sid
The virtio_queue_notify() function checks that the virtqueue number is less than the maximum number of virtqueues. A signed comparison is used, but the virtqueue number could be negative if a buggy or malicious guest is run. This results in memory accesses outside of the virtqueue array.

This can be triggered by a malicious guest: an unprivileged guest user can either crash the qemu process or, possibly, gain extra privileges on the host.

Additional information:
http://patchwork.ozlabs.org/patch/94604/ (upstream patch)
https://bugzilla.redhat.com/show_bug.cgi?id=717399

The problem affects both squeeze and sid versions. It is present in lenny too, but that one is hopeless (we should provide fixes for lenny backports instead).
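The following is an added example, not QEMU's code and not part of the report above. It models the bounds check the report describes: a guest-supplied register value is converted to a signed int and compared only against the upper limit, so a negative value passes and the resulting array index points before the virtqueue array. The struct layout, the value of VIRTIO_PCI_QUEUE_MAX, the assumption that the guest-written value reaches the check as an int, and all function names here are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed for this model; the real constant's value differs by QEMU version. */
#define VIRTIO_PCI_QUEUE_MAX 64

/* Deliberately minimal stand-in for QEMU's VirtQueue / VirtIODevice. */
typedef struct {
    uint16_t vring_num;
} VirtQueue;

typedef struct {
    VirtQueue vq[VIRTIO_PCI_QUEUE_MAX];
} VirtIODevice;

typedef enum {
    NOTIFY_REJECTED,      /* check refused the index */
    NOTIFY_IN_BOUNDS,     /* check accepted an index inside vq[] */
    NOTIFY_OUT_OF_BOUNDS  /* check accepted an index outside vq[] (the bug) */
} NotifyResult;

/* Buggy check as the report describes it: only the upper bound is tested,
 * and n is signed, so any negative n is accepted. */
bool queue_index_accepted_signed(int n)
{
    return n < VIRTIO_PCI_QUEUE_MAX;
}

/* Fixed check: reject negative values as well as too-large ones. */
bool queue_index_accepted_fixed(int n)
{
    return n >= 0 && n < VIRTIO_PCI_QUEUE_MAX;
}

/* Byte offset from the start of vq[] that index n would resolve to,
 * computed arithmetically so negative n does not require out-of-bounds
 * pointer arithmetic in this demonstration. */
ptrdiff_t queue_offset_bytes(int n)
{
    return (ptrdiff_t)n * (ptrdiff_t)sizeof(VirtQueue);
}

/* Model of the guest-controlled path. Assumption: the 32-bit value the
 * guest writes to the notify register is passed to the check as an int,
 * so 0xffffffff becomes -1 on a two's-complement target. */
NotifyResult model_notify(uint32_t guest_val, bool use_fixed_check)
{
    int n = (int)guest_val;
    bool accepted = use_fixed_check ? queue_index_accepted_fixed(n)
                                    : queue_index_accepted_signed(n);
    if (!accepted)
        return NOTIFY_REJECTED;
    /* What the accepted index actually addresses. */
    if (n >= 0 && n < VIRTIO_PCI_QUEUE_MAX)
        return NOTIFY_IN_BOUNDS;
    return NOTIFY_OUT_OF_BOUNDS;
}

int main(void)
{
    /* Constructed guest inputs: a normal queue number and an all-ones value. */
    uint32_t inputs[] = { 3u, 64u, 0xffffffffu };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("guest value 0x%08x: signed check -> %d, fixed check -> %d, "
               "offset %td bytes\n",
               inputs[i],
               (int)model_notify(inputs[i], false),
               (int)model_notify(inputs[i], true),
               queue_offset_bytes((int)inputs[i]));
    }
    return 0;
}
```

With the signed check, the all-ones value resolves to index -1, i.e. sizeof(VirtQueue) bytes before vq[] inside the device struct, which is the out-of-array access the report describes; the fixed check rejects it while still accepting in-range queue numbers.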