Bug 1014109 (CVE-2016-9907)

Summary: VUL-0: CVE-2016-9907: qemu: usb: redirector: memory leakage when destroying redirector
Product: [Novell Products] SUSE Security Incidents Reporter: Mikhail Kasimov <mikhail.kasimov>
Component: IncidentsAssignee: Bruce Rogers <brogers>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: brogers, meissner
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: .
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Mikhail Kasimov 2016-12-07 01:07:50 UTC 
Reference: http://seclists.org/oss-sec/2016/q4/609
===============================================================================
  Hello,

Quick Emulator(Qemu) built with the USB redirector usb-guest support is vulnerable to a memory leakage flaw. It could occur while destroying the USB redirector in 'usbredir_handle_destroy'.


A guest user/process could use this issue to leak host memory, resulting in DoS for a host.


Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg01379.html

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
===============================================================================
Comment 1 Swamp Workflow Management 2016-12-07 23:00:27 UTC 
bugbot adjusting priority
Comment 2 Marcus Meissner 2016-12-08 07:18:49 UTC 
CVE-2016-9907
Comment 3 Matthias Gerstner 2016-12-08 10:40:50 UTC 
Analysis shows the following qemu/kvm codestreams are affected:

kvm:

SUSE:SLE-11-SP3:Update/kvm/qemu-1.4.2/hw/usb/redirect.c:1294
SUSE:SLE-11-SP4:Update/kvm/qemu-1.4.2/hw/usb/redirect.c:1294

qemu:

SUSE:SLE-12:Update/qemu/qemu-2.0.2/hw/usb/redirect.c:1316
SUSE:SLE-12-SP1:Update/qemu/qemu-2.3.1/hw/usb/redirect.c:1402
SUSE:SLE-12-SP2:Update/qemu/qemu-2.6.2/hw/usb/redirect.c:1409
Comment 4 Swamp Workflow Management 2017-01-13 19:11:58 UTC 
SUSE-SU-2017:0127-1: An update that solves 13 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1007454,1008519,1009109,1013285,1013341,1013764,1013767,1014109,1014110,1014111,1014112,1014256,1014514,1016779,937125
CVE References: CVE-2016-9102,CVE-2016-9103,CVE-2016-9381,CVE-2016-9776,CVE-2016-9845,CVE-2016-9846,CVE-2016-9907,CVE-2016-9908,CVE-2016-9911,CVE-2016-9912,CVE-2016-9913,CVE-2016-9921,CVE-2016-9922
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    qemu-2.6.2-39.1
SUSE Linux Enterprise Server 12-SP2 (src):    qemu-2.6.2-39.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    qemu-2.6.2-39.1
Comment 5 Swamp Workflow Management 2017-01-18 11:11:24 UTC 
openSUSE-SU-2017:0194-1: An update that solves 13 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1007454,1008519,1009109,1013285,1013341,1013764,1013767,1014109,1014110,1014111,1014112,1014256,1014514,1016779,937125
CVE References: CVE-2016-9102,CVE-2016-9103,CVE-2016-9381,CVE-2016-9776,CVE-2016-9845,CVE-2016-9846,CVE-2016-9907,CVE-2016-9908,CVE-2016-9911,CVE-2016-9912,CVE-2016-9913,CVE-2016-9921,CVE-2016-9922
Sources used:
openSUSE Leap 42.2 (src):    qemu-2.6.2-26.1, qemu-linux-user-2.6.2-26.1, qemu-testsuite-2.6.2-26.1
Comment 6 Bruce Rogers 2017-03-08 16:20:58 UTC 
Fixed.
Comment 7 Swamp Workflow Management 2017-03-10 20:09:20 UTC 
SUSE-SU-2017:0661-1: An update that solves 11 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1013285,1014109,1014111,1014702,1015048,1015169,1016779,1021129,1022541,1023004,1023053,1023907,1024972
CVE References: CVE-2016-10155,CVE-2016-9776,CVE-2016-9907,CVE-2016-9911,CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620,CVE-2017-5667,CVE-2017-5856,CVE-2017-5898
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    qemu-2.0.2-48.31.1
SUSE Linux Enterprise Server 12-LTSS (src):    qemu-2.0.2-48.31.1
Comment 8 Swamp Workflow Management 2017-04-28 19:11:41 UTC 
SUSE-SU-2017:1135-1: An update that solves 10 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1013285,1014109,1014111,1014702,1015048,1015169,1016779,1021129,1023004,1023053,1023907,1024972
CVE References: CVE-2016-10155,CVE-2016-9776,CVE-2016-9907,CVE-2016-9911,CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620,CVE-2017-5856,CVE-2017-5898
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    kvm-1.4.2-59.1
Comment 9 Swamp Workflow Management 2017-05-11 13:09:54 UTC 
SUSE-SU-2017:1241-1: An update that solves 13 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1013285,1014109,1014111,1014702,1015048,1015169,1016779,1020491,1020589,1020928,1021129,1022541,1023004,1023053,1023907,1024972,937125
CVE References: CVE-2016-10155,CVE-2016-9776,CVE-2016-9907,CVE-2016-9911,CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620,CVE-2017-5525,CVE-2017-5526,CVE-2017-5667,CVE-2017-5856,CVE-2017-5898
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    qemu-2.3.1-32.11
SUSE Linux Enterprise Desktop 12-SP1 (src):    qemu-2.3.1-32.11
Comment 10 Swamp Workflow Management 2017-05-16 19:10:29 UTC 
openSUSE-SU-2017:1312-1: An update that solves 13 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1013285,1014109,1014111,1014702,1015048,1015169,1016779,1020491,1020589,1020928,1021129,1022541,1023004,1023053,1023907,1024972,937125
CVE References: CVE-2016-10155,CVE-2016-9776,CVE-2016-9907,CVE-2016-9911,CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620,CVE-2017-5525,CVE-2017-5526,CVE-2017-5667,CVE-2017-5856,CVE-2017-5898
Sources used:
openSUSE Leap 42.1 (src):    qemu-2.3.1-25.1, qemu-linux-user-2.3.1-25.1, qemu-testsuite-2.3.1-25.1
Comment 11 Swamp Workflow Management 2017-11-24 20:12:49 UTC 
SUSE-SU-2017:3084-1: An update that solves 33 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1013285,1014109,1014111,1014702,1015048,1016779,1020427,1021129,1021741,1023004,1023053,1023907,1024972,1025109,1028184,1028656,1030624,1031051,1034044,1034866,1034908,1035406,1035950,1037242,1038396,1039495,1042159,1042800,1042801,1043296,1045035,1046636,1047674,1048902,1049381,1049785,1056334,1057585,1062069,1063122
CVE References: CVE-2016-10155,CVE-2016-9602,CVE-2016-9603,CVE-2016-9776,CVE-2016-9907,CVE-2016-9911,CVE-2016-9921,CVE-2016-9922,CVE-2017-10664,CVE-2017-10806,CVE-2017-11334,CVE-2017-11434,CVE-2017-13672,CVE-2017-14167,CVE-2017-15038,CVE-2017-15289,CVE-2017-2615,CVE-2017-2620,CVE-2017-5579,CVE-2017-5856,CVE-2017-5898,CVE-2017-5973,CVE-2017-6505,CVE-2017-7471,CVE-2017-7493,CVE-2017-7718,CVE-2017-7980,CVE-2017-8086,CVE-2017-8309,CVE-2017-9330,CVE-2017-9373,CVE-2017-9375,CVE-2017-9503
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    kvm-1.4.2-53.11.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    kvm-1.4.2-53.11.1