Bug 1026612 (CVE-2017-2633)

Summary: VUL-0: CVE-2017-2633: kvm,qemu: VNC: memory corruption due to unchecked resolution limit
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Lin Ma <lma>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P3 - Medium
CC: brogers, jsegitz, lma, lyan, sebastian.parschauer, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/180852/
Whiteboard: CVSSv2:SUSE:CVE-2017-2633:3.0:(AV:L/AC:M/Au:S/C:N/I:P/A:P) maint:planned:update maint:released:oes11-sp2:63938
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2017-02-23 10:07:33 UTC
From: P J P <ppandit () redhat com>
Date: Thu, 23 Feb 2017 09:59:13 +0530 (IST)

Hello,

Quick Emulator (Qemu) built with the VNC display driver support is vulnerable to an out-of-bounds memory access issue. It could occur while refreshing the vnc display surface area in 'vnc_refresh_server_surface'.

A user/process inside guest could use this flaw to crash the Qemu process resulting in DoS.

Upstream patch:
---------------
  -> http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=bea60dd7679364493a0d7f5b54316c767cf894ef
  -> http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=9f64916da20eea67121d544698676295bbb105a7

Older versions of Qemu are affected, latest upstream releases are not.

'CVE-2017-2633' has been assigned to this issue by Red Hat Inc.

Thank you.

References:
http://seclists.org/oss-sec/2017/q1/473
http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=9f64916da20eea67121d544698676295bbb105a7
http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=bea60dd7679364493a0d7f5b54316c767cf894ef
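The bug class the report describes, as an added illustration that is neither QEMU's code nor part of the original posts: a constructed server-surface model whose fixed-size dirty bitmap is indexed by the guest-chosen resolution. vnc_model_resize carries the bounds check that an unchecked resize path lacks, and vnc_model_refresh refuses to walk the bitmap beyond its limits rather than trusting the stored dimensions. All names, the 16-pixel block granularity and the 2560x2048 limit are assumptions made here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed limits (hypothetical, not QEMU's): the dirty bitmap below is
 * sized once for the largest mode the server is willing to describe. */
#define DIRTY_PIXELS_PER_BIT 16
#define MAX_WIDTH  2560
#define MAX_HEIGHT 2048
#define DIRTY_BITS  (MAX_WIDTH / DIRTY_PIXELS_PER_BIT)  /* 160 blocks per row */
#define DIRTY_WORDS ((DIRTY_BITS + 63) / 64)            /* 3 words per row */

typedef struct {
    int width, height;                        /* current guest resolution */
    uint64_t dirty[MAX_HEIGHT][DIRTY_WORDS];  /* one bit per 16-pixel block */
} vnc_model_surface;

static void vnc_model_init(vnc_model_surface *s) {
    memset(s, 0, sizeof *s);
    s->width = 640;
    s->height = 480;
}

/* The check an unchecked resize path lacks: a guest-requested mode that does
 * not fit the fixed-size bitmap is refused instead of being stored, so later
 * indexing by width/height can never run past dirty[]. */
static bool vnc_model_resize(vnc_model_surface *s, int w, int h) {
    if (w <= 0 || h <= 0 || w > MAX_WIDTH || h > MAX_HEIGHT)
        return false;
    s->width = w;
    s->height = h;
    memset(s->dirty, 0, sizeof s->dirty);
    return true;
}

/* Mark a rectangle dirty, clipped to the current resolution. */
static void vnc_model_set_dirty(vnc_model_surface *s, int x, int y, int w, int h) {
    if (x < 0 || y < 0 || y >= s->height || w <= 0 || h <= 0) return;
    int blocks = (s->width + DIRTY_PIXELS_PER_BIT - 1) / DIRTY_PIXELS_PER_BIT;
    int b1 = x / DIRTY_PIXELS_PER_BIT;
    int b2 = (x + w + DIRTY_PIXELS_PER_BIT - 1) / DIRTY_PIXELS_PER_BIT;
    if (b2 > blocks) b2 = blocks;              /* clip to the mode's width */
    if (y + h > s->height) h = s->height - y;  /* clip to the mode's height */
    for (int row = y; row < y + h; row++)
        for (int b = b1; b < b2; b++)
            s->dirty[row][b / 64] |= (uint64_t)1 << (b % 64);
}

/* Refresh pass: count and clear dirty blocks. Returns -1 instead of walking
 * past dirty[] if the stored resolution ever exceeds what the bitmap covers. */
static int vnc_model_refresh(vnc_model_surface *s) {
    if (s->width > MAX_WIDTH || s->height > MAX_HEIGHT) return -1;
    int count = 0;
    for (int row = 0; row < s->height; row++)
        for (int w = 0; w < DIRTY_WORDS; w++) {
            count += __builtin_popcountll(s->dirty[row][w]);
            s->dirty[row][w] = 0;
        }
    return count;
}
```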
Comment 1 Marcus Meissner 2017-02-23 11:24:03 UTC
9f64916da20eea67121d544698676295bbb105a7 - in 1.3.0
bea60dd7679364493a0d7f5b54316c767cf894ef - in 2.1.0
Comment 2 Swamp Workflow Management 2017-02-23 23:00:17 UTC
bugbot adjusting priority
Comment 3 Bruce Rogers 2017-04-28 18:19:08 UTC
So kvm packages for SLE11-SP3/4 need bea60dd commit based fix as does SLE12 qemu. The 9f64916 fix is not needed for any of our supported products.
Comment 4 Bruce Rogers 2017-10-19 14:22:59 UTC
One more note: a later commit, eebe0b7, indicates that the bea60dd commit fix was incomplete, and provides the added fix. So we need this as well.
Comment 5 Bruce Rogers 2017-10-19 14:27:35 UTC
And another commit, eb8934b, indicates another issue with bea60dd, and provides the fix for that. So that commit is needed as well.
Comment 6 Swamp Workflow Management 2017-11-10 08:20:40 UTC
SUSE-SU-2017:2969-1: An update that solves 29 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1020427,1021741,1025109,1025311,1026612,1028184,1028656,1030624,1032075,1034866,1034908,1035406,1035950,1036211,1037242,1039495,1042159,1042800,1042801,1043296,1045035,1046636,1047674,1048902,1049381,1056334,1057585,1062069,1063122,994418,994605
CVE References: CVE-2016-6834,CVE-2016-6835,CVE-2016-9602,CVE-2016-9603,CVE-2017-10664,CVE-2017-10806,CVE-2017-11334,CVE-2017-11434,CVE-2017-13672,CVE-2017-14167,CVE-2017-15038,CVE-2017-15289,CVE-2017-2633,CVE-2017-5579,CVE-2017-5973,CVE-2017-5987,CVE-2017-6505,CVE-2017-7377,CVE-2017-7471,CVE-2017-7493,CVE-2017-7718,CVE-2017-7980,CVE-2017-8086,CVE-2017-8112,CVE-2017-8309,CVE-2017-9330,CVE-2017-9373,CVE-2017-9375,CVE-2017-9503
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    qemu-2.0.2-48.34.3
Comment 7 Swamp Workflow Management 2018-01-04 17:10:20 UTC
SUSE-SU-2018:0019-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1026612,1068032
CVE References: CVE-2017-2633,CVE-2017-5715
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    kvm-1.4.2-60.6.1
Comment 8 Sebastian Parschauer 2018-01-08 12:57:20 UTC
@Bruce: I need a backport to SLES11-SP1 for bsc#1074701. Can you please provide it? TIA
Comment 9 Bruce Rogers 2018-01-08 15:37:06 UTC
(In reply to Sebastian Parschauer from comment #8)
> @Bruce: I need a backport to SLES11-SP1 for bsc#1074701. Can you please
> provide it? TIA

Overloading this bug report with communications about another unrelated bug is bad practice. Please communicate with me within the other bug report or in some other way.

But to respond to the open question, yes, I will.
Comment 10 Swamp Workflow Management 2018-01-08 17:08:36 UTC
SUSE-SU-2018:0039-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1026612,1068032
CVE References: CVE-2017-2633,CVE-2017-5715
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    kvm-1.4.2-53.14.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    kvm-1.4.2-53.14.1
Comment 11 Bruce Rogers 2018-01-23 02:49:07 UTC
(In reply to Bruce Rogers from comment #9)
> (In reply to Sebastian Parschauer from comment #8)
> > @Bruce: I need a backport to SLES11-SP1 for bsc#1074701. Can you please
> > provide it? TIA
> 
> Overloading this bug report with communications about another unrelated bug
> is bad practice. Please communicate with me within the other bug report or
> in some other way. 
> 
> But to respond to the open question, yes, I will.

And as I now look at this in detail, this is not going to be a simple backport. So contrary to my previous thought, this will not get done in a few more days, especially considering that I also have some other urgent type activities queued up.

I'll see if someone else can also help with this.
Comment 12 Lin Ma 2018-02-06 08:14:21 UTC
A total of 32 patches were backported to the kvm package and 1 patch was backported to the pixman package; waiting for L3 or customer's feedback.
Comment 13 Johannes Segitz 2018-02-15 11:18:04 UTC
fixed
Comment 14 Bruce Rogers 2018-03-06 15:45:36 UTC
What's the status here? I don't see where an actual package includes these patches (other than in Lin's home branch). Was a maintenance submission done from other than our Devel project?

Liang is also working on a vnc bug in old kvm releases which may benefit from these backports.
Comment 15 Lin Ma 2018-03-07 12:20:51 UTC
Just sent sr. https://build.suse.de/request/show/157389

Sorry for the delay.