Bug 1056291 (CVE-2017-13711)

Summary: VUL-0: CVE-2017-13711: kvm,qemu: Slirp: use-after-free when sending response
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P3 - Medium
CC: brogers, fli, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/191170/
Whiteboard: CVSSv3:RedHat:CVE-2017-13711:3.4:(AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L) CVSSv2:SUSE:CVE-2017-13711:1.9:(AV:L/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2017-13711:2.9:(AV:A/AC:M/Au:N/C:N/I:N/A:P) CVSSv3:SUSE:CVE-2017-13711:4.0:(AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L) CVSSv2:NVD:CVE-2017-13711:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2017-08-30 06:14:08 UTC
Hello,

Quick emulator (Qemu) built with the Slirp networking support is vulnerable to 
a use-after-free issue. It occurs because a Socket referenced from multiple 
packets is freed while responding to a message.

A user/process could use this flaw to crash the Qemu process on the host 
resulting in DoS.

Upstream patch:
---------------
   -> https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg05201.html

Reference:
----------
   -> https://bugzilla.redhat.com/show_bug.cgi?id=1486400

This issue was reported by Wjjzhang.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1486400
http://seclists.org/oss-sec/2017/q3/361
https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg05201.html
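As an added illustration, not code from this bug, from slirp or from the Red Hat report: a small C model of the pattern the description names, where several pending packets hold a raw back-pointer to one socket. A detach routine that clears only the first reference leaves the rest dangling once the socket is freed, and a later send that dereferences them is the use-after-free; clearing every reference before the free removes the hazard. All struct and function names here are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model of the bug pattern: queued packets hold a raw back-pointer to
 * the socket they belong to. Illustrative only, not slirp's data structures. */

struct sock {
    int id;
};

struct packet {
    struct sock *so;        /* back-reference to the owning socket (hypothetical) */
    struct packet *next;
};

struct queue {
    struct packet *head;
};

/* Queue n packets that all belong to the same socket. */
static void enqueue_for_socket(struct queue *q, struct sock *so, int n)
{
    for (int i = 0; i < n; i++) {
        struct packet *p = calloc(1, sizeof *p);
        if (!p)
            abort();
        p->so = so;
        p->next = q->head;
        q->head = p;
    }
}

/* Buggy detach: assumes at most one queued packet references the socket,
 * so it stops after clearing the first match. */
static void detach_first_only(struct queue *q, struct sock *so)
{
    for (struct packet *p = q->head; p; p = p->next) {
        if (p->so == so) {
            p->so = NULL;
            break;
        }
    }
}

/* Correct detach: clear every back-reference before the socket is freed. */
static void detach_all(struct queue *q, struct sock *so)
{
    for (struct packet *p = q->head; p; p = p->next) {
        if (p->so == so)
            p->so = NULL;
    }
}

/* Count packets still pointing at `so`. Called while `so` is still live, so
 * the comparison is safe; any nonzero result means freeing `so` now would
 * leave dangling pointers that a later send would dereference. */
static int count_refs(const struct queue *q, const struct sock *so)
{
    int n = 0;
    for (const struct packet *p = q->head; p; p = p->next)
        if (p->so == so)
            n++;
    return n;
}

static void free_queue(struct queue *q)
{
    while (q->head) {
        struct packet *p = q->head;
        q->head = p->next;
        free(p);
    }
}

/* Queue three packets for one socket, detach with the buggy or the fixed
 * routine, and return how many dangling references would remain. */
int dangling_refs_after_detach(int use_fixed_detach)
{
    struct queue q = { NULL };
    struct sock *so = calloc(1, sizeof *so);
    if (!so)
        abort();
    so->id = 1;

    enqueue_for_socket(&q, so, 3);
    if (use_fixed_detach)
        detach_all(&q, so);
    else
        detach_first_only(&q, so);

    int left = count_refs(&q, so);
    free(so);               /* safe only when left == 0 */
    free_queue(&q);
    return left;
}

int main(void)
{
    printf("buggy detach leaves %d dangling reference(s)\n",
           dangling_refs_after_detach(0));
    printf("fixed detach leaves %d dangling reference(s)\n",
           dangling_refs_after_detach(1));
    return 0;
}
```

The model deliberately counts references before calling `free()` rather than touching freed memory; the defensive point is that any "clear the back-pointer on teardown" step must walk every queue that can hold a reference, not stop at the first hit.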
Comment 1 Marcus Meissner 2017-08-30 06:19:05 UTC
These if-queue constructs are only in 2.9.0 here, so 12-SP3 qemu is affected; older ones are not.
Comment 2 Marcus Meissner 2017-08-30 06:19:55 UTC
Also, XEN qemu is not affected as it's too old.
Comment 3 Bruce Rogers 2017-08-31 16:17:51 UTC
This is git commit id 1201d308519f1e915866d7583d5136d03cc1d384
Comment 4 Swamp Workflow Management 2017-11-02 23:08:43 UTC
SUSE-SU-2017:2924-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1054724,1055587,1056291,1056334,1057378,1057585,1057966,1062069,1062942,1063122
CVE References: CVE-2017-10911,CVE-2017-12809,CVE-2017-13672,CVE-2017-13711,CVE-2017-14167,CVE-2017-15038,CVE-2017-15268,CVE-2017-15289
Sources used:
SUSE Linux Enterprise Server 12-SP3 (src):    qemu-2.9.1-6.6.3
SUSE Linux Enterprise Desktop 12-SP3 (src):    qemu-2.9.1-6.6.3
Comment 5 Andreas Stieger 2017-11-07 00:55:47 UTC
should be done
Comment 6 Swamp Workflow Management 2017-11-07 05:09:47 UTC
openSUSE-SU-2017:2938-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1054724,1055587,1056291,1056334,1057378,1057585,1057966,1062069,1062942,1063122
CVE References: CVE-2017-10911,CVE-2017-12809,CVE-2017-13672,CVE-2017-13711,CVE-2017-14167,CVE-2017-15038,CVE-2017-15268,CVE-2017-15289
Sources used:
openSUSE Leap 42.3 (src):    qemu-2.9.1-35.1, qemu-linux-user-2.9.1-35.1, qemu-testsuite-2.9.1-35.1