Bug 1083292

Summary: VUL-0: CVE-2018-7550 xen: i386: multiboot OOB access while loading kernel image
Product: [Novell Products] SUSE Security Incidents
Reporter: Johannes Segitz <jsegitz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: carnold, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/200981/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Johannes Segitz 2018-02-28 12:53:30 UTC
+++ This bug was initially created as a clone of Bug #1083291 +++

Quick Emulator(QEMU) built with the PC System Emulator with multiboot feature
support is vulnerable to an OOB r/w memory access issue. It could occur while
loading a kernel image during a guest boot if multiboot head addresses
mh_load_end_addr was greater than mh_bss_end_addr.

A user/process could use this flaw to potentially achieve arbitrary code
execution on a host.

Patch: https://lists.gnu.org/archive/html/qemu-devel/2018-02/msg06890.html

SLE 11 SP{34} affected according to the code.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1549798
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7550
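
Added example (not part of the original report and not QEMU's or Xen's code): a C check for the condition described above, assuming a loader that copies load_end_addr - load_addr bytes from the file into a buffer sized bss_end_addr - load_addr. The names mb_addrs, mb_check_layout, header_off and file_size are hypothetical; the four field names follow the Multiboot specification.

```c
#include <stdint.h>

/* Address fields of a Multiboot header (names from the Multiboot spec). */
struct mb_addrs {
    uint32_t header_addr;   /* where the header itself is to be loaded */
    uint32_t load_addr;     /* start of the loaded image */
    uint32_t load_end_addr; /* end of file-backed data; 0 = to end of file */
    uint32_t bss_end_addr;  /* end of zeroed bss; 0 = no bss */
};

enum mb_status { MB_OK, MB_BAD_LOAD_ADDR, MB_BAD_LOAD_END, MB_BAD_BSS_END };

/*
 * Validate the layout before any buffer is allocated or filled.
 * header_off: offset of the header in the image file (hypothetical parameter)
 * file_size:  size of the image file (hypothetical parameter)
 * On MB_OK, *load_size is the byte count copied from the file and *mem_size
 * the buffer size; load_size <= mem_size is guaranteed.
 */
enum mb_status mb_check_layout(const struct mb_addrs *h, uint32_t header_off,
                               uint32_t file_size,
                               uint32_t *load_size, uint32_t *mem_size)
{
    if (header_off >= file_size || h->load_addr > h->header_addr ||
        h->header_addr - h->load_addr > header_off)
        return MB_BAD_LOAD_ADDR;
    uint32_t text_off = header_off - (h->header_addr - h->load_addr);
    uint32_t avail = file_size - text_off;    /* bytes the file can supply */

    uint32_t ls = avail;
    if (h->load_end_addr) {
        if (h->load_end_addr < h->load_addr ||
            h->load_end_addr - h->load_addr > avail)
            return MB_BAD_LOAD_END;
        ls = h->load_end_addr - h->load_addr;
    }

    uint32_t ms = ls;
    if (h->bss_end_addr) {
        /* The case from this bug: a load end beyond the bss end means the
         * copy (ls bytes) would be larger than the buffer it lands in. */
        if ((uint64_t)h->bss_end_addr < (uint64_t)h->load_addr + ls)
            return MB_BAD_BSS_END;
        ms = h->bss_end_addr - h->load_addr;
    }
    *load_size = ls;
    *mem_size = ms;
    return MB_OK;
}
```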

Comment 1 Charles Arnold 2018-05-07 16:40:42 UTC
Patches for this bug have been submitted for the following distros,

SUSE:SLE-11-SP3:Update
SUSE:SLE-11-SP3:Update:Teradata
SUSE:SLE-11-SP4:Update
SUSE:SLE-12:Update
SUSE:SLE-12-SP1:Update

Comment 2 Swamp Workflow Management 2018-05-09 16:08:59 UTC
SUSE-SU-2018:1177-1: An update that solves four vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1027519,1057493,1072834,1083292,1086107,1089152,1089635,1090820,1090822,1090823
CVE References: CVE-2018-10471,CVE-2018-10472,CVE-2018-7550,CVE-2018-8897
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    xen-4.4.4_30-22.65.1

Comment 3 Swamp Workflow Management 2018-05-09 16:17:43 UTC
SUSE-SU-2018:1181-1: An update that solves four vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1027519,1035442,1057493,1072834,1083292,1086107,1089152,1089635,1090820,1090822,1090823
CVE References: CVE-2018-10471,CVE-2018-10472,CVE-2018-7550,CVE-2018-8897
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_30-61.26.1
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_30-61.26.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_30-61.26.1

Comment 4 Swamp Workflow Management 2018-05-10 16:07:36 UTC
SUSE-SU-2018:1202-1: An update that solves four vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1027519,1083292,1089152,1089635,1090820,1090822,1090823
CVE References: CVE-2018-10471,CVE-2018-10472,CVE-2018-7550,CVE-2018-8897
Sources used:
SUSE OpenStack Cloud 6 (src):    xen-4.5.5_24-22.46.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    xen-4.5.5_24-22.46.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    xen-4.5.5_24-22.46.1

Comment 5 Swamp Workflow Management 2018-05-10 19:07:30 UTC
SUSE-SU-2018:1203-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1083292,1089152,1089635,1090820,1090822,1090823
CVE References: CVE-2018-10471,CVE-2018-10472,CVE-2018-7550,CVE-2018-8897
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_21-45.22.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_21-45.22.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_21-45.22.1

Comment 6 Marcus Meissner 2018-05-18 15:58:25 UTC
released