Bugzilla – Full Text Bug Listing

Summary: | VUL-1: CVE-2019-13164: kvm,qemu: qemu-bridge-helper ACL can be bypassed when names are too long | | |
---|---|---|---|
Product: | [Novell Products] SUSE Security Incidents | Reporter: | Alexandros Toptsoglou <atoptsoglou> |
Component: | Incidents | Assignee: | Security Team bot <security-team> |
Status: | IN_PROGRESS --- | QA Contact: | Security Team bot <security-team> |
Severity: | Normal | | |
Priority: | P4 - Low | CC: | lyan, meissner, smash_bz, wolfgang.frisch |
Version: | unspecified | | |
Target Milestone: | --- | | |
Hardware: | Other | | |
OS: | Other | | |
URL: | https://smash.suse.de/issue/236075/ | | |
Whiteboard: | CVSSv3:SUSE:CVE-2019-13164:4.7:(AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N) | | |
Found By: | Security Response Team | Services Priority: | |
Business Priority: | | Blocker: | --- |
Marketing QA Status: | --- | IT Deployment: | --- |
Description
Alexandros Toptsoglou
2019-07-04 13:08:31 UTC
The fix for this issue can be found in comment 0. It consists of 3 patches.

It seems that the issue was introduced with the commit at [1]. Based on this, all the versions of qemu from version 1.1 are affected.

Tracked the following codestreams as affected:

KVM: SLE11-SP3 and SLE11-SP4
QEMU: SLE12-GA,SP1,SP2,SP3,SP4 SLE15-GA,SP1

[1] https://github.com/qemu/qemu/commit/bdef79a2994d6f0383e07e9597675711662b3031

Steps to reproduce on openSUSE Tumbleweed:

1. Add network bridges:
       brctl addbr testbridge
       brctl addbr verylongbridgename
2. /etc/qemu/bridge.conf:
       allow all
       deny testbridge
       deny verylongbridgename
3. As a user in the group "kvm", launch qemu:
   3.1. qemu-kvm -net bridge,br=testbridge [...]
        OKAY. This fails, as it should.
   3.2. qemu-kvm -net bridge,br=verylongbridgename [...]
        BAD. This succeeds, but it shouldn't. The user now has a VM attached to the bridge "verylongbridgename" and can listen in on traffic.

The fix is not merged into upstream yet, but I will start a downstream backport since the fix code is minimal and quite independent of other parts.

Backport has been merged into our SLE11 SP3-SP4, SLE12 GA-SP4, SLE15 GA-SP1, Virt. Still waiting for upstream version though.

SUSE-SU-2019:2192-1: An update that solves four vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1128106,1133031,1134883,1135210,1135902,1136540,1136778,1138534,1140402,1143794,1144087
CVE References: CVE-2019-12155,CVE-2019-13164,CVE-2019-14378,CVE-2019-5008
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): qemu-3.1.1-9.3.3
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): qemu-3.1.1-9.3.3, qemu-linux-user-3.1.1-9.3.2, qemu-testsuite-3.1.1-9.3.4
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): qemu-3.1.1-9.3.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2019:14151-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1135902,1140402,1143794
CVE References: CVE-2019-12155,CVE-2019-13164,CVE-2019-14378
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src): kvm-1.4.2-60.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Fix is merged into upstream now, same as the fix I used in our branch, so move it to security team.

commit 6f5d8671225dc77190647f18a27a0d156d4ca97a
Author: Prasad J Pandit <pjp@fedoraproject.org>
Date: Tue Jul 23 16:17:52 2019 +0530

    qemu-bridge-helper: restrict interface name to IFNAMSIZ

    The network interface name in Linux is defined to be of size IFNAMSIZ(=16), including the terminating null('\0') byte. The same is applied to interface names read from 'bridge.conf' file to form ACL rules. If user supplied '--br=bridge' name is not restricted to the same length, it could lead to ACL bypass issue. Restrict interface name to IFNAMSIZ, including null byte.

SUSE-SU-2019:2221-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1135902,1140402,1143794
CVE References: CVE-2019-12155,CVE-2019-13164,CVE-2019-14378
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src): qemu-2.3.1-33.26.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): qemu-2.3.1-33.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2019:2246-1: An update that solves three vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1079730,1098403,1111025,1119115,1134883,1135902,1136540,1136778,1140402,1143794
CVE References: CVE-2019-12155,CVE-2019-13164,CVE-2019-14378
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src): qemu-2.11.2-9.28.3
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): qemu-2.11.2-9.28.3, qemu-linux-user-2.11.2-9.28.2
SUSE Linux Enterprise Module for Basesystem 15 (src): qemu-2.11.2-9.28.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2019:2041-1: An update that solves four vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1128106,1133031,1134883,1135210,1135902,1136540,1136778,1138534,1140402,1143794,1144087
CVE References: CVE-2019-12155,CVE-2019-13164,CVE-2019-14378,CVE-2019-5008
Sources used:
openSUSE Leap 15.1 (src): qemu-3.1.1-lp151.7.3.3, qemu-linux-user-3.1.1-lp151.7.3.2, qemu-testsuite-3.1.1-lp151.7.3.3

openSUSE-SU-2019:2059-1: An update that solves three vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1079730,1098403,1111025,1119115,1134883,1135902,1136540,1136778,1140402,1143794
CVE References: CVE-2019-12155,CVE-2019-13164,CVE-2019-14378
Sources used:
openSUSE Leap 15.0 (src): qemu-2.11.2-lp150.7.25.1

SUSE-SU-2019:2278-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1127077,1135902,1139926,1140402,1143794
CVE References: CVE-2019-12155,CVE-2019-13164,CVE-2019-14378
Sources used:
SUSE CaaS Platform 3.0 (src): qemu-2.9.1-6.41.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2019:2157-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1135902,1140402,1143794
CVE References: CVE-2019-12155,CVE-2019-13164,CVE-2019-14378
Sources used:
SUSE OpenStack Cloud 7 (src): qemu-2.6.2-41.55.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): qemu-2.6.2-41.55.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): qemu-2.6.2-41.55.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): qemu-2.6.2-41.55.1
SUSE Enterprise Storage 4 (src): qemu-2.6.2-41.55.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2019:2353-1: An update that solves three vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 1079730,1098403,1111025,1127077,1134880,1135902,1136528,1136777,1139926,1140402,1141043,1143794
CVE References: CVE-2019-12155,CVE-2019-13164,CVE-2019-14378
Sources used:
SUSE Linux Enterprise Server 12-SP4 (src): qemu-2.11.2-5.18.1
SUSE Linux Enterprise Desktop 12-SP4 (src): qemu-2.11.2-5.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
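
The length mismatch described in the upstream commit message, as an added example in C (a simplified model written for this page, not QEMU's code): ACL rule names are stored in IFNAMSIZ bytes, while the requested bridge name is compared at full length. The deny-beats-allow policy is assumed from the reproduction steps, and the function names `make_rule`, `acl_allows` and `acl_allows_fixed` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16   /* Linux interface-name size, including the '\0' */

enum acl_type { ACL_ALLOW, ACL_ALLOW_ALL, ACL_DENY, ACL_DENY_ALL };
struct acl_rule { enum acl_type type; char iface[IFNAMSIZ]; };

/* Store a bridge.conf name the way the ACL does: cut to IFNAMSIZ bytes. */
static struct acl_rule make_rule(enum acl_type type, const char *name)
{
    struct acl_rule r = { .type = type };   /* iface starts zero-filled */
    strncat(r.iface, name, IFNAMSIZ - 1);   /* keeps at most 15 characters */
    return r;
}

/* Assumed policy (matches the repro): default deny, any deny beats allow. */
static int acl_allows(const struct acl_rule *r, size_t n, const char *br)
{
    int allowed = 0, denied = 0;
    for (size_t i = 0; i < n; i++) {
        int match = strcmp(br, r[i].iface) == 0;  /* full-length compare */
        switch (r[i].type) {
        case ACL_ALLOW_ALL: allowed = 1;      break;
        case ACL_DENY_ALL:  denied = 1;       break;
        case ACL_ALLOW:     allowed |= match; break;
        case ACL_DENY:      denied |= match;  break;
        }
    }
    return allowed && !denied;
}

/* Restricted check: a name that does not fit in IFNAMSIZ is refused. */
static int acl_allows_fixed(const struct acl_rule *r, size_t n, const char *br)
{
    return strlen(br) < IFNAMSIZ && acl_allows(r, n, br);
}

int main(void)
{
    /* Constructed from the bridge.conf in the reproduction steps. */
    struct acl_rule acl[] = { make_rule(ACL_ALLOW_ALL, ""),
                              make_rule(ACL_DENY, "testbridge"),
                              make_rule(ACL_DENY, "verylongbridgename") };
    const char *names[] = { "testbridge", "verylongbridgename" };
    for (size_t i = 0; i < 2; i++)
        printf("%-20s unrestricted=%d restricted=%d\n", names[i],
               acl_allows(acl, 3, names[i]), acl_allows_fixed(acl, 3, names[i]));
    return 0;
}
```

The stored deny rule becomes the 15-character name `verylongbridgen`, so the 18-character request never matches it and falls through to `allow all`; the restricted check refuses the over-long name before the ACL is consulted.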