Bug 1163018 (CVE-2020-8608)

Summary: VUL-0: CVE-2020-8608: kvm,qemu: potential OOB access due to unsafe snprintf() usages
Product: [Novell Products] SUSE Security Incidents
Component: Incidents
Reporter: Alexandros Toptsoglou <atoptsoglou>
Assignee: Security Team bot <security-team>
QA Contact: Security Team bot <security-team>
Status: RESOLVED FIXED
Severity: Normal
Priority: P3 - Medium
CC: brogers, carlos.lopez, gianluca.gabrielli, meissner, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/252463/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-8608:7.0:(AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexandros Toptsoglou 2020-02-06 14:47:39 UTC
CVE-2020-8608

An out-of-bounds heap buffer access issue was found in the SLiRP networking implementation
of the QEMU emulator. It occurs in the tcp_emu() routine while emulating IRC and
other protocols due to unsafe usage of the snprintf(3) function.

A user/process could use this flaw to crash the QEMU process on the host
resulting in DoS or potentially execute arbitrary code with privileges of the
QEMU process on the host.

Upstream patch:
---------------
  -> https://gitlab.freedesktop.org/slirp/libslirp/commit/68ccb8021a838066f0951d4b2817eb6b6f10a843
  -> https://gitlab.freedesktop.org/slirp/libslirp/commit/30648c03b27fb8d9611b723184216cd3174b6775

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1798453
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8608
http://seclists.org/oss-sec/2020/q1/64
https://gitlab.freedesktop.org/slirp/libslirp/commit/30648c03b27fb8d9611b723184216cd3174b6775
https://gitlab.freedesktop.org/slirp/libslirp/commit/68ccb8021a838066f0951d4b2817eb6b6f10a843
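
An added illustration, not libslirp or QEMU code and not part of the original report: the general snprintf(3) pitfall behind "unsafe snprintf() usage", where the return value (the length the output would have had) is treated as the number of bytes stored, shown beside a checked formatter. The helper names, the format string and the 16-byte buffer are assumptions constructed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Unsafe pattern (hypothetical helper): uses snprintf()'s return value as
 * "bytes written". C99 snprintf() returns the length the output WOULD have
 * had, so on truncation the tracked length is larger than the buffer. */
static size_t unsafe_tracked_len(char *buf, size_t size, const char *arg)
{
    size_t len = 0;
    len += (size_t)snprintf(buf, size, "MSG %s\n", arg);
    return len; /* may exceed size; any later use of buf + len is out of bounds */
}

/* Checked formatter (hypothetical helper): returns the bytes actually stored,
 * excluding the NUL, or -1 on error or truncation so the caller can stop. */
static int checked_fmt(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (size == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= size) {
        buf[0] = '\0'; /* leave no partial output behind */
        return -1;
    }
    return n;
}

int main(void)
{
    char buf[16];
    /* Constructed input: 32 bytes, longer than the buffer. */
    const char *longarg = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    size_t bad = unsafe_tracked_len(buf, sizeof buf, longarg);
    printf("buffer=%zu tracked=%zu stored=%zu\n", sizeof buf, bad, strlen(buf));
    printf("checked, long input:  %d\n",
           checked_fmt(buf, sizeof buf, "MSG %s\n", longarg));
    printf("checked, short input: %d\n",
           checked_fmt(buf, sizeof buf, "MSG %s\n", "ok"));
    return 0;
}
```

The unsafe helper reports a length larger than the buffer even though snprintf() itself never wrote past it; the out-of-bounds access comes from code that later trusts that length.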
Comment 1 Alexandros Toptsoglou 2020-02-06 15:07:35 UTC
Tracked as affected: 

kvm: 

11-SP1,3,4

qemu:

11
12-SP1,2,3,4,5
15
15-SP1
Comment 6 Swamp Workflow Management 2020-04-01 19:16:35 UTC
SUSE-SU-2020:0844-1: An update that solves 6 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1123156,1154790,1161066,1162729,1163018,1165776,1166240,1166379
CVE References: CVE-2019-15034,CVE-2019-20382,CVE-2019-6778,CVE-2020-1711,CVE-2020-7039,CVE-2020-8608
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    qemu-3.1.1.1-9.14.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    qemu-3.1.1.1-9.14.1, qemu-linux-user-3.1.1.1-9.14.1, qemu-testsuite-3.1.1.1-9.14.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    qemu-3.1.1.1-9.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2020-04-01 19:24:05 UTC
SUSE-SU-2020:0845-1: An update that solves 6 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1123156,1154790,1156642,1156794,1158880,1161066,1162161,1162729,1163018,1165776,1166240,1166379
CVE References: CVE-2019-15034,CVE-2019-20382,CVE-2019-6778,CVE-2020-1711,CVE-2020-7039,CVE-2020-8608
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    qemu-3.1.1.1-3.9.1

Comment 8 Swamp Workflow Management 2020-04-07 04:14:11 UTC
openSUSE-SU-2020:0468-1: An update that solves 6 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1123156,1154790,1161066,1162729,1163018,1165776,1166240,1166379
CVE References: CVE-2019-15034,CVE-2019-20382,CVE-2019-6778,CVE-2020-1711,CVE-2020-7039,CVE-2020-8608
Sources used:
openSUSE Leap 15.1 (src):    qemu-3.1.1.1-lp151.7.12.1, qemu-linux-user-3.1.1.1-lp151.7.12.1
Comment 10 Swamp Workflow Management 2020-05-28 19:13:20 UTC
SUSE-SU-2020:1501-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1123156,1161066,1163018,1165776,1166240,1170940
CVE References: CVE-2019-20382,CVE-2019-6778,CVE-2020-1711,CVE-2020-1983,CVE-2020-7039,CVE-2020-8608
Sources used:
SUSE Linux Enterprise Server 12-SP4 (src):    qemu-2.11.2-5.26.1

Comment 11 Swamp Workflow Management 2020-06-02 13:15:51 UTC
SUSE-SU-2020:1514-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1123156,1146873,1149811,1161066,1163018,1166240,1170940
CVE References: CVE-2019-12068,CVE-2019-15890,CVE-2019-6778,CVE-2020-1711,CVE-2020-1983,CVE-2020-7039,CVE-2020-8608
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    qemu-2.3.1-33.29.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    qemu-2.3.1-33.29.1

Comment 12 Swamp Workflow Management 2020-06-03 10:15:28 UTC
SUSE-SU-2020:1523-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1123156,1161066,1163018,1165776,1166240,1170940
CVE References: CVE-2019-20382,CVE-2019-6778,CVE-2020-1711,CVE-2020-1983,CVE-2020-7039,CVE-2020-8608
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    qemu-2.11.2-9.36.1
SUSE Linux Enterprise Server 15-LTSS (src):    qemu-2.11.2-9.36.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    qemu-2.11.2-9.36.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    qemu-2.11.2-9.36.1

Comment 13 Swamp Workflow Management 2020-06-03 13:18:53 UTC
SUSE-SU-2020:1526-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1123156,1146873,1149811,1161066,1163018,1166240,1170940
CVE References: CVE-2019-12068,CVE-2019-15890,CVE-2019-6778,CVE-2020-1711,CVE-2020-1983,CVE-2020-7039,CVE-2020-8608
Sources used:
SUSE OpenStack Cloud 7 (src):    qemu-2.6.2-41.59.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    qemu-2.6.2-41.59.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    qemu-2.6.2-41.59.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    qemu-2.6.2-41.59.1

Comment 14 Swamp Workflow Management 2020-06-04 16:17:39 UTC
SUSE-SU-2020:1538-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1123156,1146873,1149811,1160024,1161066,1163018,1166240,1170940
CVE References: CVE-2019-12068,CVE-2019-15890,CVE-2019-6778,CVE-2020-1711,CVE-2020-1983,CVE-2020-7039,CVE-2020-8608
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    qemu-2.9.1-6.44.1
SUSE OpenStack Cloud 8 (src):    qemu-2.9.1-6.44.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    qemu-2.9.1-6.44.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    qemu-2.9.1-6.44.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    qemu-2.9.1-6.44.1
SUSE Enterprise Storage 5 (src):    qemu-2.9.1-6.44.1
HPE Helion Openstack 8 (src):    qemu-2.9.1-6.44.1

Comment 15 Swamp Workflow Management 2020-06-11 19:12:49 UTC
SUSE-SU-2020:14396-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1123156,1146873,1149811,1161066,1163018,1170940
CVE References: CVE-2019-12068,CVE-2019-15890,CVE-2019-6778,CVE-2020-1983,CVE-2020-7039,CVE-2020-8608
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    kvm-1.4.2-60.31.1

Comment 18 Bruce Rogers 2021-04-07 00:42:56 UTC
Not fixing in SLE-11-qemu or SLE-11-SP1.
Fix is included in maintenance requests for all releases we intend to apply this fix. Returning to the security-team.
Comment 19 Swamp Workflow Management 2021-04-23 19:18:05 UTC
SUSE-SU-2021:14706-1: An update that fixes 21 vulnerabilities is now available.

Category: security (important)
Bug References: 1123156,1146873,1149811,1161066,1163018,1170940,1172383,1172384,1172385,1172478,1175441,1176673,1176682,1176684,1178934,1179467,1181108,1182137,1182425,1182577
CVE References: CVE-2014-3689,CVE-2015-1779,CVE-2019-12068,CVE-2019-15890,CVE-2019-6778,CVE-2020-12829,CVE-2020-13361,CVE-2020-13362,CVE-2020-13765,CVE-2020-14364,CVE-2020-1983,CVE-2020-25084,CVE-2020-25624,CVE-2020-25625,CVE-2020-25723,CVE-2020-29130,CVE-2020-29443,CVE-2020-7039,CVE-2020-8608,CVE-2021-20181,CVE-2021-20257
JIRA References: 
Sources used:
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    kvm-1.4.2-53.38.1

Comment 20 Gianluca Gabrielli 2021-05-21 14:05:21 UTC
(In reply to Bruce Rogers from comment #18)
> Not fixing in SLE-11-qemu or SLE-11-SP1.
> Fix is included in maintenance requests for all releases we intend to apply
> this fix. Returning to the security-team.

Did you mean SUSE:SLE-11-SP1:Update/kvm and SUSE:SLE-11:Update/qemu?
Comment 23 Carlos López 2022-06-10 09:34:25 UTC
Done, closing.