Bug 1177155 (CVE-2020-25637)

Summary: VUL-0: CVE-2020-25637: libvirt: double free in qemuAgentGetInterfaces() in qemu_agent.c
Product: [Novell Products] SUSE Security Incidents Reporter: Wolfgang Frisch <wolfgang.frisch>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: jfehlig, meissner, smash_bz, wolfgang.frisch
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/268548/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-25637:7.5:(AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Wolfgang Frisch 2020-09-30 16:59:40 UTC
rh#1881037

A double free vulnerability was found in libvirt while requesting information about the network interfaces of a running domain. The flaw lies in qemuAgentGetInterfaces() in qemu/qemu_agent.c. More specifically, this function interacts with the guest agent and receives JSON data from the agent that contains network interface information. It enumerates the interfaces one by one, using a pointer to a pointers to hold a split interface name (ifname). At some point in every iteration ifname is free'd. If an error occurs right after this, there is a 'goto error', the error handler at this label will free ifname again, leading to a double free. Depending on the ability of the attacker to control and shape the heap state when the second free happens, this flaw may be exploited to achieve code execution.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1881037
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25637
Comment 2 Wolfgang Frisch 2020-09-30 17:19:55 UTC
SUSE:SLE-11-SP1:Update  Not affected [1]
SUSE:SLE-11-SP3:Update  Not affected [1]
SUSE:SLE-11-SP4:Update  Not affected [1]
SUSE:SLE-12-SP2:Update  Affected
SUSE:SLE-12-SP3:Update  Affected
SUSE:SLE-12-SP4:Update  Affected
SUSE:SLE-12-SP5:Update  Affected
SUSE:SLE-15:Update      Affected
SUSE:SLE-15-SP1:Update  Affected
SUSE:SLE-15-SP2:Update  Affected

[1] The feature was introduced in libvirt-1.2.14, commit 0977b8aa071de550e1a013d35e2c72615e65d520
Comment 6 James Fehlig 2020-10-12 19:51:28 UTC
(In reply to Wolfgang Frisch from comment #2)
> SUSE:SLE-12-SP2:Update  Affected

I don't have CI or automated tests for libvirt for products older than SLE12 SP3. Is it possible to skip SLE12 SP2?

> SUSE:SLE-12-SP3:Update  Affected
> SUSE:SLE-12-SP4:Update  Affected
> SUSE:SLE-12-SP5:Update  Affected
> SUSE:SLE-15:Update      Affected
> SUSE:SLE-15-SP1:Update  Affected
> SUSE:SLE-15-SP2:Update  Affected

I've added the patches to all of these products, and in some cases have already sent the submit requests.
Comment 7 Wolfgang Frisch 2020-10-13 07:35:53 UTC
(In reply to James Fehlig from comment #6)
> (In reply to Wolfgang Frisch from comment #2)
> > SUSE:SLE-12-SP2:Update  Affected
> 
> I don't have CI or automated tests for libvirt for products older than SLE12
> SP3. Is it possible to skip SLE12 SP2?
I'm afraid updating SLE-12-SP2 is inevitable, as it appears to be affected by the double free condition. At the very least commit a63b48c5ecef077bf0f909a85f453a605600cf05 should be applied, IMHO.
QA will have to test manually if there are no automated tests available.

> > SUSE:SLE-12-SP3:Update  Affected
> > SUSE:SLE-12-SP4:Update  Affected
> > SUSE:SLE-12-SP5:Update  Affected
> > SUSE:SLE-15:Update      Affected
> > SUSE:SLE-15-SP1:Update  Affected
> > SUSE:SLE-15-SP2:Update  Affected
> 
> I've added the patches to all of these products, and in some cases have
> already sent the submit requests.
Excellent!
Comment 8 James Fehlig 2020-10-13 20:24:31 UTC
Ok, everything has been submitted now. Passing the bug to the security team...
Comment 12 Swamp Workflow Management 2020-10-20 19:18:10 UTC
SUSE-SU-2020:2969-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1171701,1174955,1177155
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    libvirt-4.0.0-9.35.1
SUSE Linux Enterprise Server 15-LTSS (src):    libvirt-4.0.0-9.35.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    libvirt-4.0.0-9.35.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    libvirt-4.0.0-9.35.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2020-10-20 19:19:36 UTC
SUSE-SU-2020:2970-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1173157,1174139,1174955,1175465,1176430,1177155
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    libvirt-6.0.0-13.8.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    libvirt-6.0.0-13.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2020-10-26 20:13:59 UTC
SUSE-SU-2020:3037-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1174955,1175465,1175574,1176430,1177155,1177480
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    libvirt-5.1.0-8.24.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    libvirt-5.1.0-8.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2020-10-27 11:15:59 UTC
SUSE-SU-2020:3038-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1171701,1174955,1177155
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    libvirt-4.0.0-8.23.1
SUSE OpenStack Cloud 9 (src):    libvirt-4.0.0-8.23.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    libvirt-4.0.0-8.23.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    libvirt-4.0.0-8.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2020-10-27 11:17:15 UTC
SUSE-SU-2020:3039-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1174955,1175574,1176430,1177155,1177480
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libvirt-5.1.0-13.19.1
SUSE Linux Enterprise Server 12-SP5 (src):    libvirt-5.1.0-13.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2020-10-29 20:16:32 UTC
SUSE-SU-2020:3095-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174955,1177155
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    libvirt-3.3.0-5.46.1
SUSE OpenStack Cloud 8 (src):    libvirt-3.3.0-5.46.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    libvirt-3.3.0-5.46.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    libvirt-3.3.0-5.46.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    libvirt-3.3.0-5.46.1
SUSE Enterprise Storage 5 (src):    libvirt-3.3.0-5.46.1
HPE Helion Openstack 8 (src):    libvirt-3.3.0-5.46.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2020-10-30 23:15:17 UTC
openSUSE-SU-2020:1778-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1174955,1175465,1175574,1176430,1177155,1177480
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    libvirt-5.1.0-lp151.7.10.1
Comment 19 Swamp Workflow Management 2020-10-30 23:16:51 UTC
openSUSE-SU-2020:1777-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1173157,1174139,1174955,1175465,1176430,1177155
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    libvirt-6.0.0-lp152.9.6.2
Comment 20 Swamp Workflow Management 2020-11-03 20:15:00 UTC
SUSE-SU-2020:3143-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174955,1177155
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References: 
Sources used:
SUSE OpenStack Cloud 7 (src):    libvirt-2.0.0-27.64.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    libvirt-2.0.0-27.64.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    libvirt-2.0.0-27.64.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    libvirt-2.0.0-27.64.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Alexandros Toptsoglou 2021-01-27 17:05:53 UTC
DONE