Bug 1213001 (CVE-2023-3255)

Summary: VUL-0: CVE-2023-3255: qemu,kvm: VNC: infinite loop in inflate_buffer() leads to denial of service
Product: [Novell Products] SUSE Security Incidents Reporter: Carlos López <carlos.lopez>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: dfaggioli, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/371191/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-3255:4.9:(AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Carlos López 2023-07-05 07:48:27 UTC 
CVE-2023-3255

The `vnc_client_cut_text_ext` function in ui/vnc-clipboard.c calls `inflate_buffer` with an attacker controlled buffer (size, data). There is a wrong exit condition in `inflate_buffer` which can trigger an infinite loop. A remote authenticated client who is able to send a clipboard to the QEMU built-in VNC server can trigger this flaw and cause a denial of service.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3255
https://bugzilla.redhat.com/show_bug.cgi?id=2218486
Comment 1 Carlos López 2023-07-05 07:51:53 UTC 
Proposed patch:
https://lists.nongnu.org/archive/html/qemu-devel/2023-07/msg00596.html
Comment 2 Carlos López 2023-07-05 08:15:32 UTC 
We have 0bf41cab ("ui/vnc: clipboard support") in:
- SUSE:SLE-15-SP4:Update/qemu
- SUSE:SLE-15-SP5:Update/qemu
- SUSE:ALP:Source:Standard:1.0/qemu
- openSUSE:Factory/qemu
Comment 3 Dario Faggioli 2023-07-26 11:08:10 UTC 
(In reply to Carlos López from comment #1)
> Proposed patch:
> https://lists.nongnu.org/archive/html/qemu-devel/2023-07/msg00596.html
>
Committed as d921fea338c1059a27ce7b75309d7a2e485f710b

https://gitlab.com/qemu-project/qemu/-/commit/d921fea338c1059a27ce7b75309d7a2e485f710b
Comment 5 OBSbugzilla Bot 2023-07-27 09:55:06 UTC 
This is an autogenerated message for OBS integration:
This bug (1213001) was mentioned in
https://build.opensuse.org/request/show/1101031 Factory / qemu
Comment 7 Maintenance Automation 2023-08-01 08:45:05 UTC 
SUSE-SU-2023:3082-1: An update that solves four vulnerabilities and has two fixes can now be installed.

Category: security (important)
Bug References: 1179993, 1181740, 1207205, 1212968, 1213001, 1213414
CVE References: CVE-2023-0330, CVE-2023-2861, CVE-2023-3255, CVE-2023-3301
Sources used:
Server Applications Module 15-SP5 (src): qemu-7.1.0-150500.49.6.1
openSUSE Leap 15.5 (src): qemu-linux-user-7.1.0-150500.49.6.1, qemu-7.1.0-150500.49.6.1
Basesystem Module 15-SP5 (src): qemu-7.1.0-150500.49.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Dario Faggioli 2023-08-03 10:49:55 UTC 
This should be done, handing it back
Comment 10 Maintenance Automation 2023-08-08 20:30:44 UTC 
SUSE-SU-2023:3234-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1212968, 1213001, 1213414
CVE References: CVE-2023-2861, CVE-2023-3255, CVE-2023-3301
Sources used:
openSUSE Leap 15.4 (src): qemu-linux-user-6.2.0-150400.37.20.1, qemu-6.2.0-150400.37.20.1
openSUSE Leap Micro 5.3 (src): qemu-6.2.0-150400.37.20.1
openSUSE Leap Micro 5.4 (src): qemu-6.2.0-150400.37.20.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): qemu-6.2.0-150400.37.20.1
SUSE Linux Enterprise Micro 5.3 (src): qemu-6.2.0-150400.37.20.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): qemu-6.2.0-150400.37.20.1
SUSE Linux Enterprise Micro 5.4 (src): qemu-6.2.0-150400.37.20.1
Basesystem Module 15-SP4 (src): qemu-6.2.0-150400.37.20.1
Server Applications Module 15-SP4 (src): qemu-6.2.0-150400.37.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 OBSbugzilla Bot 2023-08-09 06:55:06 UTC 
This is an autogenerated message for OBS integration:
This bug (1213001) was mentioned in
https://build.opensuse.org/request/show/1103082 Factory / qemu
Comment 13 OBSbugzilla Bot 2023-09-12 14:05:29 UTC 
This is an autogenerated message for OBS integration:
This bug (1213001) was mentioned in
https://build.opensuse.org/request/show/1110620 Factory / qemu
Comment 15 Maintenance Automation 2023-11-15 16:30:01 UTC 
SUSE-SU-2023:3082-2: An update that solves four vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1179993, 1181740, 1207205, 1212968, 1213001, 1213414
CVE References: CVE-2023-0330, CVE-2023-2861, CVE-2023-3255, CVE-2023-3301
Sources used:
SUSE Linux Enterprise Micro 5.5 (src): qemu-7.1.0-150500.49.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Carlos López 2024-02-22 14:37:27 UTC 
Done, closing.