Bug 1221815 (CVE-2024-2494)

Summary: VUL-0: CVE-2024-2494: libvirt: negative g_new0 length can lead to unbounded memory allocation
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: carlos.lopez, jfehlig
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/398530/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-2494:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-03-21 12:48:11 UTC 
A flaw was found in the RPC library APIs of libvirt. The RPC server de-serialization code allocates memory for arrays before the non-negative length check is performed by the C API entry points. Passing a negative length to the g_new0 function results in a crash due to the negative length being treated as a huge positive number. A local unprivileged user could use this flaw to perform a denial of service attack by causing the libvirt daemon to crash.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-2494
https://bugzilla.redhat.com/show_bug.cgi?id=2270115
Comment 1 Carlos López 2024-03-21 13:03:57 UTC 
Affects all codestreams.
Comment 2 James Fehlig 2024-03-21 14:09:20 UTC 
(In reply to Carlos López from comment #1)
> Affects all codestreams.

Let's explicitly list those so I don't forget any. AFAIK, it would be

- openSUSE:Factory
- SUSE:ALP:Source:Standard:1.0
- SUSE:SLE-15-SP6:GA
- SUSE:SLE-15-SP5:Update
- SUSE:SLE-15-SP4:Update
- SUSE:SLE-15-SP3:Update
- SUSE:SLE-15-SP2:Update
- SUSE:SLE-12-SP5:Update
- SUSE:SLE-12-SP3:Update

Did I miss any?
Comment 3 Carlos López 2024-03-21 16:24:55 UTC 
(In reply to James Fehlig from comment #2)
> - openSUSE:Factory
> - SUSE:ALP:Source:Standard:1.0
> - SUSE:SLE-15-SP6:GA
> - SUSE:SLE-15-SP5:Update
> - SUSE:SLE-15-SP4:Update
> - SUSE:SLE-15-SP3:Update
> - SUSE:SLE-15-SP2:Update
> - SUSE:SLE-12-SP5:Update
> - SUSE:SLE-12-SP3:Update
> 
> Did I miss any?

No. There are other codestreams, but they are under reactive support only, so the list is complete.
Comment 5 OBSbugzilla Bot 2024-03-22 01:35:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1221815) was mentioned in
https://build.opensuse.org/request/show/1160500 Factory / libvirt
Comment 10 James Fehlig 2024-03-28 22:03:08 UTC 
I've submitted an updated libvirt containing the fix to all codestreams. Passing the bug to security-team@ for continued processing.
Comment 11 Maintenance Automation 2024-04-01 16:30:02 UTC 
SUSE-SU-2024:1078-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1221815
CVE References: CVE-2024-2494
Maintenance Incident: [SUSE:Maintenance:33143](https://smelt.suse.de/incident/33143/)
Sources used:
openSUSE Leap 15.3 (src):
 libvirt-7.1.0-150300.6.41.1
Server Applications Module 15-SP5 (src):
 libvirt-7.1.0-150300.6.41.1
SUSE Linux Enterprise Micro 5.1 (src):
 libvirt-7.1.0-150300.6.41.1
SUSE Linux Enterprise Micro 5.2 (src):
 libvirt-7.1.0-150300.6.41.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src):
 libvirt-7.1.0-150300.6.41.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Maintenance Automation 2024-04-02 08:30:02 UTC 
SUSE-SU-2024:1083-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1221815
CVE References: CVE-2024-2494
Maintenance Incident: [SUSE:Maintenance:33153](https://smelt.suse.de/incident/33153/)
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 libvirt-5.1.0-13.42.1
SUSE Linux Enterprise Server 12 SP5 (src):
 libvirt-5.1.0-13.42.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 libvirt-5.1.0-13.42.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 libvirt-5.1.0-13.42.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Maintenance Automation 2024-04-08 12:31:30 UTC 
SUSE-SU-2024:1100-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1221749, 1221815
CVE References: CVE-2024-2494
Maintenance Incident: [SUSE:Maintenance:33033](https://smelt.suse.de/incident/33033/)
Sources used:
openSUSE Leap 15.4 (src):
 libvirt-8.0.0-150400.7.11.2
openSUSE Leap Micro 5.3 (src):
 libvirt-8.0.0-150400.7.11.2
openSUSE Leap Micro 5.4 (src):
 libvirt-8.0.0-150400.7.11.2
SUSE Linux Enterprise Micro for Rancher 5.3 (src):
 libvirt-8.0.0-150400.7.11.2
SUSE Linux Enterprise Micro 5.3 (src):
 libvirt-8.0.0-150400.7.11.2
SUSE Linux Enterprise Micro for Rancher 5.4 (src):
 libvirt-8.0.0-150400.7.11.2
SUSE Linux Enterprise Micro 5.4 (src):
 libvirt-8.0.0-150400.7.11.2
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 libvirt-8.0.0-150400.7.11.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 libvirt-8.0.0-150400.7.11.2
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 libvirt-8.0.0-150400.7.11.2
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 libvirt-8.0.0-150400.7.11.2
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 libvirt-8.0.0-150400.7.11.2
SUSE Manager Proxy 4.3 (src):
 libvirt-8.0.0-150400.7.11.2
SUSE Manager Retail Branch Server 4.3 (src):
 libvirt-8.0.0-150400.7.11.2
SUSE Manager Server 4.3 (src):
 libvirt-8.0.0-150400.7.11.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Maintenance Automation 2024-04-08 12:31:33 UTC 
SUSE-SU-2024:1099-1: An update that solves three vulnerabilities and has three security fixes can now be installed.

Category: security (moderate)
Bug References: 1214223, 1216980, 1220512, 1221237, 1221468, 1221815
CVE References: CVE-2024-1441, CVE-2024-2494, CVE-2024-2496
Maintenance Incident: [SUSE:Maintenance:32869](https://smelt.suse.de/incident/32869/)
Sources used:
openSUSE Leap 15.5 (src):
 libvirt-9.0.0-150500.6.20.1
SUSE Linux Enterprise Micro 5.5 (src):
 libvirt-9.0.0-150500.6.20.1
Basesystem Module 15-SP5 (src):
 libvirt-9.0.0-150500.6.20.1
Server Applications Module 15-SP5 (src):
 libvirt-9.0.0-150500.6.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.