Bug 1227322 (CVE-2024-4467)

Summary: VUL-0: CVE-2024-4467: qemu: 'qemu-img info' leads to host file read/write
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Dario Faggioli <dfaggioli>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: dfaggioli, rfrohl
Version: unspecifiedFlags: dfaggioli: needinfo? (rfrohl)
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/412713/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-4467:7.8:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-07-03 07:18:02 UTC 
A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-4467
https://www.cve.org/CVERecord?id=CVE-2024-4467
https://access.redhat.com/security/cve/CVE-2024-4467
https://bugzilla.redhat.com/show_bug.cgi?id=2278875
https://access.redhat.com/errata/RHSA-2024:4276
https://access.redhat.com/errata/RHSA-2024:4277
https://access.redhat.com/errata/RHSA-2024:4278
Comment 3 Dario Faggioli 2024-07-08 14:08:38 UTC 
(In reply to SMASH SMASH from comment #0)
> A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A
> specially crafted image file containing a `json:{}` value describing block
> devices in QMP could cause the qemu-img process on the host to consume large
> amounts of memory or CPU time, leading to denial of service or read/write to
> an existing external file.
> 
> References:
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-4467
> https://www.cve.org/CVERecord?id=CVE-2024-4467
> https://access.redhat.com/security/cve/CVE-2024-4467
> https://bugzilla.redhat.com/show_bug.cgi?id=2278875
> https://access.redhat.com/errata/RHSA-2024:4276
> https://access.redhat.com/errata/RHSA-2024:4277
> https://access.redhat.com/errata/RHSA-2024:4278

The fix (https://lore.kernel.org/qemu-devel/20240702163943.276618-1-kwolf@redhat.com/) has been queued for QEMU stable releases, so:

- Factory will be fixed when 9.0.2 is released (and packaged)
- SLE-15-SP6 will get it when 8.2.6 is released (and packaged)
- for older code-stream, I can backport them manually... have you, by any chance, checked which ones are affected already?