Bug 870439

Summary:	VUL-0: qemu: various security issues in block layer
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Marcus Meissner <meissner>
Component:	Incidents	Assignee:	Andreas Färber <afaerber>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Major
Priority:	P3 - Medium	CC:	brogers, jdouglas, meissner, security-team, tyuan, vpereira
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
Whiteboard:	maint:released:sle11-sp3:57056
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Marcus Meissner 2014-03-26 16:55:02 UTC

via oss-sec

From: Stefan Hajnoczi <stefanha@redhat.com>
Subject: [oss-security] QEMU image format input validation fixes (multiple CVEs)
Date: Wed, 26 Mar 2014 13:37:17 +0100

Hi,
Several missing input validation bugs in QEMU's disk image format code
have been fixed.

CVEs are as follows:
parallels: Sanity check for s->tracks (CVE-2014-0142)
parallels: Fix catalog size integer overflow (CVE-2014-0143)
qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143)
qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145)
qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)
block: Limit request size (CVE-2014-0143)
dmg: prevent chunk buffer overflow (CVE-2014-0145)
dmg: sanitize chunk length and sectorcount (CVE-2014-0145)
qcow2: Fix new L1 table size check (CVE-2014-0143)
qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143)
qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147)
qcow2: Validate active L1 table offset and size (CVE-2014-0144)
qcow2: Validate snapshot table offset/size (CVE-2014-0144)
qcow2: Check refcount table size (CVE-2014-0144)
qcow2: Check backing_file_offset (CVE-2014-0144)
qcow2: Check header_length (CVE-2014-0144)
curl: check data size before memcpy to local buffer.  (CVE-2014-0144)
vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148)
vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144)
vpc: Validate block size (CVE-2014-0142)
vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144)
bochs: Check extent_size header field (CVE-2014-0142)
bochs: Check catalog_size header field (CVE-2014-0143)
bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147)
block/cloop: refuse images with bogus offsets (CVE-2014-0144)
block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)
block/cloop: prevent offsets_size integer overflow (CVE-2014-0143)
block/cloop: validate block_size header field (CVE-2014-0144)

Patches are available here:
https://lists.gnu.org/archive/html/qemu-devel/2014-03/msg04994.html

Patches will be in the upcoming QEMU 2.0 release and a QEMU 1.7.2
stable release is also planned.  You are welcome to join #qemu on
irc.oftc.net or the qemu-devel@nongnu.org mailing list if you need more
information.

Stefan

Comment 1 Marcus Meissner 2014-03-26 16:56:01 UTC

This time I opened a tracker bug. If you want seperate bugs for those, we can do that.

Comment 2 Swamp Workflow Management 2014-03-26 23:00:26 UTC

bugbot adjusting priority

Comment 4 Andreas Färber 2014-04-04 16:02:14 UTC

VHDX is not available in v1.4, so vhdx patch not applicable to SLE11 SP3.

Comment 10 Swamp Workflow Management 2014-04-10 14:35:10 UTC

The SWAMPID for this issue is 56981.
This issue was rated as important.
Please submit fixed packages until 2014-04-17.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.

Comment 11 SMASH SMASH 2014-04-10 14:40:12 UTC

Affected packages:

SLE-11-SP3: kvm

Comment 12 Andreas Färber 2014-04-10 15:53:44 UTC

Submitted SR#35871

Comment 16 Tony Yuan 2014-05-05 09:19:07 UTC

I am testing this update for sle11sp3. I can't find the patch for CVE-2014-0148.
Is it missing?

Comment 17 Andreas Färber 2014-05-05 09:46:23 UTC

QEMU v1.4.2 does not include VHDX:
http://git.qemu-project.org/?p=qemu.git;a=tree;f=block;h=7db7b6e68fca4585f9ab1cd859381eaebe8a1a9b;hb=89400a80f5827ae3696e3da73df0996154965a0a

It was introduced in v1.5:
http://git.qemu-project.org/?p=qemu.git;a=tree;f=block;h=9c7b376a681d86d3cb89645d435aed8007ed324a;hb=c0b1a7e207094dba0b37a892b41fe4cab3195e44

Comment 18 Swamp Workflow Management 2014-05-08 13:53:18 UTC

Update released for: kvm, kvm-debuginfo, kvm-debugsource
Products:
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, s390x, x86_64)

Comment 19 Swamp Workflow Management 2014-05-08 17:05:06 UTC

SUSE-SU-2014:0623-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 812983,817593,842006,864802,870439
CVE References: CVE-2013-2016,CVE-2013-4344,CVE-2013-4541,CVE-2014-0142,CVE-2014-0143,CVE-2014-0144,CVE-2014-0145,CVE-2014-0146,CVE-2014-0147
Sources used:
SUSE Linux Enterprise Server 11 SP3 (src):    kvm-1.4.2-0.11.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    kvm-1.4.2-0.11.1