Bug 870439

Summary: VUL-0: qemu: various security issues in block layer
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Andreas Färber <afaerber>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: brogers, jdouglas, meissner, security-team, tyuan, vpereira
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: maint:released:sle11-sp3:57056
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2014-03-26 16:55:02 UTC
via oss-sec

From: Stefan Hajnoczi <stefanha@redhat.com>
Subject: [oss-security] QEMU image format input validation fixes (multiple CVEs)
Date: Wed, 26 Mar 2014 13:37:17 +0100

Several missing input validation bugs in QEMU's disk image format code
have been fixed.

CVEs are as follows:
parallels: Sanity check for s->tracks (CVE-2014-0142)
parallels: Fix catalog size integer overflow (CVE-2014-0143)
qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143)
qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145)
qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)
block: Limit request size (CVE-2014-0143)
dmg: prevent chunk buffer overflow (CVE-2014-0145)
dmg: sanitize chunk length and sectorcount (CVE-2014-0145)
qcow2: Fix new L1 table size check (CVE-2014-0143)
qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143)
qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147)
qcow2: Validate active L1 table offset and size (CVE-2014-0144)
qcow2: Validate snapshot table offset/size (CVE-2014-0144)
qcow2: Check refcount table size (CVE-2014-0144)
qcow2: Check backing_file_offset (CVE-2014-0144)
qcow2: Check header_length (CVE-2014-0144)
curl: check data size before memcpy to local buffer.  (CVE-2014-0144)
vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148)
vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144)
vpc: Validate block size (CVE-2014-0142)
vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144)
bochs: Check extent_size header field (CVE-2014-0142)
bochs: Check catalog_size header field (CVE-2014-0143)
bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147)
block/cloop: refuse images with bogus offsets (CVE-2014-0144)
block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)
block/cloop: prevent offsets_size integer overflow (CVE-2014-0143)
block/cloop: validate block_size header field (CVE-2014-0144)

Patches are available here:

Patches will be in the upcoming QEMU 2.0 release and a QEMU 1.7.2
stable release is also planned.  You are welcome to join #qemu on
irc.oftc.net or the qemu-devel@nongnu.org mailing list if you need more

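The commit titles above describe the class of bug (header fields trusted as offsets, sizes and counts without bounds checks) but not what the checks look like. The following is an added illustration, not QEMU's code and not part of the bug report: a stand-alone checker for the qcow2 header that applies the same kinds of checks the list names (header_length, backing_file_offset, active L1 offset/size, refcount table size, snapshot table offset), on a constructed in-memory header rather than a real image. The field offsets follow the qcow2 on-disk layout; the size caps reuse the values QEMU's qcow2.h defines for QCOW_MAX_L1_SIZE, QCOW_MAX_REFTABLE_SIZE and QCOW_MAX_SNAPSHOTS. The names qcow2_check_header, range_in_image, build_valid_header, check_mutated and IMAGE_BYTES are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* qcow2 header layout (big-endian): fixed v2 part is 72 bytes, v3 fields run to 104. */
#define QCOW2_MAGIC         0x514649fbu
#define QCOW2_V2_HEADER_LEN 72u
#define QCOW2_V3_HEADER_LEN 104u
#define MIN_CLUSTER_BITS    9
#define MAX_CLUSTER_BITS    21
#define MAX_L1_BYTES        0x2000000ull  /* 32 MiB cap, same value as QEMU's QCOW_MAX_L1_SIZE */
#define MAX_REFTABLE_BYTES  0x800000ull   /*  8 MiB cap, same value as QEMU's QCOW_MAX_REFTABLE_SIZE */
#define MAX_SNAPSHOTS       65536u
#define IMAGE_BYTES         262144ull     /* constructed: size of the (fake) image file on disk */

static uint32_t get_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint64_t get_be64(const uint8_t *p) { return ((uint64_t)get_be32(p) << 32) | get_be32(p + 4); }
static void put_be32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }
static void put_be64(uint8_t *p, uint64_t v) { put_be32(p, (uint32_t)(v >> 32)); put_be32(p + 4, (uint32_t)v); }

/* [off, off+len) inside a file of image_size bytes, written so a huge off or len cannot wrap. */
static int range_in_image(uint64_t off, uint64_t len, uint64_t image_size) {
    return off <= image_size && len <= image_size - off;
}

/* Returns 0 if the header passes every sanity check, -1 otherwise (reason in *why). */
static int qcow2_check_header(const uint8_t *buf, size_t buflen, uint64_t image_size, const char **why) {
    if (buflen < QCOW2_V2_HEADER_LEN || get_be32(buf) != QCOW2_MAGIC) { *why = "short header or bad magic"; return -1; }
    uint32_t version = get_be32(buf + 4),  cluster_bits = get_be32(buf + 20);
    uint64_t backing_off = get_be64(buf + 8);
    uint32_t backing_len = get_be32(buf + 16);
    uint64_t size = get_be64(buf + 24),    l1_off = get_be64(buf + 40), reft_off = get_be64(buf + 48);
    uint32_t l1_size = get_be32(buf + 36), reft_clusters = get_be32(buf + 56), nb_snapshots = get_be32(buf + 60);
    uint64_t snap_off = get_be64(buf + 64);

    if (version != 2 && version != 3) { *why = "unsupported version"; return -1; }
    /* cluster_bits is validated first: every shift below depends on it. */
    if (cluster_bits < MIN_CLUSTER_BITS || cluster_bits > MAX_CLUSTER_BITS) { *why = "cluster_bits out of range"; return -1; }
    uint64_t cluster_size = 1ull << cluster_bits;

    /* header_length (v3 only): must cover the v3 fields and fit inside the first cluster. */
    uint32_t header_len = QCOW2_V2_HEADER_LEN;
    if (version == 3) {
        if (buflen < QCOW2_V3_HEADER_LEN) { *why = "short v3 header"; return -1; }
        header_len = get_be32(buf + 100);
        if (header_len < QCOW2_V3_HEADER_LEN || header_len > cluster_size) { *why = "bad header_length"; return -1; }
    }
    /* The backing file name sits after the header in the first cluster, at most 1023 bytes. */
    if (backing_off && (backing_off < header_len || backing_off > cluster_size ||
                        backing_len > cluster_size - backing_off || backing_len > 1023)) {
        *why = "bad backing_file_offset/size"; return -1;
    }
    /* Active L1 table: capped size, cluster-aligned, inside the file, and big enough for the disk. */
    uint64_t l1_bytes = (uint64_t)l1_size * sizeof(uint64_t);          /* u32 * 8 cannot overflow u64 */
    if (l1_bytes > MAX_L1_BYTES || (l1_off & (cluster_size - 1)) || !range_in_image(l1_off, l1_bytes, image_size)) {
        *why = "bad L1 table offset/size"; return -1;
    }
    uint64_t bytes_per_l1_entry = 1ull << (cluster_bits + (cluster_bits - 3)); /* one L2 table's coverage */
    uint64_t min_l1 = size / bytes_per_l1_entry + (size % bytes_per_l1_entry != 0);
    if (min_l1 > l1_size) { *why = "L1 table too small for disk size"; return -1; }
    /* Refcount table: u32 clusters << at most 21 bits always fits in u64, so the shift is safe; then cap it. */
    uint64_t reft_bytes = (uint64_t)reft_clusters << cluster_bits;
    if (reft_bytes > MAX_REFTABLE_BYTES || (reft_off & (cluster_size - 1)) || !range_in_image(reft_off, reft_bytes, image_size)) {
        *why = "bad refcount table offset/size"; return -1;
    }
    /* Snapshot table: bounded count; when present, aligned and inside the file. */
    if (nb_snapshots > MAX_SNAPSHOTS || (nb_snapshots && ((snap_off & (cluster_size - 1)) || snap_off >= image_size))) {
        *why = "bad snapshot table offset/count"; return -1;
    }
    *why = "ok";
    return 0;
}

/* Constructed v3 header: 64 MiB virtual disk, 64 KiB clusters, L1 at cluster 3, refcounts at cluster 1. */
static void build_valid_header(uint8_t h[QCOW2_V3_HEADER_LEN]) {
    memset(h, 0, QCOW2_V3_HEADER_LEN);
    put_be32(h + 0, QCOW2_MAGIC);  put_be32(h + 4, 3);       put_be32(h + 20, 16);
    put_be64(h + 24, 64ull << 20); put_be32(h + 36, 1);      put_be64(h + 40, 3ull << 16);
    put_be64(h + 48, 1ull << 16);  put_be32(h + 56, 1);      put_be32(h + 96, 4);
    put_be32(h + 100, QCOW2_V3_HEADER_LEN);
}

/* Build the valid header, overwrite one field (width 4 or 8 bytes) and run the checker. */
static int check_mutated(size_t field_off, int width, uint64_t value) {
    uint8_t h[QCOW2_V3_HEADER_LEN]; const char *why;
    build_valid_header(h);
    if (width == 8) put_be64(h + field_off, value); else put_be32(h + field_off, (uint32_t)value);
    int rc = qcow2_check_header(h, sizeof h, IMAGE_BYTES, &why);
    printf("field@%zu=%llu -> %s\n", field_off, (unsigned long long)value, why);
    return rc;
}

int main(void) {
    check_mutated(100, 4, QCOW2_V3_HEADER_LEN);   /* unchanged field: accepted */
    check_mutated(100, 4, 16);                    /* header_length too small */
    check_mutated(36, 4, 0x10000000);             /* L1 table of 2 GiB, beyond the cap */
    check_mutated(8, 8, 1ull << 20);              /* backing_file_offset past the first cluster */
    check_mutated(56, 4, 0xffffffff);             /* refcount table clusters far beyond the cap */
    check_mutated(24, 8, 1ull << 40);             /* 1 TiB disk that a 1-entry L1 cannot map */
    return 0;
}
```

The two habits worth copying are the order of the checks (cluster_bits before anything that shifts by it) and range_in_image, which compares against `image_size - off` instead of computing `off + len`, so an attacker-chosen offset cannot wrap the addition into a small, plausible-looking value.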
Comment 1 Marcus Meissner 2014-03-26 16:56:01 UTC
This time I opened a tracker bug. If you want separate bugs for those, we can do that.
Comment 2 Swamp Workflow Management 2014-03-26 23:00:26 UTC
bugbot adjusting priority
Comment 4 Andreas Färber 2014-04-04 16:02:14 UTC
VHDX is not available in v1.4, so vhdx patch not applicable to SLE11 SP3.
Comment 10 Swamp Workflow Management 2014-04-10 14:35:10 UTC
The SWAMPID for this issue is 56981.
This issue was rated as important.
Please submit fixed packages until 2014-04-17.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 11 SMASH SMASH 2014-04-10 14:40:12 UTC
Affected packages:

SLE-11-SP3: kvm
Comment 12 Andreas Färber 2014-04-10 15:53:44 UTC
Submitted SR#35871
Comment 16 Tony Yuan 2014-05-05 09:19:07 UTC
I am testing this update for sle11sp3. I can't find the patch for CVE-2014-0148.
Is it missing?
Comment 18 Swamp Workflow Management 2014-05-08 13:53:18 UTC
Update released for: kvm, kvm-debuginfo, kvm-debugsource
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, s390x, x86_64)
Comment 19 Swamp Workflow Management 2014-05-08 17:05:06 UTC
SUSE-SU-2014:0623-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 812983,817593,842006,864802,870439
CVE References: CVE-2013-2016,CVE-2013-4344,CVE-2013-4541,CVE-2014-0142,CVE-2014-0143,CVE-2014-0144,CVE-2014-0145,CVE-2014-0146,CVE-2014-0147
Sources used:
SUSE Linux Enterprise Server 11 SP3 (src):    kvm-1.4.2-0.11.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    kvm-1.4.2-0.11.1