Bug 874749 (CVE-2014-2894)

Summary: VUL-0: CVE-2014-2894: qemu: out of bounds buffer accesses, guest triggerable via IDE SMART
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Andreas Färber <afaerber>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: abergmann, brogers, meissner, smash_bz, vpereira
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/98066/
Whiteboard: maint:released:sle11-sp3:57584
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2014-04-23 09:12:07 UTC
Via rh#1087971:

An out of bounds memory access flaw was found in Qemu's IDE device model.
It leads to Qemu's memory corruption via buffer overwrite (4 bytes). It occurs
while executing IDE SMART commands.

A privileged guest user could use this flaw to corrupt qemu process' memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the qemu process.

Upstream fix:
https://lists.nongnu.org/archive/html/qemu-devel/2014-04/msg02016.html

Upstream commit:
http://git.qemu.org/?p=qemu.git;a=commit;h=940973ae0b45c9b6817bab8e4cf4df99a9ef83d7

CVE-2014-2894 was assigned to this issue.


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1087971
Comment 1 Alexander Bergmann 2014-04-23 09:34:44 UTC
Affected code streams:

SLE-11-SP3/kvm

openSUSE:12.3/qemu
openSUSE:12.3/kvm

openSUSE:13.1/qemu
Comment 2 Swamp Workflow Management 2014-04-23 22:00:35 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2014-04-24 12:12:16 UTC
Bruce, you submitted this fix to SP3 / kvm, but without a bugzilla number.

Please resubmit with the bugzilla number.
Comment 4 Andreas Färber 2014-04-24 12:15:39 UTC
I'll take care of it.

At the time there was no Bugzilla entry for the CVE yet, and I wanted to include it in the pending maintenance update.
Comment 5 Andreas Färber 2014-04-24 14:32:56 UTC
SP3 kvm: https://build.suse.de/request/show/36722
Comment 6 Swamp Workflow Management 2014-05-09 09:57:57 UTC
The SWAMPID for this issue is 57292.
This issue was rated as moderate.
Please submit fixed packages by 2014-05-23.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 7 Swamp Workflow Management 2014-06-18 13:48:28 UTC
Update released for: kvm, kvm-debuginfo, kvm-debugsource
Products:
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, s390x, x86_64)
Comment 8 Swamp Workflow Management 2014-06-18 17:07:45 UTC
SUSE-SU-2014:0816-1: An update that solves two vulnerabilities and has 20 fixes is now available.

Category: security (moderate)
Bug References: 864391,864649,864650,864653,864655,864665,864671,864673,864678,864682,864769,864796,864801,864802,864804,864805,864811,864812,864814,873235,874749,874788
CVE References: CVE-2014-0150,CVE-2014-2894
Sources used:
SUSE Linux Enterprise Server 11 SP3 (src):    kvm-1.4.2-0.15.2
SUSE Linux Enterprise Desktop 11 SP3 (src):    kvm-1.4.2-0.15.2