Bug 897783 (CVE-2014-3633)

Summary: VUL-1: CVE-2014-3633: libvirt: qemu: out-of-bounds read access in qemuDomainGetBlockIoTune() due to invalid index
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P5 - None CC: jdouglas, jfehlig, jsegitz, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/106304/
Whiteboard: maint:released:sle11-sp3:60370
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2014-09-22 15:18:14 UTC
via rh bugzilla and libvirt


It was found that when a disk is attached to a disk "live" (thus not
written into the persistent configuration) and then the statistics for
the disks are requested from the persistent configuration, index to
the array is determined from the live configuration but used in the
persistent.

A remote attacker able to establish a read-only connection to libvirtd
could use this flaw to crash libvirtd or, potentially, leak memory from
the libvirtd process.

Acknowledgements:

This issue was discovered by Luyao Huang of Red Hat.

http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=3e745e8f775dfe6f64f18b5c2fe4791b35d3546b;hp=281f70013e9d6fff7f2d4b55f5133a837f023190


https://bugzilla.redhat.com/show_bug.cgi?id=1141131
Comment 1 James Fehlig 2014-09-22 21:57:34 UTC
I've already fixed this in SLE12 RC4/GMC (SR#44409), SLE11 SP3, Factory (SR#251486), 13.1, and even 12.3!
Comment 3 Bernhard Wiedemann 2014-09-22 22:00:35 UTC
This is an autogenerated message for OBS integration:
This bug (897783) was mentioned in
https://build.opensuse.org/request/show/251486 Factory / libvirt
Comment 4 Marcus Meissner 2014-09-23 05:38:47 UTC
thanks jim, than we can just close this again. :)
Comment 5 James Fehlig 2014-09-23 17:12:19 UTC
What about SLES11 SP3?  Should I just queue the fix for a future virt tools update?

WRT openSUSE12.3 and 13.1, IMO it is fine to wait until the embargo lifts on the newest issue (CVE-2014-3657), and submit updates that include fixes for both CVEs.
Comment 6 Marcus Meissner 2014-09-24 09:08:18 UTC
You wrote "I already fixed this for SLES 11 SP3..." ? what did that mean?

We have not published updates, or did we?
Comment 7 SMASH SMASH 2014-09-24 09:30:10 UTC
Affected packages:

SLE-11-SP3: libvirt
SLE-11-SP3-PRODUCTS: libvirt
SLE-11-SP3-UPTU: libvirt
SLE-12: libvirt
Comment 8 James Fehlig 2014-09-24 15:48:09 UTC
Sorry for the confusion.  By fixed, I meant the fix has been applied to the libvirt package in the various devel projects, e.g. IBS Devel:Virt:{SLE-12,SLE-11-SP3}, OBS Virtualization:openSUSE13.1, etc.  But only the SLE12 and Factory packages have been submitted.
Comment 9 James Fehlig 2014-09-24 15:51:54 UTC
> We have not published updates, or did we?

No, updates have not been published.  And as I wrote in #5, we should wait for CVE-2014-3657 embargo to lift before doing so.
Comment 10 James Fehlig 2014-10-02 16:38:10 UTC
Ok, CVE-2014-3657 is now public.  I've added a fix for it, and this CVE, to all affected libvirt packages.

For openSUSE12.3, started maintenancereq #253679
For openSUSE13.1, started maintenancereq #253680
For SLE11 SP3, have the fix queued for a future maintenance update
Fix is already included in SLE12 GA
Factory is not affected since the fix is included in libvirt 1.2.9

AFAIK, I'm done here.  Passing bug to security...
Comment 13 Swamp Workflow Management 2015-02-23 23:07:23 UTC
SUSE-SU-2015:0357-1: An update that solves 6 vulnerabilities and has 9 fixes is now available.

Category: security (moderate)
Bug References: 843074,852397,878350,879665,897654,897783,899144,899484,900084,904176,905097,907805,908381,910145,911742
CVE References: CVE-2014-3633,CVE-2014-3640,CVE-2014-3657,CVE-2014-7823,CVE-2014-7840,CVE-2014-8106
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    libvirt-1.0.5.9-0.19.3, libvirt-1.0.5.9-0.19.6
SUSE Linux Enterprise Server 11 SP3 (src):    kvm-1.4.2-0.21.4, kvm-1.4.2-0.21.5, libvirt-1.0.5.9-0.19.3, libvirt-1.0.5.9-0.19.5, libvirt-1.0.5.9-0.19.6
SUSE Linux Enterprise Desktop 11 SP3 (src):    kvm-1.4.2-0.21.4, libvirt-1.0.5.9-0.19.3
Comment 14 Johannes Segitz 2015-03-25 15:58:58 UTC
openSUSE update didn't show up here for some reason, but they were release. SLES is also fixed