Bug 1098744 - VUL-0: CVE-2018-12617: xen: qemu-guest-agent: Integer overflow causes segmentation fault in qmp_guest_file_read() with g_malloc()
Status: RESOLVED FIXED
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium / Normal
Target Milestone: ---
Assignee: Charles Arnold
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/208618/
Whiteboard: CVSSv3:SUSE:CVE-2018-12617:6.2:(AV:L/...
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-22 07:33 UTC by Marcus Meissner
Modified: 2020-06-10 16:02 UTC
CC List: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2018-06-22 07:33:19 UTC
+++ This bug was initially created as a clone of Bug #1098735 +++

rh#1594054

qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga
(aka QEMU Guest Agent) in QEMU 2.12.50 has an integer overflow causing a
g_malloc0() call to trigger a segmentation fault when trying to allocate a large
memory chunk. The vulnerability can be exploited by sending a crafted QMP
command (including guest-file-read with a large count value) to the agent via
the listening socket.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1594054
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12617
http://www.cvedetails.com/cve/CVE-2018-12617/
https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg03385.html
https://gist.github.com/fakhrizulkifli/c7740d28efa07dafee66d4da5d857ef6
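The description above names the defect class: a caller-controlled `count` is handed straight to an allocator as `count + 1`, so a negative or near-INT64_MAX value turns into a size the allocator cannot serve and the agent dies. The following is an added example, not QEMU's code: it models the pre-fix size computation next to a bounds check of the kind that closes this bug, and runs a simulated `guest-file-read` over an in-memory buffer. The limit `READ_COUNT_MAX`, the function names and the sample file content are assumptions constructed for this model.

```c
/*
 * Model of guest-file-read count handling (added example, not QEMU code).
 * The limit, names and sample data are constructed for illustration.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Assumed upper bound for a single read request; QEMU upstream chose its
 * own constant, this value is only a plausible limit for the model. */
#define READ_COUNT_MAX ((int64_t)48 * 1024 * 1024)

/* Size the pre-fix pattern hands to the allocator: count + 1 bytes (room
 * for a trailing NUL). Done in uint64_t so the wrap-around is well defined
 * in this model. A negative count wraps to a tiny size, INT64_MAX becomes
 * 2^63 bytes; neither can be honoured by g_malloc0(), hence the crash. */
uint64_t naive_alloc_size(int64_t count)
{
    return (uint64_t)count + 1u;
}

/* Hardened check: reject negative counts and counts above the limit
 * before any allocation happens. Returns 0 when count is acceptable. */
int validate_read_count(int64_t count)
{
    if (count < 0 || count > READ_COUNT_MAX) {
        return -1;
    }
    return 0;
}

/*
 * Simulated handler over an in-memory "file". On success returns the
 * number of bytes copied into *out (caller frees) and clears *err; on a
 * rejected count returns -1, leaves *out NULL and points *err at a message.
 */
int64_t guest_file_read_checked(const uint8_t *file, size_t file_len,
                                int64_t count, uint8_t **out,
                                const char **err)
{
    *out = NULL;
    *err = NULL;
    if (validate_read_count(count) != 0) {
        *err = "count out of range";
        return -1;
    }
    /* count is now non-negative and bounded, so it fits in size_t. */
    size_t want = (size_t)count;
    size_t n = want < file_len ? want : file_len;
    uint8_t *buf = calloc(n + 1, 1);   /* +1 keeps the NUL slot of the original */
    if (buf == NULL) {
        *err = "allocation failed";
        return -1;
    }
    memcpy(buf, file, n);
    *out = buf;
    return (int64_t)n;
}

/* Convenience wrapper: read `count` bytes of `text`, return the byte count
 * the handler reported (or -1), and free the buffer. */
int64_t read_demo(const char *text, int64_t count)
{
    uint8_t *out;
    const char *err;
    int64_t n = guest_file_read_checked((const uint8_t *)text, strlen(text),
                                        count, &out, &err);
    free(out);
    return n;
}

int main(void)
{
    /* Constructed sample file content. */
    const char *file = "hello, guest agent";

    printf("naive size for INT64_MAX: %llu\n",
           (unsigned long long)naive_alloc_size(INT64_MAX));
    printf("naive size for -1: %llu\n",
           (unsigned long long)naive_alloc_size(-1));
    printf("count 5 -> %lld bytes\n", (long long)read_demo(file, 5));
    printf("count INT64_MAX -> %lld (rejected)\n",
           (long long)read_demo(file, INT64_MAX));
    return 0;
}
```

The check is deliberately placed before the allocation, and it rejects negative values as well as large ones: a signed `count` converted to an unsigned size is the same bug from the other side, and a range check on the signed value catches both.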
Comment 1 Charles Arnold 2018-06-22 21:45:26 UTC
The code is only relevant in Xen's upstream qemu for SLE11-SP3/SP4 and SLE12/SLE12-SP1.
Comment 5 Swamp Workflow Management 2018-07-23 13:10:13 UTC
SUSE-SU-2018:2037-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1027519,1079730,1095242,1096224,1097521,1097522,1098744
CVE References: CVE-2018-11806,CVE-2018-12617,CVE-2018-12891,CVE-2018-12893,CVE-2018-3665
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_34-61.32.1
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_34-61.32.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_34-61.32.1
Comment 6 Swamp Workflow Management 2018-07-25 13:13:01 UTC
SUSE-SU-2018:2056-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1027519,1079730,1095242,1096224,1097521,1097522,1098744
CVE References: CVE-2018-11806,CVE-2018-12617,CVE-2018-12891,CVE-2018-12893,CVE-2018-3665
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    xen-4.4.4_34-22.71.2
Comment 7 Swamp Workflow Management 2018-07-26 19:12:31 UTC
SUSE-SU-2018:2069-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1027519,1079730,1095242,1096224,1097521,1097522,1098744
CVE References: CVE-2018-11806,CVE-2018-12617,CVE-2018-12891,CVE-2018-12893,CVE-2018-3665
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    xen-4.5.5_24-22.52.3
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    xen-4.5.5_24-22.52.3
Comment 10 Marcus Meissner 2018-08-27 11:49:40 UTC
released
Comment 11 Swamp Workflow Management 2018-08-27 13:11:03 UTC
SUSE-SU-2018:2528-1: An update that solves 12 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1074562,1079730,1090822,1090823,1091107,1092631,1095242,1096224,1097206,1097521,1097522,1098744
CVE References: CVE-2017-5715,CVE-2017-5753,CVE-2017-5754,CVE-2018-10981,CVE-2018-10982,CVE-2018-11806,CVE-2018-12617,CVE-2018-12891,CVE-2018-12893,CVE-2018-3639,CVE-2018-3646,CVE-2018-3665
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_21-45.25.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_21-45.25.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_21-45.25.1