Bug 1130675 (CVE-2018-20815) - VUL-0: CVE-2018-20815: qemu: device_tree: heap buffer overflow while loading device tree blob
Summary: VUL-0: CVE-2018-20815: qemu: device_tree: heap buffer overflow while loading ...
Status: RESOLVED FIXED
Alias: CVE-2018-20815
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/227189/
Whiteboard: CVSSv3:SUSE:CVE-2018-20815:7.0:(AV:L/...
Keywords:
Depends on:
Blocks:
 
Reported: 2019-03-27 12:21 UTC by Dan Čermák
Modified: 2022-09-16 12:31 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Dan Čermák 2019-03-27 12:21:53 UTC
I am forwarding a bug that was received via the oss-security mailing list (see https://seclists.org/oss-sec/2019/q1/194):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A heap buffer overflow issue was found in the load_device_tree() function of 
QEMU, which is invoked to load device tree blob at boot time. It occurs due to 
device tree size manipulation before buffer allocation, which could overflow a 
signed int type.

A user/process could use this flaw to potentially execute arbitrary code on a 
host system with privileges of the QEMU process.

Upstream patch:
---------------
   -> https://git.qemu.org/?p=qemu.git;a=commitdiff;h=da885fe1ee8b4589047484bd7fa05a4905b52b17

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Unless this patch was already cherry picked (it is not part of the 3.1 release of QEMU), it is not present in any QEMU release that we ship.
Comment 1 Marcus Meissner 2019-03-27 16:04:05 UTC
seems to affect all qemu / kvm versions down to SLE11.
Comment 6 Swamp Workflow Management 2019-05-14 22:41:37 UTC
SUSE-SU-2019:1238-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1111331,1125721,1126455,1129622,1129962,1130675
CVE References: CVE-2018-12126,CVE-2018-12127,CVE-2018-12130,CVE-2018-20815,CVE-2019-11091,CVE-2019-3812,CVE-2019-8934,CVE-2019-9824
Sources used:
SUSE Linux Enterprise Server 12-SP4 (src):    qemu-2.11.2-5.13.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    qemu-2.11.2-5.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2019-05-15 07:09:28 UTC
SUSE-SU-2019:1239-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1111331,1125721,1126455,1129622,1130675
CVE References: CVE-2018-12126,CVE-2018-12127,CVE-2018-12130,CVE-2018-20815,CVE-2019-11091,CVE-2019-3812,CVE-2019-8934,CVE-2019-9824
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    qemu-2.11.2-9.25.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    qemu-2.11.2-9.25.1, qemu-linux-user-2.11.2-9.25.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    qemu-2.11.2-9.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2019-05-16 13:35:41 UTC
SUSE-SU-2019:1268-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1111331,1129622,1130675
CVE References: CVE-2018-12126,CVE-2018-12127,CVE-2018-12130,CVE-2018-20815,CVE-2019-11091,CVE-2019-9824
Sources used:
SUSE OpenStack Cloud 7 (src):    qemu-2.6.2-41.52.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    qemu-2.6.2-41.52.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    qemu-2.6.2-41.52.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    qemu-2.6.2-41.52.1
SUSE Enterprise Storage 4 (src):    qemu-2.6.2-41.52.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2019-05-16 16:12:48 UTC
SUSE-SU-2019:1269-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1111331,1129622,1130675
CVE References: CVE-2018-12126,CVE-2018-12127,CVE-2018-12130,CVE-2018-20815,CVE-2019-11091,CVE-2019-9824
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    qemu-2.3.1-33.23.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    qemu-2.3.1-33.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2019-05-16 19:09:47 UTC
SUSE-SU-2019:1272-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1111331,1129622,1130675
CVE References: CVE-2018-12126,CVE-2018-12127,CVE-2018-12130,CVE-2018-20815,CVE-2019-11091,CVE-2019-9824
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    qemu-2.0.2-48.52.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2019-05-17 10:11:03 UTC
openSUSE-SU-2019:1405-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1111331,1125721,1126455,1129622,1130675
CVE References: CVE-2018-12126,CVE-2018-12127,CVE-2018-12130,CVE-2018-20815,CVE-2019-11091,CVE-2019-3812,CVE-2019-8934,CVE-2019-9824
Sources used:
openSUSE Leap 15.0 (src):    qemu-2.11.2-lp150.7.22.1
Comment 12 Swamp Workflow Management 2019-05-17 16:13:25 UTC
SUSE-SU-2019:14052-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1111331,1129622,1130675
CVE References: CVE-2018-12126,CVE-2018-12127,CVE-2018-12130,CVE-2018-20815,CVE-2019-11091,CVE-2019-9824
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    kvm-1.4.2-60.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2019-05-21 06:16:56 UTC
openSUSE-SU-2019:1274-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1118900,1125721,1126455,1129622,1130675,1131955
CVE References: CVE-2018-20815,CVE-2019-3812,CVE-2019-8934,CVE-2019-9824
Sources used:
openSUSE Leap 42.3 (src):    qemu-2.9.1-59.1, qemu-linux-user-2.9.1-59.1, qemu-testsuite-2.9.1-59.2
Comment 14 Swamp Workflow Management 2019-05-21 10:14:04 UTC
SUSE-SU-2019:14053-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1111331,1129622,1130675
CVE References: CVE-2018-12126,CVE-2018-12127,CVE-2018-12130,CVE-2018-20815,CVE-2019-11091,CVE-2019-9824
Sources used:
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    kvm-1.4.2-53.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Bruce Rogers 2021-04-06 23:55:44 UTC
Fixes are submitted via maintenance submission everywhere we need to. Returning back to security team.
Comment 18 Carlos López 2022-09-16 12:31:37 UTC
Released, closing.