Bug 1172380 - (CVE-2020-10756) VUL-0: CVE-2020-10756: libslirp, slirp4netns, qemu: out-of-bounds read information disclosure in icmp6_send_echoreply()
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium; Severity: Normal
Assigned To: E-mail List
Security Team bot
https://smash.suse.de/issue/260309/
CVSSv3.1:SUSE:CVE-2020-10756:6.5:(AV:...
Reported: 2020-06-02 09:14 UTC by Wolfgang Frisch
Modified: 2021-07-14 01:17 UTC
Found By: Security Response Team
Description Wolfgang Frisch 2020-06-02 09:14:20 UTC
CVE-2020-10756

An out-of-bounds read vulnerability in function icmp6_send_echoreply() in ip6_icmp.c of libslirp could allow a guest user/process to leak contents of the host memory, leading to possible information disclosure.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1835986
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10756
https://access.redhat.com/security/cve/CVE-2020-10756
Comment 2 Ralf Haferkamp 2020-06-09 16:02:46 UTC
I guess this is supposed to address the issue:

https://gitlab.freedesktop.org/slirp/libslirp/-/merge_requests/42
Comment 3 Ralf Haferkamp 2020-07-08 07:12:30 UTC
(In reply to Ralf Haferkamp from comment #2)
> I guess this is supposed to address the issue:
> 
> https://gitlab.freedesktop.org/slirp/libslirp/-/merge_requests/42

As there was some pushback on the above patch, I submitted an alternative one:

https://gitlab.freedesktop.org/slirp/libslirp/-/merge_requests/44

This one just got merged. I'll submit fixed libslirp/slirp4netns packages asap.
Comment 4 Bruce Rogers 2020-07-08 20:11:38 UTC
This is now upstream as commit c7ede54cbd2e2b25385325600958ba0124e31cc0

I'll backport this patch to qemu versions which do not yet use libslirp.
Comment 5 Ralf Haferkamp 2020-07-09 12:41:55 UTC
Here is the security advisory for slirp4netns:
https://github.com/rootless-containers/slirp4netns/security/advisories/GHSA-96c5-v27g-58vf

TLDR: It wasn't really possible to enable IPv6 in slirp4netns because of a bug, which has now been fixed. So most likely no real-life setup was affected by this. (I am going to submit packages with both issues fixed.)
Comment 7 Swamp Workflow Management 2020-07-15 13:18:56 UTC
SUSE-SU-2020:1915-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1172380
CVE References: CVE-2020-10756
Sources used:
SUSE Linux Enterprise Module for Containers 15-SP2 (src):    slirp4netns-0.4.7-3.12.1
SUSE Linux Enterprise Module for Containers 15-SP1 (src):    slirp4netns-0.4.7-3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2020-07-18 16:17:38 UTC
openSUSE-SU-2020:0987-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1172380
CVE References: CVE-2020-10756
Sources used:
openSUSE Leap 15.1 (src):    slirp4netns-0.4.7-lp151.2.12.1
Comment 9 Swamp Workflow Management 2020-07-18 22:18:18 UTC
openSUSE-SU-2020:0994-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1172380
CVE References: CVE-2020-10756
Sources used:
openSUSE Leap 15.2 (src):    slirp4netns-0.4.7-lp152.2.3.1
Comment 11 Bruce Rogers 2021-04-02 18:13:15 UTC
Thanks for pointing out that we've missed this. We'll get this submitted with the next round of updates.
Comment 16 Swamp Workflow Management 2021-06-02 16:17:28 UTC
SUSE-SU-2021:1829-1: An update that solves 11 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1031692,1094725,1126455,1149813,1163019,1172380,1172382,1175534,1178935,1179477,1181933,1182846,1182975
CVE References: CVE-2019-15890,CVE-2019-8934,CVE-2020-10756,CVE-2020-13754,CVE-2020-14364,CVE-2020-25723,CVE-2020-29130,CVE-2020-8608,CVE-2021-20221,CVE-2021-20257,CVE-2021-3419
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    qemu-2.6.2-41.65.1

Comment 17 Swamp Workflow Management 2021-06-02 19:22:53 UTC
SUSE-SU-2021:1837-1: An update that solves 11 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1149813,1163019,1172380,1175534,1176681,1178683,1178935,1179477,1179484,1179725,1182846,1182975,1186290
CVE References: CVE-2019-15890,CVE-2020-10756,CVE-2020-14364,CVE-2020-25085,CVE-2020-25707,CVE-2020-25723,CVE-2020-29129,CVE-2020-29130,CVE-2020-8608,CVE-2021-20257,CVE-2021-3419
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    qemu-3.1.1.1-51.1

Comment 18 Swamp Workflow Management 2021-06-08 16:36:51 UTC
SUSE-SU-2021:1893-1: An update that solves 11 vulnerabilities, contains one feature and has two fixes is now available.

Category: security (important)
Bug References: 1149813,1163019,1172380,1175534,1176681,1178683,1178935,1179477,1179484,1182846,1182975,1183979,1186290
CVE References: CVE-2019-15890,CVE-2020-10756,CVE-2020-14364,CVE-2020-25085,CVE-2020-25707,CVE-2020-25723,CVE-2020-29129,CVE-2020-29130,CVE-2020-8608,CVE-2021-20257,CVE-2021-3419
JIRA References: SLE-17785
Sources used:
SUSE MicroOS 5.0 (src):    qemu-4.2.1-11.19.2
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    qemu-4.2.1-11.19.2
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    qemu-4.2.1-11.19.2

Comment 19 Swamp Workflow Management 2021-06-08 16:53:30 UTC
SUSE-SU-2021:1894-1: An update that solves 11 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1094725,1149813,1163019,1172380,1172382,1175534,1178683,1178935,1179477,1181933,1182846,1182975
CVE References: CVE-2019-15890,CVE-2020-10756,CVE-2020-13754,CVE-2020-14364,CVE-2020-25707,CVE-2020-25723,CVE-2020-29130,CVE-2020-8608,CVE-2021-20221,CVE-2021-20257,CVE-2021-3419
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    qemu-2.9.1-6.50.1
SUSE OpenStack Cloud 8 (src):    qemu-2.9.1-6.50.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    qemu-2.9.1-6.50.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    qemu-2.9.1-6.50.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    qemu-2.9.1-6.50.1
HPE Helion Openstack 8 (src):    qemu-2.9.1-6.50.1

Comment 20 Swamp Workflow Management 2021-06-08 17:15:08 UTC
SUSE-SU-2021:1895-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1149813,1163019,1172380,1172382,1175534,1178683,1178935,1179477,1179484,1182846,1182975
CVE References: CVE-2019-15890,CVE-2020-10756,CVE-2020-13754,CVE-2020-14364,CVE-2020-25707,CVE-2020-25723,CVE-2020-29129,CVE-2020-29130,CVE-2020-8608,CVE-2021-20257,CVE-2021-3419
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    qemu-2.11.2-9.46.1
SUSE Linux Enterprise Server 15-LTSS (src):    qemu-2.11.2-9.46.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    qemu-2.11.2-9.46.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    qemu-2.11.2-9.46.1

Comment 21 Swamp Workflow Management 2021-06-09 16:27:52 UTC
SUSE-SU-2021:1918-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 1149813,1163019,1172380,1175534,1178683,1178935,1179477,1179484,1182846,1182975
CVE References: CVE-2019-15890,CVE-2020-10756,CVE-2020-14364,CVE-2020-25707,CVE-2020-25723,CVE-2020-29129,CVE-2020-29130,CVE-2020-8608,CVE-2021-20257,CVE-2021-3419
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    qemu-3.1.1.1-9.27.2
SUSE Manager Retail Branch Server 4.0 (src):    qemu-3.1.1.1-9.27.2
SUSE Manager Proxy 4.0 (src):    qemu-3.1.1.1-9.27.2
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    qemu-3.1.1.1-9.27.2
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    qemu-3.1.1.1-9.27.2
SUSE Linux Enterprise Server 15-SP1-BCL (src):    qemu-3.1.1.1-9.27.2
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    qemu-3.1.1.1-9.27.2
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    qemu-3.1.1.1-9.27.2
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    qemu-3.1.1.1-9.27.2
SUSE Enterprise Storage 6 (src):    qemu-3.1.1.1-9.27.2
SUSE CaaS Platform 4.0 (src):    qemu-3.1.1.1-9.27.2

Comment 22 Swamp Workflow Management 2021-06-10 13:47:15 UTC
SUSE-SU-2021:1947-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1149813,1163019,1172380,1172382,1175534,1178683,1178935,1179477,1179484,1182846,1182975
CVE References: CVE-2019-15890,CVE-2020-10756,CVE-2020-13754,CVE-2020-14364,CVE-2020-25707,CVE-2020-25723,CVE-2020-29129,CVE-2020-29130,CVE-2020-8608,CVE-2021-20257,CVE-2021-3419
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    qemu-2.11.2-5.32.1
SUSE OpenStack Cloud 9 (src):    qemu-2.11.2-5.32.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    qemu-2.11.2-5.32.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    qemu-2.11.2-5.32.1

Comment 23 Swamp Workflow Management 2021-07-14 01:17:57 UTC
openSUSE-SU-2021:1043-1: An update that solves 14 vulnerabilities, contains one feature and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1149813,1163019,1172380,1175534,1176681,1178683,1178935,1179477,1179484,1182846,1182975,1183979,1184574,1185591,1185981,1185990,1186010,1186290,1187013
CVE References: CVE-2019-15890,CVE-2020-10756,CVE-2020-14364,CVE-2020-25085,CVE-2020-25707,CVE-2020-25723,CVE-2020-29129,CVE-2020-29130,CVE-2020-8608,CVE-2021-20257,CVE-2021-3419,CVE-2021-3544,CVE-2021-3545,CVE-2021-3546
JIRA References: SLE-17785
Sources used:
openSUSE Leap 15.2 (src):    qemu-4.2.1-lp152.9.16.2, qemu-linux-user-4.2.1-lp152.9.16.1, qemu-testsuite-4.2.1-lp152.9.16.7