Bug 1177155 - (CVE-2020-25637) VUL-0: CVE-2020-25637: libvirt: double free in qemuAgentGetInterfaces() in qemu_agent.c
(CVE-2020-25637)
VUL-0: CVE-2020-25637: libvirt: double free in qemuAgentGetInterfaces() in qe...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/268548/
CVSSv3.1:SUSE:CVE-2020-25637:7.5:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-09-30 16:59 UTC by Wolfgang Frisch
Modified: 2021-01-27 17:05 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Wolfgang Frisch 2020-09-30 16:59:40 UTC
rh#1881037

A double free vulnerability was found in libvirt while requesting information about the network interfaces of a running domain. The flaw lies in qemuAgentGetInterfaces() in qemu/qemu_agent.c. More specifically, this function interacts with the guest agent and receives JSON data from the agent that contains network interface information. It enumerates the interfaces one by one, using a pointer to a pointers to hold a split interface name (ifname). At some point in every iteration ifname is free'd. If an error occurs right after this, there is a 'goto error', the error handler at this label will free ifname again, leading to a double free. Depending on the ability of the attacker to control and shape the heap state when the second free happens, this flaw may be exploited to achieve code execution.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1881037
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25637
Comment 2 Wolfgang Frisch 2020-09-30 17:19:55 UTC
SUSE:SLE-11-SP1:Update  Not affected [1]
SUSE:SLE-11-SP3:Update  Not affected [1]
SUSE:SLE-11-SP4:Update  Not affected [1]
SUSE:SLE-12-SP2:Update  Affected
SUSE:SLE-12-SP3:Update  Affected
SUSE:SLE-12-SP4:Update  Affected
SUSE:SLE-12-SP5:Update  Affected
SUSE:SLE-15:Update      Affected
SUSE:SLE-15-SP1:Update  Affected
SUSE:SLE-15-SP2:Update  Affected

[1] The feature was introduced in libvirt-1.2.14, commit 0977b8aa071de550e1a013d35e2c72615e65d520
Comment 6 James Fehlig 2020-10-12 19:51:28 UTC
(In reply to Wolfgang Frisch from comment #2)
> SUSE:SLE-12-SP2:Update  Affected

I don't have CI or automated tests for libvirt for products older than SLE12 SP3. Is it possible to skip SLE12 SP2?

> SUSE:SLE-12-SP3:Update  Affected
> SUSE:SLE-12-SP4:Update  Affected
> SUSE:SLE-12-SP5:Update  Affected
> SUSE:SLE-15:Update      Affected
> SUSE:SLE-15-SP1:Update  Affected
> SUSE:SLE-15-SP2:Update  Affected

I've added the patches to all of these products, and in some cases have already sent the submit requests.
Comment 7 Wolfgang Frisch 2020-10-13 07:35:53 UTC
(In reply to James Fehlig from comment #6)
> (In reply to Wolfgang Frisch from comment #2)
> > SUSE:SLE-12-SP2:Update  Affected
> 
> I don't have CI or automated tests for libvirt for products older than SLE12
> SP3. Is it possible to skip SLE12 SP2?
I'm afraid updating SLE-12-SP2 is inevitable, as it appears to be affected by the double free condition. At the very least commit a63b48c5ecef077bf0f909a85f453a605600cf05 should be applied, IMHO.
QA will have to test manually if there are no automated tests available.

> > SUSE:SLE-12-SP3:Update  Affected
> > SUSE:SLE-12-SP4:Update  Affected
> > SUSE:SLE-12-SP5:Update  Affected
> > SUSE:SLE-15:Update      Affected
> > SUSE:SLE-15-SP1:Update  Affected
> > SUSE:SLE-15-SP2:Update  Affected
> 
> I've added the patches to all of these products, and in some cases have
> already sent the submit requests.
Excellent!
Comment 8 James Fehlig 2020-10-13 20:24:31 UTC
Ok, everything has been submitted now. Passing the bug to the security team...
Comment 12 Swamp Workflow Management 2020-10-20 19:18:10 UTC
SUSE-SU-2020:2969-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1171701,1174955,1177155
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    libvirt-4.0.0-9.35.1
SUSE Linux Enterprise Server 15-LTSS (src):    libvirt-4.0.0-9.35.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    libvirt-4.0.0-9.35.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    libvirt-4.0.0-9.35.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2020-10-20 19:19:36 UTC
SUSE-SU-2020:2970-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1173157,1174139,1174955,1175465,1176430,1177155
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    libvirt-6.0.0-13.8.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    libvirt-6.0.0-13.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2020-10-26 20:13:59 UTC
SUSE-SU-2020:3037-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1174955,1175465,1175574,1176430,1177155,1177480
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    libvirt-5.1.0-8.24.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    libvirt-5.1.0-8.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2020-10-27 11:15:59 UTC
SUSE-SU-2020:3038-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1171701,1174955,1177155
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    libvirt-4.0.0-8.23.1
SUSE OpenStack Cloud 9 (src):    libvirt-4.0.0-8.23.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    libvirt-4.0.0-8.23.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    libvirt-4.0.0-8.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2020-10-27 11:17:15 UTC
SUSE-SU-2020:3039-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1174955,1175574,1176430,1177155,1177480
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libvirt-5.1.0-13.19.1
SUSE Linux Enterprise Server 12-SP5 (src):    libvirt-5.1.0-13.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2020-10-29 20:16:32 UTC
SUSE-SU-2020:3095-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174955,1177155
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    libvirt-3.3.0-5.46.1
SUSE OpenStack Cloud 8 (src):    libvirt-3.3.0-5.46.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    libvirt-3.3.0-5.46.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    libvirt-3.3.0-5.46.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    libvirt-3.3.0-5.46.1
SUSE Enterprise Storage 5 (src):    libvirt-3.3.0-5.46.1
HPE Helion Openstack 8 (src):    libvirt-3.3.0-5.46.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2020-10-30 23:15:17 UTC
openSUSE-SU-2020:1778-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1174955,1175465,1175574,1176430,1177155,1177480
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    libvirt-5.1.0-lp151.7.10.1
Comment 19 Swamp Workflow Management 2020-10-30 23:16:51 UTC
openSUSE-SU-2020:1777-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1173157,1174139,1174955,1175465,1176430,1177155
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    libvirt-6.0.0-lp152.9.6.2
Comment 20 Swamp Workflow Management 2020-11-03 20:15:00 UTC
SUSE-SU-2020:3143-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1174955,1177155
CVE References: CVE-2020-15708,CVE-2020-25637
JIRA References: 
Sources used:
SUSE OpenStack Cloud 7 (src):    libvirt-2.0.0-27.64.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    libvirt-2.0.0-27.64.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    libvirt-2.0.0-27.64.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    libvirt-2.0.0-27.64.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Alexandros Toptsoglou 2021-01-27 17:05:53 UTC
DONE