Bug 1203788 – VUL-0: CVE-2022-3165: qemu,kvm: integer underflow in vnc_client_cut_text_ext() leads to CPU exhaustion

Bug 1203788 - (CVE-2022-3165) VUL-0: CVE-2022-3165: qemu,kvm: integer underflow in vnc_client_cut_text_ext() leads to CPU exhaustion

(CVE-2022-3165)
Summary:	VUL-0: CVE-2022-3165: qemu,kvm: integer underflow in vnc_client_cut_text_ext(...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/343578/
Whiteboard:	CVSSv3.1:SUSE:CVE-2022-3165:6.5:(AV:N...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2022-09-27 11:12 UTC by Carlos López
Modified:	2023-03-08 12:32 UTC (History)
CC List:	5 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Carlos López 2022-09-27 11:12:54 UTC

rh#2129739

An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the extended format [1]. A malicious client could use this flaw to make QEMU unresponsive by sending a specially crafted payload message, resulting in a denial of service condition.

[1] https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#extended-clipboard-pseudo-encoding

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2129739
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3165

Comment 1 Carlos López 2022-09-27 11:16:47 UTC

Clipboard support was added in 0bf41cab93e5c72dcda7 ("ui/vnc: clipboard support"), which is only present in SUSE:SLE-15-SP4:Update and Factory, so only those are affected.

Proposed patch (not merged yet):
https://lists.nongnu.org/archive/html/qemu-devel/2022-09/msg03948.html

Comment 3 Carlos López 2022-10-19 12:51:46 UTC

Merged:
https://gitlab.com/qemu-project/qemu/-/commit/d307040b18bfcb1393b910f1bae753d5c12a4dc7

Comment 4 Thomas Leroy 2022-12-27 13:30:57 UTC

Any update please? :)

Comment 8 OBSbugzilla Bot 2023-02-10 19:45:05 UTC

This is an autogenerated message for OBS integration:
This bug (1203788) was mentioned in
https://build.opensuse.org/request/show/1064332 Factory / qemu

Comment 11 Dario Faggioli 2023-03-07 09:22:21 UTC

I think this is done, isn't it? Reassigning

Comment 13 Maintenance Automation 2023-03-08 12:30:01 UTC

SUSE-SU-2023:0671-1: An update that solves three vulnerabilities and has two fixes can now be installed.

Category: security (important)
Bug References: 1197653, 1202364, 1203788, 1205808, 1206527
CVE References: CVE-2022-1050, CVE-2022-3165, CVE-2022-4144
Sources used:
openSUSE Leap Micro 5.3 (src): qemu-6.2.0-150400.37.11.1
openSUSE Leap 15.4 (src): qemu-6.2.0-150400.37.11.1, qemu-linux-user-6.2.0-150400.37.11.1, qemu-testsuite-6.2.0-150400.37.11.2
SUSE Linux Enterprise Micro for Rancher 5.3 (src): qemu-6.2.0-150400.37.11.1
SUSE Linux Enterprise Micro 5.3 (src): qemu-6.2.0-150400.37.11.1
Basesystem Module 15-SP4 (src): qemu-6.2.0-150400.37.11.1
Server Applications Module 15-SP4 (src): qemu-6.2.0-150400.37.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 14 Carlos López 2023-03-08 12:32:03 UTC

Done, closing.