Bugzilla – Bug 1227322
VUL-0: CVE-2024-4467: qemu: 'qemu-img info' leads to host file read/write
Last modified: 2024-07-08 14:08:47 UTC
A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-4467
https://www.cve.org/CVERecord?id=CVE-2024-4467
https://access.redhat.com/security/cve/CVE-2024-4467
https://bugzilla.redhat.com/show_bug.cgi?id=2278875
https://access.redhat.com/errata/RHSA-2024:4276
https://access.redhat.com/errata/RHSA-2024:4277
https://access.redhat.com/errata/RHSA-2024:4278
(In reply to SMASH SMASH from comment #0)
> A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A
> specially crafted image file containing a `json:{}` value describing block
> devices in QMP could cause the qemu-img process on the host to consume large
> amounts of memory or CPU time, leading to denial of service or read/write to
> an existing external file.
>
> References:
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-4467
> https://www.cve.org/CVERecord?id=CVE-2024-4467
> https://access.redhat.com/security/cve/CVE-2024-4467
> https://bugzilla.redhat.com/show_bug.cgi?id=2278875
> https://access.redhat.com/errata/RHSA-2024:4276
> https://access.redhat.com/errata/RHSA-2024:4277
> https://access.redhat.com/errata/RHSA-2024:4278

The fix (https://lore.kernel.org/qemu-devel/20240702163943.276618-1-kwolf@redhat.com/) has been queued for QEMU stable releases, so:
- Factory will be fixed when 9.0.2 is released (and packaged)
- SLE-15-SP6 will get it when 8.2.6 is released (and packaged)
- for older code-streams, I can backport them manually... have you, by any chance, checked which ones are affected already?