Bugzilla – Bug 870439
VUL-0: qemu: various security issues in block layer
Last modified: 2014-07-16 08:33:09 UTC
via oss-sec

From: Stefan Hajnoczi <stefanha@redhat.com>
Subject: [oss-security] QEMU image format input validation fixes (multiple CVEs)
Date: Wed, 26 Mar 2014 13:37:17 +0100

Hi,
Several missing input validation bugs in QEMU's disk image format code have been fixed. CVEs are as follows:

parallels: Sanity check for s->tracks (CVE-2014-0142)
parallels: Fix catalog size integer overflow (CVE-2014-0143)
qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143)
qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145)
qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)
block: Limit request size (CVE-2014-0143)
dmg: prevent chunk buffer overflow (CVE-2014-0145)
dmg: sanitize chunk length and sectorcount (CVE-2014-0145)
qcow2: Fix new L1 table size check (CVE-2014-0143)
qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143)
qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147)
qcow2: Validate active L1 table offset and size (CVE-2014-0144)
qcow2: Validate snapshot table offset/size (CVE-2014-0144)
qcow2: Check refcount table size (CVE-2014-0144)
qcow2: Check backing_file_offset (CVE-2014-0144)
qcow2: Check header_length (CVE-2014-0144)
curl: check data size before memcpy to local buffer. (CVE-2014-0144)
vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148)
vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144)
vpc: Validate block size (CVE-2014-0142)
vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144)
bochs: Check extent_size header field (CVE-2014-0142)
bochs: Check catalog_size header field (CVE-2014-0143)
bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147)
block/cloop: refuse images with bogus offsets (CVE-2014-0144)
block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)
block/cloop: prevent offsets_size integer overflow (CVE-2014-0143)
block/cloop: validate block_size header field (CVE-2014-0144)

Patches are available here: https://lists.gnu.org/archive/html/qemu-devel/2014-03/msg04994.html

Patches will be in the upcoming QEMU 2.0 release and a QEMU 1.7.2 stable release is also planned.

You are welcome to join #qemu on irc.oftc.net or the qemu-devel@nongnu.org mailing list if you need more information.

Stefan
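To illustrate the class of header-field checks the list above describes (the cloop "block_size" validation and "offsets_size integer overflow" entries in particular), here is an added example that is not QEMU's code: a cloop-style header with block_size and n_blocks fields, the wrapping 32-bit offsets-array size computation shown beside a checked version. The field layout, limits and error codes are assumptions for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Illustrative limits, assumed for this example (not QEMU's values). */
#define MAX_BLOCK_SIZE    (64u * 1024u * 1024u)    /* 64 MiB per block */
#define MAX_OFFSETS_BYTES (512u * 1024u * 1024u)   /* 512 MiB offsets array */

enum { OK = 0, ERR_SHORT, ERR_BLOCK_SIZE, ERR_OVERFLOW, ERR_TOO_LARGE };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Unchecked form: (n_blocks + 1) * 8 computed in 32 bits wraps for large
   n_blocks, so a huge block count yields a tiny allocation that later
   offset reads overrun. Returns the wrapped value to make the defect visible. */
uint32_t naive_offsets_size(uint32_t n_blocks) {
    return (n_blocks + 1u) * (uint32_t)sizeof(uint64_t);
}

/* Checked form: validate each header field before deriving sizes from it.
   offsets_size may be NULL when the caller only wants the verdict. */
int validate_fields(uint32_t block_size, uint32_t n_blocks, uint64_t *offsets_size) {
    /* block_size: non-zero, sector-aligned and bounded */
    if (block_size == 0 || block_size % 512 != 0 || block_size > MAX_BLOCK_SIZE)
        return ERR_BLOCK_SIZE;
    /* refuse before multiplying if (n_blocks + 1) * 8 cannot fit in 32 bits */
    if (n_blocks > UINT32_MAX / sizeof(uint64_t) - 1)
        return ERR_OVERFLOW;
    uint64_t size = ((uint64_t)n_blocks + 1) * sizeof(uint64_t);
    /* even a non-wrapping size can be unreasonably large: cap it */
    if (size > MAX_OFFSETS_BYTES)
        return ERR_TOO_LARGE;
    if (offsets_size) *offsets_size = size;
    return OK;
}

/* Parse an 8-byte big-endian header (block_size, n_blocks) and validate it. */
int validate_header(const uint8_t *buf, size_t len, uint64_t *offsets_size) {
    if (len < 8) return ERR_SHORT;
    return validate_fields(be32(buf), be32(buf + 4), offsets_size);
}

int main(void) {
    /* constructed header: block_size = 512, n_blocks = 0x20000000 */
    const uint8_t hdr[8] = {0, 0, 2, 0, 0x20, 0, 0, 0};
    uint64_t size = 0;
    printf("naive size: %u bytes\n", naive_offsets_size(0x20000000u));
    printf("checked verdict: %d\n", validate_header(hdr, sizeof hdr, &size));
    return 0;
}
```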
This time I opened a tracker bug. If you want separate bugs for those, we can do that.
bugbot adjusting priority
VHDX is not available in v1.4, so vhdx patch not applicable to SLE11 SP3.
The SWAMPID for this issue is 56981. This issue was rated as important. Please submit fixed packages until 2014-04-17. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Affected packages: SLE-11-SP3: kvm
Submitted SR#35871
I am testing this update for sle11sp3. I can't find the patch for CVE-2014-0148. Is it missing?
QEMU v1.4.2 does not include VHDX: http://git.qemu-project.org/?p=qemu.git;a=tree;f=block;h=7db7b6e68fca4585f9ab1cd859381eaebe8a1a9b;hb=89400a80f5827ae3696e3da73df0996154965a0a It was introduced in v1.5: http://git.qemu-project.org/?p=qemu.git;a=tree;f=block;h=9c7b376a681d86d3cb89645d435aed8007ed324a;hb=c0b1a7e207094dba0b37a892b41fe4cab3195e44
Update released for: kvm, kvm-debuginfo, kvm-debugsource
Products: SLE-DESKTOP 11-SP3 (i386, x86_64) SLE-SERVER 11-SP3 (i386, s390x, x86_64)
SUSE-SU-2014:0623-1: An update that fixes 9 vulnerabilities is now available.
Category: security (important)
Bug References: 812983,817593,842006,864802,870439
CVE References: CVE-2013-2016,CVE-2013-4344,CVE-2013-4541,CVE-2014-0142,CVE-2014-0143,CVE-2014-0144,CVE-2014-0145,CVE-2014-0146,CVE-2014-0147
Sources used:
SUSE Linux Enterprise Server 11 SP3 (src): kvm-1.4.2-0.11.1
SUSE Linux Enterprise Desktop 11 SP3 (src): kvm-1.4.2-0.11.1