Bug 864797 - (CVE-2013-4532) VUL-0: CVE-2013-4532: qemu: stellaris_enet: buffer overrun on incoming migration
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 13.1
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Bruce Rogers
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/96373/
Depends on:
Blocks:
Reported: 2014-02-20 08:52 UTC by Victor Pereira
Modified: 2017-08-03 14:17 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Victor Pereira 2014-02-20 08:52:14 UTC
CVE-2013-4532

Three issues were found:
 * s->next_packet is read from wire as an index into s->rx[].
 * s->tx_fifo_len is read from the wire and later used as an index into
     s->tx_fifo[] when a DATA command is issued by the guest.
 * s->tx_frame_len is read from the wire and can later be used as an index
     into s->tx_fifo[] for memset() when a DATA command is issued by the
     guest.

A user able to alter the savevm data (either on the disk or over the wire
during migration) could use this flaw to corrupt QEMU process memory on
the (destination) host, which could potentially result in arbitrary code
execution on the host with the privileges of the QEMU process.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4532
https://bugzilla.redhat.com/show_bug.cgi?id=1066358
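All three fields named in the description arrive from the migration stream and are then used as indices into fixed-size arrays, so the load path has to treat them as untrusted. The following is an added example, not QEMU's stellaris_enet code and not the upstream fix: a stand-alone C model of the check a device's post-load step needs, validating each wire-controlled field against the array it indexes and refusing the incoming state when any of them is out of range. The array sizes, the 12-byte little-endian wire layout and every function and type name here are assumptions made for the example.

```c
/* Added example (not QEMU's code): validating wire-controlled indices of a
 * stellaris_enet-like device state after deserialization from a migration
 * stream.  Sizes and layout are assumptions chosen for the example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ENET_RX_SLOTS   31     /* assumed number of receive slots */
#define ENET_FRAME_MAX  2048   /* assumed size of one frame buffer */

typedef struct {
    uint8_t data[ENET_FRAME_MAX];
    int len;
} enet_rx_slot;

typedef struct {
    /* the three fields the report says are read from the wire */
    int next_packet;
    int tx_fifo_len;
    int tx_frame_len;
    /* the arrays those fields are later used to index */
    enet_rx_slot rx[ENET_RX_SLOTS];
    uint8_t tx_fifo[ENET_FRAME_MAX];
} enet_state;

/* True only if every wire-controlled index is inside the array it is used
 * against.  The migration source is never trusted on this. */
bool enet_state_is_sane(const enet_state *s)
{
    /* next_packet selects an rx[] slot: must be a valid slot number */
    if (s->next_packet < 0 || s->next_packet >= ENET_RX_SLOTS)
        return false;
    /* tx_fifo_len is the fill level of tx_fifo[]; a full FIFO (== MAX) is
     * a legitimate state, anything beyond it would write past the array */
    if (s->tx_fifo_len < 0 || s->tx_fifo_len > ENET_FRAME_MAX)
        return false;
    /* tx_frame_len bounds a memset() over tx_fifo[] */
    if (s->tx_frame_len < 0 || s->tx_frame_len > ENET_FRAME_MAX)
        return false;
    return true;
}

/* Constructed wire format: three 32-bit little-endian signed integers. */
static int32_t rd_le32(const uint8_t *p)
{
    uint32_t u = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                 (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    int32_t v;
    memcpy(&v, &u, sizeof v);   /* reinterpret as signed without UB */
    return v;
}

/* Model of the device's load step.  Returns 0 on success and -1 if the
 * stream is too short or the loaded indices would overrun the arrays, in
 * which case the caller must refuse the incoming migration. */
int enet_load_state(enet_state *s, const uint8_t *wire, size_t len)
{
    if (len < 12)
        return -1;
    memset(s, 0, sizeof *s);
    s->next_packet  = rd_le32(wire);
    s->tx_fifo_len  = rd_le32(wire + 4);
    s->tx_frame_len = rd_le32(wire + 8);
    return enet_state_is_sane(s) ? 0 : -1;
}

/* Convenience wrapper for callers that only need the accept/refuse verdict. */
int enet_wire_is_accepted(const uint8_t *wire, size_t len)
{
    static enet_state scratch;   /* static: the struct is ~65 KiB */
    return enet_load_state(&scratch, wire, len) == 0;
}

int main(void)
{
    /* constructed sample streams: sane values, then next_packet = 0x7fffffff */
    const uint8_t good[12] = { 3, 0, 0, 0,  16, 0, 0, 0,  16, 0, 0, 0 };
    const uint8_t bad[12]  = { 0xff, 0xff, 0xff, 0x7f,  16, 0, 0, 0,  16, 0, 0, 0 };
    printf("good stream: %s\n", enet_wire_is_accepted(good, sizeof good) ? "accepted" : "refused");
    printf("bad stream:  %s\n", enet_wire_is_accepted(bad, sizeof bad) ? "accepted" : "refused");
    return 0;
}
```

The important design point is that the check runs on the deserialized values before any of them is used: a device that only bounds-checks when the guest later issues a DATA command has already let the corrupt indices into its state, and a memset() or FIFO write driven by them runs with the QEMU process's privileges on the destination host.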
Comment 1 Swamp Workflow Management 2014-02-20 23:00:21 UTC
bugbot adjusting priority