Bug 877645 – VUL-0: CVE-2014-0223: qemu: qcow1: validate image size to avoid out-of-bounds memory access

Bug 877645 - (CVE-2014-0223) VUL-0: CVE-2014-0223: qemu: qcow1: validate image size to avoid out-of-bounds memory access

(CVE-2014-0223)
Summary:	VUL-0: CVE-2014-0223: qemu: qcow1: validate image size to avoid out-of-bounds...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P2 - High Severity: Major
Target Milestone:	---
Assigned To:	Andreas Färber
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/98726/
Whiteboard:	CVSSv2:SUSE:CVE-2013-4535:4.3:(AV:A/A...
Keywords:	DSLA_REQUIRED, DSLA_SOLUTION_PROVIDED

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2014-05-14 07:44 UTC by Sebastian Krahmer
Modified:	2022-01-18 14:39 UTC (History)
CC List:	8 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sebastian Krahmer 2014-05-14 07:44:54 UTC

rh#1097222



References:
https://bugzilla.redhat.com/show_bug.cgi?id=1097222
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0223.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0223

Comment 1 Swamp Workflow Management 2014-05-14 22:00:19 UTC

bugbot adjusting priority

Comment 2 Sebastian Krahmer 2014-06-25 09:08:57 UTC

ping?

Comment 5 Swamp Workflow Management 2014-08-29 08:47:14 UTC

An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-09-12.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/58784

Comment 6 Swamp Workflow Management 2014-10-08 22:05:21 UTC

SUSE-SU-2014:1278-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 876842,877642,877645,878541,886535
CVE References: CVE-2014-0222,CVE-2014-0223,CVE-2014-3461
Sources used:
SUSE Linux Enterprise Server 11 SP3 (src):    kvm-1.4.2-0.17.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    kvm-1.4.2-0.17.1

Comment 11 Herbert Li 2015-01-20 05:35:26 UTC

Here is the PTF for sles11sp1. Please get the feedback from customer.

https://ptf.suse.com/b27a428a0750dc195e58933ba4411674/sles11-sp1/7872/x86_64/20150120

Comment 15 Thomas Abraham 2015-02-06 17:59:05 UTC

@Nan

Can you answer my question from comment #14?

Comment 16 Herbert Li 2015-02-12 05:38:29 UTC

(In reply to Tom Abraham from comment #15)
> @Nan
> 
> Can you answer my question from comment #14?

Sorry for the delay, since I just come back from holiday. 
PTF in comment#11 has applied the patch about CVE-2014-0223, so we don't need an updated PTF.

Comment 17 Thomas Abraham 2015-02-12 14:59:41 UTC

We're good to close. Thank you!

Comment 19 Swamp Workflow Management 2015-05-21 22:09:12 UTC

SUSE-SU-2015:0929-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 877642,877645,929339
CVE References: CVE-2014-0222,CVE-2014-0223,CVE-2015-3456
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    kvm-0.12.5-1.26.1