Bug 874749 - (CVE-2014-2894) VUL-0: CVE-2014-2894: qemu: out of bounds buffer accesses, guest triggerable via IDE SMART
(CVE-2014-2894)
VUL-0: CVE-2014-2894: qemu: out of bounds buffer accesses, guest triggerable ...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Andreas Färber
Security Team bot
https://smash.suse.de/issue/98066/
maint:released:sle11-sp3:57584
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-04-23 09:12 UTC by Alexander Bergmann
Modified: 2014-07-16 07:32 UTC (History)
5 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2014-04-23 09:12:07 UTC
Via rh#1087971:

An out of bounds memory access flaw was found in Qemu's IDE device model.
It leads to Qemu's memory corruption via buffer overwrite(4 bytes). It occurs
while executing IDE SMART commands.

A privileged guest user could use this flaw to corrupt qemu process' memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the qemu process.

Upstream fix:
https://lists.nongnu.org/archive/html/qemu-devel/2014-04/msg02016.html

Upstream commit:
http://git.qemu.org/?p=qemu.git;a=commit;h=940973ae0b45c9b6817bab8e4cf4df99a9ef83d7

CVE-2014-2894 was assigned to this issue.


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1087971
Comment 1 Alexander Bergmann 2014-04-23 09:34:44 UTC
Affected code streams:

SLE-11-SP3/kvm

openSUSE:12.3/qemu
openSUSE:12.3/kvm

openSUSE:13.1/qemu
Comment 2 Swamp Workflow Management 2014-04-23 22:00:35 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2014-04-24 12:12:16 UTC
Bruce, you submitted this fix to SP3 / kvm, but without a bugzilla number.,

please resubmit with bugzilla number.
Comment 4 Andreas Färber 2014-04-24 12:15:39 UTC
I'll take care of it.

At the time there was no Bugzilla entry for the CVE yet, and I wanted to include it in the pending maintenance update.
Comment 5 Andreas Färber 2014-04-24 14:32:56 UTC
SP3 kvm: https://build.suse.de/request/show/36722
Comment 6 Swamp Workflow Management 2014-05-09 09:57:57 UTC
The SWAMPID for this issue is 57292.
This issue was rated as moderate.
Please submit fixed packages until 2014-05-23.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 7 Swamp Workflow Management 2014-06-18 13:48:28 UTC
Update released for: kvm, kvm-debuginfo, kvm-debugsource
Products:
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, s390x, x86_64)
Comment 8 Swamp Workflow Management 2014-06-18 17:07:45 UTC
SUSE-SU-2014:0816-1: An update that solves two vulnerabilities and has 20 fixes is now available.

Category: security (moderate)
Bug References: 864391,864649,864650,864653,864655,864665,864671,864673,864678,864682,864769,864796,864801,864802,864804,864805,864811,864812,864814,873235,874749,874788
CVE References: CVE-2014-0150,CVE-2014-2894
Sources used:
SUSE Linux Enterprise Server 11 SP3 (src):    kvm-1.4.2-0.15.2
SUSE Linux Enterprise Desktop 11 SP3 (src):    kvm-1.4.2-0.15.2