Bug 897783 - (CVE-2014-3633) VUL-1: CVE-2014-3633: libvirt: qemu: out-of-bounds read access in qemuDomainGetBlockIoTune() due to invalid index
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P5 - None, Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/106304/
maint:released:sle11-sp3:60370
Reported: 2014-09-22 15:18 UTC by Marcus Meissner
Modified: 2015-03-25 15:58 UTC (History)
Found By: Security Response Team
Description Marcus Meissner 2014-09-22 15:18:14 UTC
via rh bugzilla and libvirt


It was found that when a disk is attached to a disk "live" (thus not
written into the persistent configuration) and then the statistics for
the disks are requested from the persistent configuration, index to
the array is determined from the live configuration but used in the
persistent.

A remote attacker able to establish a read-only connection to libvirtd
could use this flaw to crash libvirtd or, potentially, leak memory from
the libvirtd process.

Acknowledgements:

This issue was discovered by Luyao Huang of Red Hat.

http://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=3e745e8f775dfe6f64f18b5c2fe4791b35d3546b;hp=281f70013e9d6fff7f2d4b55f5133a837f023190


https://bugzilla.redhat.com/show_bug.cgi?id=1141131
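As an added illustration of the index mix-up described above (a constructed model, not libvirt's code or the linked commit), the two disk lists, the disk names and the tuning values are assumptions; the buggy lookup resolves the name in the live list and hands that index to the persistent list, the fixed one resolves it in the list that will actually be indexed:

```c
#include <stdio.h>
#include <string.h>
/* Constructed model of a domain's two disk lists in libvirt: the live
 * definition (vm->def) and the persistent one (vm->newDef). Not libvirt code. */
#define MAX_DISKS 4
struct disk { const char *dst; unsigned long long total_bytes_sec; };
struct domain_def { size_t ndisks; struct disk disks[MAX_DISKS]; };

/* Mirrors virDomainDiskIndexByName(): index of target `dst` in def, or -1. */
static int disk_index_by_name(const struct domain_def *def, const char *dst)
{
    for (size_t i = 0; i < def->ndisks; i++)
        if (strcmp(def->disks[i].dst, dst) == 0)
            return (int)i;
    return -1;
}
/* Buggy pattern (CVE-2014-3633): the name is resolved against the live def
 * but the index is meant for the persistent def; for a hot-plugged disk it
 * lands past that array. Only the index is returned, nothing is dereferenced. */
int persistent_idx_buggy(const struct domain_def *live, const char *dst)
{
    return disk_index_by_name(live, dst);   /* persistent def never consulted */
}
/* Fixed pattern: resolve the name against the def that will be indexed. */
int persistent_idx_fixed(const struct domain_def *persistent, const char *dst)
{
    return disk_index_by_name(persistent, dst);
}
/* Bounds-checked accessor: 0 on success, -1 when idx is not valid for def. */
int read_total_bytes_sec(const struct domain_def *def, int idx, unsigned long long *out)
{
    if (idx < 0 || (size_t)idx >= def->ndisks)
        return -1;
    *out = def->disks[idx].total_bytes_sec;
    return 0;
}
int main(void)
{
    /* Constructed: vda is in both configs, vdb was attached live only. */
    struct domain_def persistent = { 1, { { "vda", 1000 } } };
    struct domain_def live = { 2, { { "vda", 1000 }, { "vdb", 2000 } } };
    unsigned long long v = 0;
    int idx = persistent_idx_buggy(&live, "vdb");
    printf("buggy idx %d, ndisks %zu, read %s\n", idx, persistent.ndisks,
           read_total_bytes_sec(&persistent, idx, &v) ? "rejected" : "ok");
    printf("fixed idx %d\n", persistent_idx_fixed(&persistent, "vdb"));
    return 0;
}
```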
Comment 1 James Fehlig 2014-09-22 21:57:34 UTC
I've already fixed this in SLE12 RC4/GMC (SR#44409), SLE11 SP3, Factory (SR#251486), 13.1, and even 12.3!
Comment 3 Bernhard Wiedemann 2014-09-22 22:00:35 UTC
This is an autogenerated message for OBS integration:
This bug (897783) was mentioned in
https://build.opensuse.org/request/show/251486 Factory / libvirt
Comment 4 Marcus Meissner 2014-09-23 05:38:47 UTC
Thanks Jim, then we can just close this again. :)
Comment 5 James Fehlig 2014-09-23 17:12:19 UTC
What about SLES11 SP3?  Should I just queue the fix for a future virt tools update?

WRT openSUSE12.3 and 13.1, IMO it is fine to wait until the embargo lifts on the newest issue (CVE-2014-3657), and submit updates that include fixes for both CVEs.
Comment 6 Marcus Meissner 2014-09-24 09:08:18 UTC
You wrote "I already fixed this for SLES 11 SP3..."? What did that mean?

We have not published updates, or did we?
Comment 7 SMASH SMASH 2014-09-24 09:30:10 UTC
Affected packages:

SLE-11-SP3: libvirt
SLE-11-SP3-PRODUCTS: libvirt
SLE-11-SP3-UPTU: libvirt
SLE-12: libvirt
Comment 8 James Fehlig 2014-09-24 15:48:09 UTC
Sorry for the confusion.  By fixed, I meant the fix has been applied to the libvirt package in the various devel projects, e.g. IBS Devel:Virt:{SLE-12,SLE-11-SP3}, OBS Virtualization:openSUSE13.1, etc.  But only the SLE12 and Factory packages have been submitted.
Comment 9 James Fehlig 2014-09-24 15:51:54 UTC
> We have not published updates, or did we?

No, updates have not been published.  And as I wrote in #5, we should wait for CVE-2014-3657 embargo to lift before doing so.
Comment 10 James Fehlig 2014-10-02 16:38:10 UTC
Ok, CVE-2014-3657 is now public.  I've added a fix for it, and this CVE, to all affected libvirt packages.

For openSUSE12.3, started maintenancereq #253679
For openSUSE13.1, started maintenancereq #253680
For SLE11 SP3, have the fix queued for a future maintenance update
Fix is already included in SLE12 GA
Factory is not affected since the fix is included in libvirt 1.2.9

AFAIK, I'm done here.  Passing bug to security...
Comment 13 Swamp Workflow Management 2015-02-23 23:07:23 UTC
SUSE-SU-2015:0357-1: An update that solves 6 vulnerabilities and has 9 fixes is now available.

Category: security (moderate)
Bug References: 843074,852397,878350,879665,897654,897783,899144,899484,900084,904176,905097,907805,908381,910145,911742
CVE References: CVE-2014-3633,CVE-2014-3640,CVE-2014-3657,CVE-2014-7823,CVE-2014-7840,CVE-2014-8106
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    libvirt-1.0.5.9-0.19.3, libvirt-1.0.5.9-0.19.6
SUSE Linux Enterprise Server 11 SP3 (src):    kvm-1.4.2-0.21.4, kvm-1.4.2-0.21.5, libvirt-1.0.5.9-0.19.3, libvirt-1.0.5.9-0.19.5, libvirt-1.0.5.9-0.19.6
SUSE Linux Enterprise Desktop 11 SP3 (src):    kvm-1.4.2-0.21.4, libvirt-1.0.5.9-0.19.3
Comment 14 Johannes Segitz 2015-03-25 15:58:58 UTC
The openSUSE updates didn't show up here for some reason, but they were released. SLES is also fixed.