Bug 1026612 - (CVE-2017-2633) VUL-0: CVE-2017-2633: kvm,qemu: VNC: memory corruption due to unchecked resolution limit
(CVE-2017-2633)
VUL-0: CVE-2017-2633: kvm,qemu: VNC: memory corruption due to unchecked res...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Minor
: ---
Assigned To: Lin Ma
Security Team bot
https://smash.suse.de/issue/180852/
CVSSv2:SUSE:CVE-2017-2633:3.0:(AV:L/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-02-23 10:07 UTC by Marcus Meissner
Modified: 2022-02-13 11:24 UTC (History)
6 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2017-02-23 10:07:33 UTC
From: P J P <ppandit () redhat com>
Date: Thu, 23 Feb 2017 09:59:13 +0530 (IST)

  Hello,

Quick Emulator(Qemu) built with the VNC display driver support is vulnerable to an out-of-bounds memory access issue. It could occur while refreshing the vnc display surface area in 'vnc_refresh_server_surface'.


A user/process inside guest could use this flaw to crash the Qemu process resulting in DoS.


Upstream patch:
---------------
  -> http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=bea60dd7679364493a0d7f5b54316c767cf894ef
  -> http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=9f64916da20eea67121d544698676295bbb105a7

Older versions of Qemu are affected, latest upstream releases are not.

'CVE-2017-2633' has been assigned to this issue by Red Hat Inc.

Thank you.




References:
http://seclists.org/oss-sec/2017/q1/473
http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=9f64916da20eea67121d544698676295bbb105a7
http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=bea60dd7679364493a0d7f5b54316c767cf894ef
Comment 1 Marcus Meissner 2017-02-23 11:24:03 UTC
9f64916da20eea67121d544698676295bbb105a7 - in 1.3.0
bea60dd7679364493a0d7f5b54316c767cf894ef - in 2.1.0
Comment 2 Swamp Workflow Management 2017-02-23 23:00:17 UTC
bugbot adjusting priority
Comment 3 Bruce Rogers 2017-04-28 18:19:08 UTC
So kvm packages for SLE11-SP3/4 need bea60dd commit based fix as does SLE12 qemu. The 9f64916 fix is not needed for any of our supported products.
Comment 4 Bruce Rogers 2017-10-19 14:22:59 UTC
One more note: a later commit, eebe0b7, indicates that the bea60dd commit fix was incomplete, and provides the added fix. So we need this as well.
Comment 5 Bruce Rogers 2017-10-19 14:27:35 UTC
And another commit, eb8934b, indicates another issue with bea60dd, and provides the fix for that.So that commit is needed as well.
Comment 6 Swamp Workflow Management 2017-11-10 08:20:40 UTC
SUSE-SU-2017:2969-1: An update that solves 29 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1020427,1021741,1025109,1025311,1026612,1028184,1028656,1030624,1032075,1034866,1034908,1035406,1035950,1036211,1037242,1039495,1042159,1042800,1042801,1043296,1045035,1046636,1047674,1048902,1049381,1056334,1057585,1062069,1063122,994418,994605
CVE References: CVE-2016-6834,CVE-2016-6835,CVE-2016-9602,CVE-2016-9603,CVE-2017-10664,CVE-2017-10806,CVE-2017-11334,CVE-2017-11434,CVE-2017-13672,CVE-2017-14167,CVE-2017-15038,CVE-2017-15289,CVE-2017-2633,CVE-2017-5579,CVE-2017-5973,CVE-2017-5987,CVE-2017-6505,CVE-2017-7377,CVE-2017-7471,CVE-2017-7493,CVE-2017-7718,CVE-2017-7980,CVE-2017-8086,CVE-2017-8112,CVE-2017-8309,CVE-2017-9330,CVE-2017-9373,CVE-2017-9375,CVE-2017-9503
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    qemu-2.0.2-48.34.3
Comment 7 Swamp Workflow Management 2018-01-04 17:10:20 UTC
SUSE-SU-2018:0019-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1026612,1068032
CVE References: CVE-2017-2633,CVE-2017-5715
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    kvm-1.4.2-60.6.1
Comment 8 Sebastian Parschauer 2018-01-08 12:57:20 UTC
@Bruce: I need a backport to SLES11-SP1 for bsc#1074701. Can you please provide it? TIA
Comment 9 Bruce Rogers 2018-01-08 15:37:06 UTC
(In reply to Sebastian Parschauer from comment #8)
> @Bruce: I need a backport to SLES11-SP1 for bsc#1074701. Can you please
> provide it? TIA

Overloading this bug report with communications about another unrelated bug is bad practice. Please communicate with me within the other bug report or in some other way. 

But to respond to the open question, yes, I will.
Comment 10 Swamp Workflow Management 2018-01-08 17:08:36 UTC
SUSE-SU-2018:0039-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1026612,1068032
CVE References: CVE-2017-2633,CVE-2017-5715
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    kvm-1.4.2-53.14.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    kvm-1.4.2-53.14.1
Comment 11 Bruce Rogers 2018-01-23 02:49:07 UTC
(In reply to Bruce Rogers from comment #9)
> (In reply to Sebastian Parschauer from comment #8)
> > @Bruce: I need a backport to SLES11-SP1 for bsc#1074701. Can you please
> > provide it? TIA
> 
> Overloading this bug report with communications about another unrelated bug
> is bad practice. Please communicate with me within the other bug report or
> in some other way. 
> 
> But to respond to the open question, yes, I will.

And as I now look at this in detail, this is not going to be a simple backport. So contrary to my previous thought, this will not get done in a few more days, especially considering that I also have some other urgent type activities queued up.

I'll see if someone else can also help with this.
Comment 12 Lin Ma 2018-02-06 08:14:21 UTC
Total 32 patches were backported to kvm package and 1 patch was backported to pixman package, waiting for L3 or customer's feedback.
Comment 13 Johannes Segitz 2018-02-15 11:18:04 UTC
fixed
Comment 14 Bruce Rogers 2018-03-06 15:45:36 UTC
What's the status here. I don't see where an actual package includes these patches (other than in Lin's home branch.) Was a maintenance submission done from other than our Devel project?

Liang is also working on a vnc bug in old kvm releases which may benefit from these backports.
Comment 15 Lin Ma 2018-03-07 12:20:51 UTC
Just sent sr. https://build.suse.de/request/show/157389

Sorry for the delay