Bug 1043808 - (CVE-2017-9524) VUL-0: CVE-2017-9524: qemu: nbd: segmentation fault due to client non-negotiation
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assigned To: Fei Li
Security Team bot
https://smash.suse.de/issue/186600/
CVSSv3:SUSE:CVE-2017-9524:5.8:(AV:N/A...
Depends on:
Blocks:
Reported: 2017-06-12 09:51 UTC by Johannes Segitz
Modified: 2017-11-07 07:36 UTC
CC: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Johannes Segitz 2017-06-12 09:51:40 UTC
rh#1460170

Quick Emulator (Qemu) built with the Network Block Device (NBD) Server support
is vulnerable to a null pointer dereference issue. It could occur while
releasing a client, which was not initialised due to failed negotiation.

A remote user/process could use this flaw to crash the qemu-nbd server
resulting in DoS.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2017-05/msg06240.html
  -> https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg02321.html

See also c6 in the RH bug

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1460170
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9524
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9524
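As an added illustration (not QEMU's code and not the upstream patch), the following constructed C model shows the lifecycle bug class the description names: a client whose export pointer is only attached once negotiation succeeds, an unsafe release routine that dereferences it regardless, and a hardened release that tolerates a client whose handshake never completed. All names (`Client`, `Export`, `negotiate`, `client_put_safe`, the "NBDMAGIC" greeting) are assumptions chosen for the example.

```c
#include <string.h>

/* Constructed model of an NBD-style server's per-client state; the names
 * and layout are assumptions for illustration, not QEMU's own code. */
typedef struct Export { int refcount; } Export;
typedef struct Client { Export *exp; } Client;  /* exp set only after negotiation */

static Export g_export = { .refcount = 1 };

/* Constructed handshake: only the expected greeting completes negotiation;
 * on any other input the client stays half-initialised with exp == NULL. */
static int negotiate(Client *c, const char *hello) {
    if (strcmp(hello, "NBDMAGIC") != 0) {
        return -1;
    }
    c->exp = &g_export;
    c->exp->refcount++;
    return 0;
}

/* Unsafe release: assumes the handshake succeeded, so a client whose
 * negotiation failed dereferences NULL here. Shown only, never called. */
int client_put_unsafe(Client *c) {
    return --c->exp->refcount;
}

/* Hardened release: drops the export reference only if one was taken,
 * so it is safe to call for every client regardless of handshake outcome. */
int client_put_safe(Client *c) {
    int remaining = -1;
    if (c->exp) {
        remaining = --c->exp->refcount;
        c->exp = NULL;
    }
    return remaining;
}

/* One connection: the negotiation result is returned and teardown runs
 * on both paths, which is exactly where the unsafe variant would crash. */
int handle_connection(const char *hello) {
    Client c = { .exp = NULL };
    int ret = negotiate(&c, hello);
    client_put_safe(&c);
    return ret;
}

int export_refcount(void) {  /* lets a test confirm the refcount is balanced */
    return g_export.refcount;
}
```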
Comment 1 Bruce Rogers 2017-06-12 11:58:08 UTC
The first patch mentioned is now commit id df8ad9f128c15aa0a0ebc7b24e9a22c9775b67af.
The second patch is being discussed further.
Comment 2 Bruce Rogers 2017-07-11 01:42:28 UTC
The second patch is now upstream: commit id 0c9390d978cbf61e8f16c9f580fa96b305c43568.
Comment 3 Bruce Rogers 2017-07-12 16:57:21 UTC
Due to multiple other issues with the older versions of qemu-nbd, the fact that the code has morphed a fair amount over time, and the relative difficulty in exploiting this issue, I will only apply this fix to SLE12-SP3 and newer.
Comment 4 Bruce Rogers 2017-07-12 16:58:26 UTC
(In reply to Bruce Rogers from comment #3)
> Due to multiple other issues with the older versions of qemu-nbd, the fact
> that the code has morphed a fair amount over time, and the relative
> difficulty in exploiting this issue, I will only apply this fix to SLE12-SP3
> and newer.

Correction: SLE12-SP2 and newer.
Comment 5 Swamp Workflow Management 2017-11-06 20:08:22 UTC
SUSE-SU-2017:2936-1: An update that solves 12 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1043176,1043808,1046636,1047674,1048902,1049381,1054724,1056334,1057378,1057585,1057966,1059369,1062069,1062942,1063122,997358
CVE References: CVE-2017-10664,CVE-2017-10806,CVE-2017-10911,CVE-2017-11334,CVE-2017-11434,CVE-2017-12809,CVE-2017-13672,CVE-2017-14167,CVE-2017-15038,CVE-2017-15268,CVE-2017-15289,CVE-2017-9524
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    qemu-2.6.2-41.22.2
SUSE Linux Enterprise Server 12-SP2 (src):    qemu-2.6.2-41.22.2
SUSE Linux Enterprise Desktop 12-SP2 (src):    qemu-2.6.2-41.22.2
Comment 6 Andreas Stieger 2017-11-07 00:57:53 UTC
done
Comment 7 Swamp Workflow Management 2017-11-07 05:12:26 UTC
openSUSE-SU-2017:2941-1: An update that solves 12 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1043176,1043808,1046636,1047674,1048902,1049381,1054724,1056334,1057378,1057585,1057966,1059369,1062069,1062942,1063122,997358
CVE References: CVE-2017-10664,CVE-2017-10806,CVE-2017-10911,CVE-2017-11334,CVE-2017-11434,CVE-2017-12809,CVE-2017-13672,CVE-2017-14167,CVE-2017-15038,CVE-2017-15268,CVE-2017-15289,CVE-2017-9524
Sources used:
openSUSE Leap 42.2 (src):    qemu-2.6.2-31.9.1, qemu-linux-user-2.6.2-31.9.1, qemu-testsuite-2.6.2-31.9.2