Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 646814 (CVE-2017-15124, CVE-2017-17381, CVE-2017-18030, CVE-2017-18043, CVE-2018-5683) - <app-emulation/qemu-2.11.0: Multiple vulnerabilities
Summary: <app-emulation/qemu-2.11.0: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-15124, CVE-2017-17381, CVE-2017-18030, CVE-2017-18043, CVE-2018-5683
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-02-06 18:31 UTC by GLSAMaker/CVETool Bot
Modified: 2018-04-08 23:32 UTC (History)
1 user (show)

See Also:
Package list:
app-emulation/qemu-2.11.0
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-02-06 18:31:11 UTC
CVE-2018-5748 (https://nvd.nist.gov/vuln/detail/CVE-2018-5748):
  qemu/qemu_monitor.c in libvirt allows attackers to cause a denial of service
  (memory consumption) via a large QEMU reply.

CVE-2018-5683 (https://nvd.nist.gov/vuln/detail/CVE-2018-5683):
  The vga_draw_text function in Qemu allows local OS guest privileged users to
  cause a denial of service (out-of-bounds read and QEMU process crash) by
  leveraging improper memory address validation.

CVE-2017-18043 (https://nvd.nist.gov/vuln/detail/CVE-2017-18043):
  Integer overflow in the macro ROUND_UP (n, d) in Quick Emulator (Qemu)
  allows a user to cause a denial of service (Qemu process crash).

CVE-2017-18030 (https://nvd.nist.gov/vuln/detail/CVE-2017-18030):
  The cirrus_invalidate_region function in hw/display/cirrus_vga.c in Qemu
  allows local OS guest privileged users to cause a denial of service
  (out-of-bounds array access and QEMU process crash) via vectors related to
  negative pitch.

CVE-2017-17381 (https://nvd.nist.gov/vuln/detail/CVE-2017-17381):
  The Virtio Vring implementation in QEMU allows local OS guest users to cause
  a denial of service (divide-by-zero error and QEMU process crash) by
  unsetting vring alignment while updating Virtio rings.

CVE-2017-15124 (https://nvd.nist.gov/vuln/detail/CVE-2017-15124):
  VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older was
  found to be vulnerable to an unbounded memory allocation issue, as it did
  not throttle the framebuffer updates sent to its client. If the client did
  not consume these updates, VNC server allocates growing memory to hold onto
  this data. A malicious remote VNC client could use this flaw to cause DoS to
  the server host.
Comment 1 Matthias Maier gentoo-dev 2018-02-11 20:02:37 UTC
Security,

CVE-2018-5748 is a libvirt issue, it has nothing to do with qemu. Please open a new security bug for this one.
Comment 2 Larry the Git Cow gentoo-dev 2018-02-11 20:27:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=725631c3eee62d147ea634c969ab90d1c70f5612

commit 725631c3eee62d147ea634c969ab90d1c70f5612
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2018-02-11 20:16:02 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2018-02-11 20:27:01 +0000

    app-emulation/qemu: version bump to 2.11.0, important security fixes
    
     - Added slot operator for libnfs
    
     - Added patch for glibc-2.27 compatibility
    
     - Added patch for CVE-2017-16845
    
     - Backported upstream msr / spec ctrl patches:
    
       6cfbc54e89  i386: Add EPYC-IBPB CPU model
       ac96c41354  i386: Add new -IBRS versions of Intel CPU models
       1b3420e1c4  i386: Add FEAT_8000_0008_EBX CPUID feature word
       a2381f0934  i386: Add spec-ctrl CPUID bit
       a33a2cfe2f  i386: Add support for SPEC_CTRL MSR
    
     - CVEs addressed by bump:
    
       CVE-2017-17381
       CVE-2017-18030
       CVE-2017-18043
    
     - CVEs addressed by patchset:
    
       CVE-2017-15124
       CVE-2017-16845
       CVE-2018-5683
    
     - CVE-2018-5748 is a libvirt vulnerability, not a qemu issue...
    
    Bug:    https://bugs.gentoo.org/638506
    Bug:    https://bugs.gentoo.org/643432
    Bug:    https://bugs.gentoo.org/646814
    Closes: https://bugs.gentoo.org/641100
    Closes: https://bugs.gentoo.org/646568
    Closes: https://bugs.gentoo.org/646710
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 app-emulation/qemu/Manifest                        |   2 +
 .../qemu/files/qemu-2.11.0-glibc-2.27.patch        |  54 ++
 app-emulation/qemu/qemu-2.11.0.ebuild              | 803 +++++++++++++++++++++
 3 files changed, 859 insertions(+)}
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-02-11 20:47:19 UTC
(In reply to Matthias Maier from comment #1)
> Security,
> 
> CVE-2018-5748 is a libvirt issue, it has nothing to do with qemu. Please
> open a new security bug for this one.


Thank you Matthias, bug 647338 was created for libvirt.

Please confirm stabilization call by CCing arches when ready.
Comment 4 Matthias Maier gentoo-dev 2018-02-12 01:07:10 UTC
Arches, please stabilize
  =app-emulation/qemu-2.11.0

Target-keywords: amd64 x86
Comment 5 Agostino Sarubbo gentoo-dev 2018-02-12 11:48:05 UTC
amd64 stable
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-02-12 21:39:07 UTC
x86 stable
Comment 7 Larry the Git Cow gentoo-dev 2018-02-12 22:48:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f1930d8b843ff1fd0296c6757b540f0ab5e27044

commit f1930d8b843ff1fd0296c6757b540f0ab5e27044
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2018-02-12 22:47:34 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2018-02-12 22:48:29 +0000

    app-emulation/qemu: drop vulnerable version
    
    Bug: https://bugs.gentoo.org/646814
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 app-emulation/qemu/Manifest                        |   1 -
 .../qemu/files/qemu-2.10.1-CVE-2017-15268.patch    |  54 --
 .../qemu/files/qemu-2.10.1-CVE-2017-15289.patch    |  58 --
 app-emulation/qemu/qemu-2.10.1-r1.ebuild           | 800 ---------------------
 4 files changed, 913 deletions(-)}
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2018-04-08 23:32:25 UTC
This issue was resolved and addressed in
 GLSA 201804-08 at https://security.gentoo.org/glsa/201804-08
by GLSA coordinator Aaron Bauman (b-man).