Bug 33279 - qemu-kvm: Multiple issues (3.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 3.0
Platform: Other Linux
Importance: P1 normal
Target Milestone: UCS 3.2-6-errata
Assigned To: Philipp Hahn
QA Contact: Janek Walkenhorst
Duplicates: 38669
Reported: 2013-11-12 11:11 CET by Moritz Muehlenhoff
Modified: 2015-08-05 15:57 CEST (History)
CC List: 2 users

Description Moritz Muehlenhoff univentionstaff 2013-11-12 11:11:35 CET
+++ This bug was initially created as a clone of Bug #29907 +++

Buffer overflow in the e1000 driver (CVE-2012-6075)
Comment 1 Moritz Muehlenhoff univentionstaff 2014-03-14 14:30:32 CET
There is a long range of security issues which will not be backported to UCS 3.x:

CVE-2013-4148 CVE-2013-4149 CVE-2013-4150 CVE-2013-4151 CVE-2013-4526 CVE-2013-4527 CVE-2013-4529 CVE-2013-4530 CVE-2013-4531 CVE-2013-4532 CVE-2013-4533 CVE-2013-4534 CVE-2013-4535 CVE-2013-4536 CVE-2013-4537 CVE-2013-4538 CVE-2013-4539 CVE-2013-4540 CVE-2013-4541 CVE-2013-4542 CVE-2013-6399

These are all about saving/restoring the status of VMs. This would allow theoretical attacks where malformed status files of a VM are migrated to a different host and trigger code execution. In UCS all UVMM nodes are under the control of the administrator.
Comment 2 Moritz Muehlenhoff univentionstaff 2014-04-14 07:48:50 CEST
Buffer overflow in virtio-net (CVE-2014-0150)
Comment 3 Moritz Muehlenhoff univentionstaff 2014-04-22 07:47:46 CEST
Buffer overflow in processing SMART commands in the emulated IDE adaptor (CVE-2014-2894)
Comment 4 Moritz Muehlenhoff univentionstaff 2014-04-22 08:39:35 CEST
CVE-2014-0142: Denial of service through division by zero in parallels driver
CVE-2014-0143: Integer overflows in various block drivers
CVE-2014-0144: Memory corruption in various block drivers
CVE-2014-0145: Buffer overflows in block drivers
CVE-2014-0146: NULL pointer dereference in qcow driver
CVE-2014-0147: Missing input sanitising in qcow driver
Comment 5 Moritz Muehlenhoff univentionstaff 2014-04-22 09:20:45 CEST
CVE-2014-0182 virtio: out-of-bounds buffer write on state load with invalid config_len
Comment 6 Moritz Muehlenhoff univentionstaff 2014-06-06 10:34:41 CEST
Out of bounds access in parsing qcow1 images (CVE-2014-0223, CVE-2014-0222)
Comment 7 Moritz Muehlenhoff univentionstaff 2014-06-10 12:47:58 CEST
Buffer overflow in USB state handling after migration (CVE-2014-3461)
Comment 8 Moritz Muehlenhoff univentionstaff 2014-10-10 13:10:20 CEST
NULL pointer dereference in SLIRP (CVE-2014-3640)
Comment 9 Moritz Muehlenhoff univentionstaff 2014-10-31 13:08:35 CET
vmware_vga: insufficient parameter validation in rectangle functions (CVE-2014-3689)
Comment 10 Moritz Muehlenhoff univentionstaff 2014-11-07 01:01:15 CET
Missing sanitising of the bits_per_pixel value in the VNC display driver (CVE-2014-7815)
Comment 11 Moritz Muehlenhoff univentionstaff 2014-11-25 08:53:04 CET
For UCS 3.2, this leaves the following vulnerabilities to be fixed:

Buffer overflow in the e1000 driver (CVE-2012-6075)
Buffer overflow in virtio-net (CVE-2014-0150)
Buffer overflow in processing SMART commands in the emulated IDE adaptor (CVE-2014-2894)
Denial of service through division by zero in parallels driver (CVE-2014-0142)
Integer overflows in various block drivers (CVE-2014-0143)
Memory corruption in various block drivers (CVE-2014-0144)
Buffer overflows in block drivers (CVE-2014-0145)
NULL pointer dereference in qcow driver (CVE-2014-0146)
Missing input sanitising in qcow driver (CVE-2014-0147)
Out of bounds access in parsing qcow1 images (CVE-2014-0223, CVE-2014-0222)
NULL pointer dereference in SLIRP (CVE-2014-3640)
vmware_vga: insufficient parameter validation in rectangle functions (CVE-2014-3689)
Missing sanitising of the bits_per_pixel value in the VNC display driver (CVE-2014-7815)
Comment 12 Moritz Muehlenhoff univentionstaff 2014-11-25 08:54:06 CET
CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151, CVE-2013-4526, CVE-2013-4527, CVE-2013-4529, CVE-2014-4530, CVE-2013-4531, CVE-2013-4532, CVE-2013-4533, CVE-2013-4534, CVE-2013-4535, CVE-2013-4536, CVE-2013-4537, CVE-2013-4538, CVE-2013-4539, CVE-2013-4540, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461 and CVE-2014-7840 are for
various minor security vulnerabilities in loading/processing state files. Exploitation is mostly theoretical; either during live migration (but in UVMM all virtualisation nodes are part of the same trust context) or when processing a malformed memory image provided by a malicious party. The fixes are very intrusive and have been skipped in Debian since the risk of introducing data loss regressions exceeds the potential risk. For UCS 3.2 and 4.0 (which use the same version of KVM) we're doing the same as in Debian.
Comment 13 Moritz Muehlenhoff univentionstaff 2014-12-05 15:27:52 CET
Missing access checks in the Cirrus VGA emulator may result in privilege escalation (CVE-2014-8106)
Comment 14 Moritz Muehlenhoff univentionstaff 2015-01-15 11:25:38 CET
qemu-kvm shares the same base version in 3.2 and 4.0. Once we release an update in 3.2, we need to add a similar downgrade step to the preup as we already do for Firefox. Otherwise the version in 3.2-x would be higher than the one in 4.0-0 and it would interrupt the update.
Comment 15 Arvid Requate univentionstaff 2015-03-17 18:37:32 CET
VGA emulator in QEMU allows local guest users to read host memory by setting the display to a high resolution (CVE-2014-3615)
Comment 16 Arvid Requate univentionstaff 2015-05-13 18:36:18 CEST
* Virtualized Environment Neglected Operations Manipulation (VENOM) vulnerability in QEMU's virtual Floppy Disk Controller (CVE-2015-3456)
Comment 17 Philipp Hahn univentionstaff 2015-05-22 14:27:29 CEST
$ repo_admin.py -U -p qemu-kvm -d wheezy -r 3.2-0-0 -s errata3.2-6
 All CVEs (except those from comment #12) from this bug have been fixed in Debian 6+deb7u7.
 It also fixes CVE-2013-4344, which isn't mentioned here, as it is relevant in UCS.

r14773 | Bug #33279 qemu-kvm: debian/changelog
 quilt refresh
r14774 | Bug #33279 qemu-kvm: debian/changelog
 $ (cd /var/univention/buildsystem2/mirror/ftp/;find {3.2,4.0}/maintained/ -name qemu-kvm_\* -printf '%f\t%h\n')|sort -V
 qemu-kvm_1.1.2+dfsg-6.28.201307262155_amd64.deb 3.2/maintained/3.2-0/amd64
 qemu-kvm_1.1.2+dfsg-6.28.201307262155_i386.deb  3.2/maintained/3.2-0/i386
 qemu-kvm_1.1.2+dfsg-6.36.201411131534_amd64.deb 4.0/maintained/4.0-0/amd64
 qemu-kvm_1.1.2+dfsg-6.36.201411131534_i386.deb  4.0/maintained/4.0-0/i386
 qemu-kvm_1.1.2+dfsg-6.43.201501191249_amd64.deb 4.0/maintained/4.0-1/amd64
 qemu-kvm_1.1.2+dfsg-6.43.201501191249_amd64.deb 4.0/maintained/component/4.0-0-errata/amd64
 qemu-kvm_1.1.2+dfsg-6.43.201501191249_i386.deb  4.0/maintained/4.0-1/i386
 qemu-kvm_1.1.2+dfsg-6.43.201501191249_i386.deb  4.0/maintained/component/4.0-0-errata/i386
 qemu-kvm_1.1.2+dfsg-6.44.201505131916_amd64.deb 4.0/maintained/component/4.0-1-errata/amd64
 qemu-kvm_1.1.2+dfsg-6.44.201505131916_amd64.deb 4.0/maintained/component/4.0-2-errata/amd64
 qemu-kvm_1.1.2+dfsg-6.44.201505131916_i386.deb  4.0/maintained/component/4.0-1-errata/i386
 qemu-kvm_1.1.2+dfsg-6.44.201505131916_i386.deb  4.0/maintained/component/4.0-2-errata/i386

$ dpkg --compare-versions 1.1.2+dfsg-6.28.201307262155 lt 1.1.2+dfsg-6.29.45.201505221302 ; echo $?
0
$ dpkg --compare-versions 1.1.2+dfsg-6.29.45.201505221302 lt 1.1.2+dfsg-6.36.201411131534 ; echo $?
0

$ b32-scope errata3.2-6 qemu-kvm

Successful build
Package: qemu-kvm
Version: 1.1.2+dfsg-6.29.45.201505221302
Branch: ucs_3.2-0
Scope: errata3.2-6

r60850 | Bug #33279: qemu-kvm errata3.1-6 YAML
 2015-05-22-qemu-kvm.yaml
Comment 18 Arvid Requate univentionstaff 2015-06-22 20:49:56 CEST
*** Bug 38669 has been marked as a duplicate of this bug. ***
Comment 19 Arvid Requate univentionstaff 2015-06-22 20:51:53 CEST
wheezy-security package version 1.1.2+dfsg-6+deb7u8 fixes these additional issues:

* Denial of service due to insecure temporary file use in /net/slirp.c (CVE-2015-4037) [minor]

* A privileged guest user in a guest with an AMD PCNet ethernet card enabled can potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process (CVE-2015-3209)
Comment 20 Philipp Hahn univentionstaff 2015-06-23 16:23:58 CEST
repo_admin.py --cherrypick -r 4.0 -s errata4.0-2 --releasedest 3.2 --dest errata3.2-6 -p qemu-kvm
build-package-ng -r 3.2-0-0 -P ucs -s errata3.2-6 --no-pbuilder-update -p qemu-kvm

Package: qemu-kvm
Version: 1.1.2+dfsg-6.29.46.201506231342
Branch: ucs_3.2-0
Scope: errata3.2-6

r61418 | Bug #33279: qemu-kvm errata3.2-6 YAML
 2015-05-22-qemu-kvm.yaml

OK: apt-cache policy qemu-kvm
OK: deb-ver-comp 1.1.2+dfsg-6.28.201307262155 1.1.2+dfsg-6.29.45.201505221302 1.1.2+dfsg-6.44.201505131916
OK: zless /usr/share/doc/qemu-kvm/changelog.Debian.gz
OK: univention-install qemu-kvm=1.1.2+dfsg-6.28.201307262155
OK: univention-install qemu-kvm=1.1.2+dfsg-6.29.45.201505221302
OK: apt-get remove qemu-kvm
OK: univention-install qemu-kvm
OK: apt-get purge qemu-kvm
OK: univention-install qemu-kvm
OK: apt-get remove qemu-kvm
OK: apt-get purge qemu-kvm
OK: amd64 i386
Comment 21 Janek Walkenhorst univentionstaff 2015-07-29 12:53:49 CEST
Tests (amd64): OK
Advisory: OK
Comment 22 Janek Walkenhorst univentionstaff 2015-08-05 15:57:16 CEST
<http://errata.univention.de/ucs/3.2/349.html>