Bug 29907

Summary: qemu-kvm: Buffer overflows (3.1)
Product: UCS Reporter: Moritz Muehlenhoff <jmm>
Component: Security updatesAssignee: Security maintainers <security-maintainers>
Status: CLOSED WONTFIX QA Contact:
Severity: normal    
Priority: P3    
Version: UCS 3.0   
Target Milestone: UCS 3.1-x-errata   
Hardware: Other   
OS: Linux   
What kind of report is it?: --- What type of bug is this?: ---
Who will be affected by this bug?: --- How will those affected feel about the bug?: ---
User Pain: Enterprise Customer affected?:
School Customer affected?: ISV affected?:
Waiting Support: Flags outvoted (downgraded) after PO Review:
Ticket number: Bug group (optional):
Max CVSS v3 score:

Description Moritz Muehlenhoff univentionstaff 2013-01-02 17:12:44 CET 
Buffer overflow in the e1000 driver (CVE-2012-6075)
Comment 1 Moritz Muehlenhoff univentionstaff 2014-03-14 14:30:25 CET 
There a long range of security issues which will not be backported to UCS 3.x:

CVE-2013-4148 CVE-2013-4149 CVE-2013-4150 CVE-2013-4151 CVE-2013-4526 CVE-2013-4527 CVE-2013-4529 CVE-2013-4530 CVE-2013-4531 CVE-2013-4532 CVE-2013-4533 CVE-2013-4534 CVE-2013-4535 CVE-2013-4536 CVE-2013-4537 CVE-2013-4538 CVE-2013-4539 CVE-2013-4540 CVE-2013-4541 CVE-2013-4542 CVE-2013-6399

These are all about saving/restoring the status of VMs. This would allow theoretical attacks where malformed status files of a VM are migrated to a different host and triggering code execution. In UCS all UVMM nodes are under the control of the administrator.
Comment 2 Moritz Muehlenhoff univentionstaff 2014-04-14 07:48:14 CEST 
Buffer overflow in virtio-net (CVE-2014-0150)
Comment 3 Moritz Muehlenhoff univentionstaff 2014-04-22 07:47:26 CEST 
Buffer overflow in processing SMART commands in the emulated IDE adaptor (CVE-2014-2894)
Comment 4 Moritz Muehlenhoff univentionstaff 2014-04-22 08:39:52 CEST 
CVE-2014-0142: Denial of service through division by zero in parallels driver
CVE-2014-0143: Integer overflows in various block drivers
CVE-2014-0144: Memory corruption in various block drivers
CVE-2014-0145: Buffer overflows in block drivers
CVE-2014-0146: NULL pointer dereference in qcow driver
CVE-2014-0147: Missing input sanitising in qcow driver
Comment 5 Moritz Muehlenhoff univentionstaff 2014-04-22 09:20:56 CEST 
CVE-2014-0182 virtio: out-of-bounds buffer write on state load with invalid config_len
Comment 6 Moritz Muehlenhoff univentionstaff 2014-06-02 07:59:18 CEST 
The maintenance with bug and security fixes for UCS 3.1-x has ended on 31st of May 2014.

The maintenance of the UCS 3.x major series is continued by UCS 3.2-x that is supplied with bug and security fixes.

Customers still on UCS 3.1-x are encouraged to update to UCS 3.2. Please contact your partner or Univention for any questions.