Bug 1244332 (CVE-2015-5158)

Summary: CVE-2015-5158 Qemu: scsi stack buffer overflow
Product: [Other] Security Response
Reporter: Prasad Pandit <ppandit>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: gmollett, juzhang, security-response-team, slong, xfu
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw has been discovered in the QEMU emulator built with SCSI-device emulation support. The emulator is vulnerable to a stack buffer overflow issue, which can occur while parsing a SCSI command descriptor block with an invalid operation code. A privileged (CAP_SYS_RAWIO) user inside a guest could use this flaw to crash the QEMU instance, resulting in a denial-of-service (DoS) attack.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-21 00:46:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1244334, 1246025
Bug Blocks: 1243329

Description Prasad Pandit 2015-07-17 19:33:59 UTC
The Qemu emulator built with SCSI device emulation support is vulnerable to a
stack buffer overflow issue. It could occur while parsing a SCSI command
descriptor block with an invalid operation code.

A privileged (CAP_SYS_RAWIO) user inside a guest could use this flaw to crash
the Qemu instance, resulting in a DoS.

Upstream fix:
-------------
  -> git.qemu.org/?p=qemu.git;a=commit;h=c170aad8b057223b1139d72e5ce7acceafab4fa9

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2015/07/23/6
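The defect class named in the Doc Text and in the description above, a CDB length derived from an opcode that has no defined length and then used for a copy into a fixed-size stack buffer, is modelled below as an added example. This is illustrative C written for this page, not QEMU's code and not the upstream patch; the group-code-to-length mapping follows the SCSI specification, while the function and struct names, the 16-byte buffer and the sample CDBs are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Largest CDB this model handles: the SCSI spec defines 6-, 10-, 12- and
 * 16-byte command descriptor blocks. An emulator copies the guest-supplied
 * CDB into a buffer like this before dispatching on the opcode. */
#define CDB_MAX 16

struct scsi_cmd {
    uint8_t buf[CDB_MAX];   /* fixed-size copy of the guest-supplied CDB */
    int len;                /* number of valid bytes in buf */
};

/* CDB length from the opcode's group code (bits 7..5), per the SCSI spec.
 * Groups 3, 6 and 7 are reserved or vendor-specific and have no defined
 * length, so the lookup signals failure with -1 instead of a size. */
int cdb_length(uint8_t opcode)
{
    switch (opcode >> 5) {
    case 0:           return 6;
    case 1: case 2:   return 10;
    case 4:           return 16;
    case 5:           return 12;
    default:          return -1;    /* invalid / unknown operation code */
    }
}

/* The hazard behind an unchecked length: if the -1 sentinel is handed to
 * memcpy() as a size_t it silently becomes SIZE_MAX, so the copy would run
 * far past the 16-byte buffer. This helper only computes that value; it
 * never performs a copy. */
size_t unchecked_copy_size(uint8_t opcode)
{
    return (size_t)cdb_length(opcode);
}

/* Hardened parser: validates the length before any byte is copied.
 * Returns 0 on success, -1 when the opcode group is invalid, the CDB is
 * longer than the caller supplied, or it would not fit in the buffer. */
int parse_cdb_safe(struct scsi_cmd *cmd, const uint8_t *cdb, size_t cdb_size)
{
    if (cdb_size == 0) {
        return -1;                      /* no opcode byte to inspect */
    }
    int len = cdb_length(cdb[0]);
    if (len < 0 || (size_t)len > cdb_size || len > CDB_MAX) {
        return -1;                      /* reject before touching cmd->buf */
    }
    memcpy(cmd->buf, cdb, (size_t)len);
    cmd->len = len;
    return 0;
}

/* Constructed sample CDBs for the demonstration (not from a real capture). */
static const uint8_t TEST_UNIT_READY[6]  = { 0x00 };                      /* group 0 */
static const uint8_t READ_10[10]         = { 0x28, 0, 0, 0, 0, 0, 0, 0, 1, 0 }; /* group 1 */
static const uint8_t RESERVED_GROUP[16]  = { 0x60 };                      /* group 3 */

/* Wrappers so each outcome is a return value, with the command struct living
 * on the stack as in the reported flaw. */
int parse_result(const uint8_t *cdb, size_t cdb_size)
{
    struct scsi_cmd cmd;
    return parse_cdb_safe(&cmd, cdb, cdb_size);
}

int parsed_len(const uint8_t *cdb, size_t cdb_size)
{
    struct scsi_cmd cmd;
    return parse_cdb_safe(&cmd, cdb, cdb_size) == 0 ? cmd.len : -1;
}

int main(void)
{
    printf("TEST UNIT READY (6 bytes): rc=%d len=%d\n",
           parse_result(TEST_UNIT_READY, sizeof TEST_UNIT_READY),
           parsed_len(TEST_UNIT_READY, sizeof TEST_UNIT_READY));
    printf("READ(10) truncated to 6 bytes: rc=%d\n", parse_result(READ_10, 6));
    printf("reserved opcode group 0x60: rc=%d, unchecked memcpy size would be %zu\n",
           parse_result(RESERVED_GROUP, sizeof RESERVED_GROUP),
           unchecked_copy_size(0x60));
    return 0;
}
```

The check that matters is the one on `len < 0`: a signed sentinel that is never tested before being converted to `size_t` is exactly how a lookup failure turns into an out-of-bounds copy, and `unchecked_copy_size` shows the value such a copy would receive. Rejecting the CDB when the supplied length is shorter than the opcode implies (the truncated READ(10) case) closes the complementary over-read.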

Comment 2 Prasad Pandit 2015-07-23 10:31:54 UTC
Statement: 

This issue does not affect the versions of kvm and xen packages as shipped with Red Hat Enterprise Linux 5.

This issue does not affect the versions of the qemu-kvm packages as shipped with Red Hat Enterprise Linux 6 and 7.

This issue does not affect the Red Hat Enterprise Linux 6 based versions of qemu-kvm-rhev packages as shipped with Red Hat Enterprise Virtualization 3.

This issue does not affect the Red Hat Enterprise Linux 7 based versions of the qemu-kvm-rhev packages as shipped with Red Hat Enterprise Virtualization 3.

Comment 3 Prasad Pandit 2015-07-23 10:33:00 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1246025]

Comment 4 Prasad Pandit 2015-07-23 10:53:21 UTC
Acknowledgements:

This issue was discovered by Donghai Zhu of Alibaba.

Comment 5 Fedora Update System 2015-08-18 05:16:46 UTC
qemu-2.3.1-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2015-08-23 16:40:23 UTC
qemu-2.4.0-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.