Bug 1248997 (CVE-2015-5166, xsa139)

Summary: CVE-2015-5166 Qemu: BlockBackend object use after free issue (XSA-139)
Product: [Other] Security Response Reporter: Prasad Pandit <ppandit>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, apevec, areis, ayoung, carnil, chrisw, dallan, gkotton, gmollett, jen, knoel, lhh, lpeer, markmc, mrezanin, mst, pbonzini, ppandit, rbryant, sclewis, security-response-team, slong, srevivo, tdecacqu, virt-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A flaw has been found in the QEMU emulator built with IDE Emulation PCI PIIX3/4 support; the emulator is vulnerable to a use-after-free flaw, while writing data to an I/O port inside a guest. This issue is specific to the Xen platform. A privileged(CAP_SYS_RAWIO) guest user on the Xen platform could use this flaw to crash the QEMU instance or attempt to make a guest escape to QEMU-process privileges.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:42:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1249000, 1249001, 1249002, 1249003, 1249757, 1249758    
Bug Blocks: 1243299    

Description Prasad Pandit 2015-07-31 09:59:27 UTC
Qemu emulator built with the IDE Emulation PCI PIIX3/4 support is vulnerable
to a use-after-free flaw. It could occur when trying to write data to an I/O
port inside guest. This issue is specific to the Xen platform.

A privileged(CAP_SYS_RAWIO) guest user on the Xen platform could use this flaw
to crash the Qemu instance or probably attempt to make a guest escape.

Upstream fix:
-------------
  -> git.qemu.org/?p=qemu.git;a=commit;h=6cd387833d05e8ad31829d97e474dc420625aed9

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2015/08/03/3

Comment 3 Prasad Pandit 2015-07-31 10:09:12 UTC
Statement: 

This issue does not affect the versions of kvm and xen packages as shipped with Red Hat Enterprise Linux 5.

This issue does not affect the versions of the qemu-kvm packages as shipped with Red Hat Enterprise Linux 6.

This issue does not affect the Red Hat Enterprise Linux 6 based versions of qemu-kvm-rhev packages as shipped with Red Hat Enterprise Virtualization 3.

This issue does not affect the versions of the qemu-kvm packages as shipped with Red Hat Enterprise Linux 7.

This issue does not affect the Red Hat Enterprise Linux 7 based versions of the qemu-kvm-rhev packages as shipped with Red Hat Enterprise Virtualization 3.

This issue does not affect the qemu-kvm-rhev packages as shipped with any currently supported versions of Red Hat Enterprise Linux OpenStack Platform.

Comment 6 Prasad Pandit 2015-08-03 17:35:27 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1249757]

Comment 7 Prasad Pandit 2015-08-03 17:35:30 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1249758]

Comment 8 Martin Prpič 2015-08-04 08:09:55 UTC
External References:

http://xenbits.xen.org/xsa/advisory-139.html

Comment 9 Martin Prpič 2015-08-04 08:11:54 UTC
Acknowledgement:

Red Hat would like to thank the Xen project for reporting this issue. Upstream acknowledges Donghai Zhu of Alibaba as the original reporter.

Comment 10 Fedora Update System 2015-08-18 05:16:55 UTC
qemu-2.3.1-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2015-08-23 16:40:25 UTC
qemu-2.4.0-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2015-08-26 21:08:38 UTC
xen-4.5.1-6.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-14361

Comment 13 Fedora Update System 2015-08-26 21:13:03 UTC
xen-4.5.1-6.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-14362

Comment 14 Fedora Update System 2015-08-26 21:16:08 UTC
xen-4.4.3-1.fc21 has been submitted as an update to Fedora 21. https://bodhi.fedoraproject.org/updates/FEDORA-2015-14363

Comment 15 Fedora Update System 2015-09-01 18:31:14 UTC
xen-4.5.1-6.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2015-09-26 21:49:43 UTC
xen-4.4.3-3.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2015-09-27 03:22:11 UTC
xen-4.5.1-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.