Bug 1318712 (CVE-2016-3712)
| Summary: | CVE-2016-3712 qemu-kvm: Out-of-bounds read when creating weird vga screen surface | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | unspecified | CC: | abaron, ailan, alonbl, aortega, apevec, areis, ayoung, bmcclain, chrisw, dallan, dblechte, drjones, gklein, gkotton, hkim, imammedo, jen, jschluet, knoel, kraxel, lhh, lpeer, markmc, mgoldboi, michal.skrivanek, mkenneth, mrezanin, mst, pbonzini, ppandit, rbalakri, rbryant, rkrcmar, sclewis, security-response-team, sherold, srevivo, tdecacqu, vkuznets, ykaul, ylavi | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: |
An integer overflow flaw and an out-of-bounds read flaw were found in the way QEMU's VGA emulator set certain VGA registers while in VBE mode. A privileged guest user could use this flaw to crash the QEMU process instance.
|
Story Points: | --- | ||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2017-03-21 09:56:14 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 1332282, 1332284, 1334342, 1334343 | ||||||
| Bug Blocks: | 1318730 | ||||||
| Attachments: |
|
||||||
|
Description
Adam Mariš
2016-03-17 15:00:16 UTC
Acknowledgments: Name: Zuozhi Fzz (Alibaba Inc.) Created attachment 1137419 [details]
Backtrace report
Statement: (none) Public via: http://xenbits.xen.org/xsa/advisory-179.html Created xen tracking bugs for this issue: Affects: fedora-all [bug 1334343] Created qemu tracking bugs for this issue: Affects: fedora-all [bug 1334342] xen-4.5.3-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report. qemu-2.4.1-9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report. xen-4.6.1-8.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report. qemu-2.3.1-14.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report. This one caused a regression. How do we handle these? upstream patch (merged in master, queued for 2.6.1 steable update): https://lists.nongnu.org/archive/html/qemu-devel/2016-05/msg03790.html fedora bugs: bug 1339268, bug 1339267 > This one caused a regression. How do we handle these?
Does the regression introduce a new security issue?
I'd suggest tracking the regression as a separate issue in a new set of BZs for RHEL-6.9 and RHEL-7.3. Whether or not we backport the fix to the respective Z-streams depends on whether or not a customer hits the regression.
Setting NEEDINFO to areis for additional review/feedback.
(In reply to Jeff Nelson from comment #14) > > This one caused a regression. How do we handle these? > > Does the regression introduce a new security issue? No. (In reply to Jeff Nelson from comment #14) > > This one caused a regression. How do we handle these? > > Does the regression introduce a new security issue? > > I'd suggest tracking the regression as a separate issue in a new set of BZs > for RHEL-6.9 and RHEL-7.3. Whether or not we backport the fix to the > respective Z-streams depends on whether or not a customer hits the > regression. My understanding is that this particular security issue is not being backported to z-streams. If that's indeed the case, then given the patches are being reviewed (BZs are POST), there's no need for a new BZ for the regression. We can simply respin the patches. xen-4.5.3-5.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report. (In reply to Ademar Reis from comment #16) > (In reply to Jeff Nelson from comment #14) > > > This one caused a regression. How do we handle these? > > > > Does the regression introduce a new security issue? > > > > I'd suggest tracking the regression as a separate issue in a new set of BZs > > for RHEL-6.9 and RHEL-7.3. Whether or not we backport the fix to the > > respective Z-streams depends on whether or not a customer hits the > > regression. > > My understanding is that this particular security issue is not being > backported to z-streams. > > If that's indeed the case, then given the patches are being reviewed (BZs > are POST), there's no need for a new BZ for the regression. We can simply > respin the patches. Both CVE-2016-3710 and CVE-2016-3712 are fixed together in one series (RHEL-6 + RHEL-7). RHEL-5 gets the CVE-2016-3710 fix only so no regression there. Patches are out for 6.8 and 7.2.z. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:2585 https://rhn.redhat.com/errata/RHSA-2016-2585.html This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2017:0621 https://rhn.redhat.com/errata/RHSA-2017-0621.html |