Bug 1430056 (CVE-2016-9603)

Summary: CVE-2016-9603 Qemu: cirrus: heap buffer overflow via vnc connection
Product: [Other] Security Response Reporter: Prasad Pandit <ppandit>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: ailan, amit, apevec, areis, berrange, cfergeau, chrisw, crobinso, cvsbot-xmlrpc, drjones, dwmw2, gmollett, imammedo, itamar, jen, jjoyce, jschluet, kbasil, knoel, kraxel, lhh, lpeer, markmc, m.a.young, mkenneth, mrezanin, mst, pbonzini, rbryant, rjones, rkrcmar, sclewis, security-response-team, srevivo, tdecacqu, virt-maint, virt-maint, vkuznets, xen-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: qemu 2.9 Doc Type: If docs needed, set a value
Doc Text:
A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx VGA emulator's VNC display driver support; the issue could occur when a VNC client attempted to update its display after a VGA operation is performed by a guest. A privileged user/process inside a guest could use this flaw to crash the QEMU process or, potentially, execute arbitrary code on the host with privileges of the QEMU process.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:08:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1430059, 1430060, 1430061, 1430062, 1430063, 1430064, 1430065, 1430066, 1430067, 1430068, 1430069, 1432040, 1432041, 1436466, 1447540, 1447542, 1447544, 1447545    
Bug Blocks: 1395719    
Attachments:
Description Flags
Proposed upstream patch none

Description Prasad Pandit 2017-03-07 19:02:52 UTC 
Quick Emulator(Qemu) built with the Cirrus CLGD 54xx VGA Emulator and the
VNC display driver support is vulnerable to a heap buffer overflow issue.
It could occur when Vnc client attempts to update its display after a vga
operation is performed by a guest.

A privileged user/process inside guest could use this flaw to crash the Qemu
process resulting in DoS  OR  potentially leverage it to execute arbitrary code
on the host with privileges of the Qemu process.

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2017/03/14/2
Comment 2 Prasad Pandit 2017-03-07 19:04:45 UTC 
Created attachment 1260925 [details]
Proposed upstream patch
Comment 6 Prasad Pandit 2017-03-14 12:03:56 UTC 
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1432041]
Comment 7 Prasad Pandit 2017-03-14 12:04:09 UTC 
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1432040]
Comment 8 Cole Robinson 2017-03-14 20:06:18 UTC 
Patch posting: https://www.mail-archive.com/qemu-devel@nongnu.org/msg437188.html
Comment 9 Gerd Hoffmann 2017-03-16 09:34:43 UTC 
upstream pull request sent is on the way.
Comment 10 Gerd Hoffmann 2017-03-21 10:01:44 UTC 
merged now, next 2.8.x stable should have it too.
Comment 12 errata-xmlrpc 2017-04-18 04:57:09 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 9.0 (Mitaka)

Via RHSA-2017:0984 https://access.redhat.com/errata/RHSA-2017:0984
Comment 13 errata-xmlrpc 2017-04-18 04:57:56 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 8.0 (Liberty)

Via RHSA-2017:0983 https://access.redhat.com/errata/RHSA-2017:0983
Comment 14 errata-xmlrpc 2017-04-18 04:58:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7

Via RHSA-2017:0982 https://access.redhat.com/errata/RHSA-2017:0982
Comment 15 errata-xmlrpc 2017-04-18 04:59:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7

Via RHSA-2017:0981 https://access.redhat.com/errata/RHSA-2017:0981
Comment 16 errata-xmlrpc 2017-04-18 05:00:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7

Via RHSA-2017:0980 https://access.redhat.com/errata/RHSA-2017:0980
Comment 17 errata-xmlrpc 2017-04-18 06:07:30 UTC 
This issue has been addressed in the following products:

  RHEV 3.X Hypervisor and Agents for RHEL-7
  RHEV 4.X RHEV-H and Agents for RHEL-7

Via RHSA-2017:0985 https://access.redhat.com/errata/RHSA-2017:0985
Comment 18 errata-xmlrpc 2017-04-18 12:33:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:0987 https://access.redhat.com/errata/RHSA-2017:0987
Comment 19 errata-xmlrpc 2017-04-18 13:56:06 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2017:0988 https://access.redhat.com/errata/RHSA-2017:0988
Comment 22 errata-xmlrpc 2017-05-09 11:08:07 UTC 
This issue has been addressed in the following products:

  RHEV 3.X Hypervisor and Agents for RHEL-6

Via RHSA-2017:1205 https://access.redhat.com/errata/RHSA-2017:1205
Comment 23 errata-xmlrpc 2017-05-09 12:47:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:1206 https://access.redhat.com/errata/RHSA-2017:1206
Comment 24 errata-xmlrpc 2017-06-14 15:33:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6

Via RHSA-2017:1441 https://access.redhat.com/errata/RHSA-2017:1441
Comment 25 Fedora Update System 2017-07-25 21:24:10 UTC 
qemu-2.7.1-7.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.