Bug 1525195 (CVE-2017-15124)

Summary: CVE-2017-15124 Qemu: memory exhaustion through framebuffer update request message in VNC server
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ailan, amit, apevec, areis, berrange, cfergeau, chrisw, drjones, dwmw2, imammedo, itamar, jen, jforbes, jjoyce, jschluet, kbasil, knoel, lhh, lpeer, marcandre.lureau, markmc, m.a.young, mburns, mkenneth, mrezanin, mst, pbonzini, ppandit, rbryant, rjones, rkrcmar, robinlee.sysu, sclewis, security-response-team, slinaber, srevivo, tdecacqu, virt-maint, virt-maint, vkuznets, wainersm, xen-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
VNC server implementation in Quick Emulator (QEMU) was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, VNC server allocates growing memory to hold onto this data. A malicious remote VNC client could use this flaw to cause DoS to the server host.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:34:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1526238, 1526239, 1526240, 1526247, 1526248, 1526249, 1527385, 1527386, 1527401, 1527403, 1527404, 1527405, 1527406, 1527407, 1527408, 1527409    
Bug Blocks: 1525198    

Description Pedro Sampaio 2017-12-12 18:24:58 UTC 
VNC server implementation in Quick Emulator(QEMU) was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, VNC server allocates growing memory to hold onto this data.

A malicious VNC client could use this flaw to cause DoS on the remote server host.

Upstream fix(es):
-----------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2017-12/msg03715.html
  -> https://lists.gnu.org/archive/html/qemu-devel/2017-12/msg03713.html
  -> https://lists.gnu.org/archive/html/qemu-devel/2017-12/msg03711.html

Thread:
-------
  -> https://lists.gnu.org/archive/html/qemu-devel/2017-12/msg03705.html

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2017/12/19/4
Comment 1 Pedro Sampaio 2017-12-12 18:25:14 UTC 
Acknowledgments:

Name: Daniel Berrange (Red Hat)
Comment 5 Prasad Pandit 2017-12-19 10:35:50 UTC 
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1527386]


Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1527385]
Comment 15 errata-xmlrpc 2018-04-10 08:24:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0816 https://access.redhat.com/errata/RHSA-2018:0816
Comment 16 errata-xmlrpc 2018-04-10 18:59:36 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for RHEL-7

Via RHSA-2018:1104 https://access.redhat.com/errata/RHSA-2018:1104
Comment 17 errata-xmlrpc 2018-04-11 18:04:56 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)
  Red Hat OpenStack Platform 11.0 (Ocata)
  Red Hat OpenStack Platform 8.0 (Liberty)
  Red Hat OpenStack Platform 9.0 (Mitaka)
  Red Hat OpenStack Platform 12.0 (Pike)

Via RHSA-2018:1113 https://access.redhat.com/errata/RHSA-2018:1113
Comment 18 errata-xmlrpc 2018-10-30 07:28:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3062 https://access.redhat.com/errata/RHSA-2018:3062