Bug 1607652 (CVE-2018-19665)

Summary: CVE-2018-19665 Qemu: bt: Integer overflow in Bluetooth routines allows memory corruption
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Last Closed: 2019-06-10 10:34:08 UTC
CC: amit, apevec, areis, berrange, cfergeau, chrisw, dbecker, dwmw2, itamar, jen, jforbes, jjoyce, jschluet, kbasil, knoel, lhh, lpeer, markmc, m.a.young, mburns, mkenneth, mrezanin, mst, pbonzini, ppandit, rbalakri, rbryant, rjones, robinlee.sysu, sclewis, security-response-team, sfowler, slinaber, srevivo, tburke, tdecacqu, tohidi.arash, virt-maint
Bug Depends On: 1640543, 1640544, 1640545, 1640546, 1640547, 1640548, 1640549, 1640550, 1640551, 1640552, 1640553, 1640554
Bug Blocks: 1607659

Description Sam Fowler 2018-07-24 00:18:20 UTC
An integer overflow resulting in a memory corruption issue was found in various Bluetooth functions. It could occur in routines wherein the 'len' parameter is a 'signed int' which is subsequently converted to an unsigned integer, resulting in memcpy() copying large amounts of memory.

A user inside the guest could use this flaw to crash the Qemu process, resulting in a DoS.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg03570.html

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2018/11/29/1
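
As an added illustration of the bug class described in this report (a constructed example, not QEMU's Bluetooth code): `len_as_size_t()` shows what `memcpy()` receives when a signed `len` is passed to its `size_t` parameter, and `pkt_buf_append()` is a hardened copy routine that validates the signed length before it is widened. The `pkt_buf_t` structure, `PKT_BUF_SIZE` and the function names are hypothetical.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a fixed-size packet reassembly buffer (hypothetical,
 * not a QEMU structure). */
#define PKT_BUF_SIZE 64
typedef struct { uint8_t data[PKT_BUF_SIZE]; size_t used; } pkt_buf_t;

/* What memcpy() actually receives when a signed length is passed to its
 * size_t parameter: any negative len becomes a huge unsigned value. */
size_t len_as_size_t(int len) { return (size_t)len; }

/* Hardened append: reject the signed length before it is ever widened,
 * then check it against the remaining capacity. 0 = copied, -1 = rejected. */
int pkt_buf_append(pkt_buf_t *buf, const uint8_t *src, int len)
{
    if (len < 0)                                /* negative: would wrap */
        return -1;
    size_t n = (size_t)len;                     /* safe: len is non-negative */
    if (n > PKT_BUF_SIZE - buf->used)           /* no room for n bytes */
        return -1;
    memcpy(buf->data + buf->used, src, n);
    buf->used += n;
    return 0;
}

/* Feeds a constructed sequence of lengths (valid, negative, oversized) to the
 * hardened routine and returns how many were rejected. */
int demo_rejected_count(void)
{
    static const int lens[] = { 10, -4, 60, 54, 1 };
    uint8_t src[PKT_BUF_SIZE];
    pkt_buf_t buf = { {0}, 0 };
    int rejected = 0;
    memset(src, 0xAB, sizeof src);              /* constructed payload bytes */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        if (pkt_buf_append(&buf, src, lens[i]) != 0)
            rejected++;
    return rejected;                            /* -4, 60 and the final 1 */
}

int main(void)
{
    printf("memcpy would see len=-1 as %zu bytes\n", len_as_size_t(-1));
    printf("hardened routine rejected %d of 5 appends\n", demo_rejected_count());
    return 0;
}
```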

Comment 1 Sam Fowler 2018-07-24 05:14:35 UTC
Acknowledgments:

Name: Arash Tohidi

Comment 2 Prasad Pandit 2018-10-18 10:11:06 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1640543]

Comment 6 Prasad Pandit 2018-11-29 08:53:14 UTC
*** Bug 1607666 has been marked as a duplicate of this bug. ***

Comment 7 Prasad Pandit 2018-11-29 08:53:55 UTC
*** Bug 1608611 has been marked as a duplicate of this bug. ***

Comment 8 Prasad Pandit 2018-11-29 08:54:08 UTC
*** Bug 1608610 has been marked as a duplicate of this bug. ***