Bug 1609015 (CVE-2018-18438)
Summary: | CVE-2018-18438 Qemu: Integer overflow in ccid_card_vscard_read() allows memory corruption | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED NOTABUG | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | unspecified | CC: | amit, apevec, areis, berrange, cfergeau, chrisw, dwmw2, itamar, jen, jforbes, jjoyce, jschluet, kbasil, knoel, lhh, lpeer, markmc, m.a.young, mburns, mkenneth, mrezanin, mst, pbonzini, philmd, ppandit, rbalakri, rbryant, rjones, robinlee.sysu, sclewis, security-response-team, slinaber, srevivo, tburke, tdecacqu, tohidi.arash, virt-maint, virt-maint
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2019-05-03 16:26:09 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1640005, 1640006, 1640007, 1640008, 1640009, 1640010, 1640011, 1640012, 1640013, 1640019, 1640020 | |
Bug Blocks: | 1613564 | |
Description
Laura Pardo
2018-07-26 18:06:38 UTC
Acknowledgments:

Name: Arash Tohidi

The overflowed argument in ccid_card_vscard_read() is "int size". Another memory corruption may happen if a specially crafted buffer is fed to buf, which will be passed to ccid_card_vscard_handle_message() and eventually will result in another memory overwrite by calling memcpy().

External References:

https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg02396.html

Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1640019]

The maintainer audited the code and cannot find that memory corruption happens (see bug 1640020#c9). Since there is no known reproducer (see bug 1640020#c7), all those issues have been closed as NOTABUG.

Statement:

The maintainer audited the code and determined that no memory corruption is possible using this flaw. Patches were applied upstream to prevent future changes introducing such flaws, but the issues identified by this CVE were determined to not constitute a vulnerability.
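Added example (not code from QEMU, from the reporter, or from the upstream patch): the two checkpoints the report names, a read callback with an `int size` argument that appends into a fixed buffer, and a handler that memcpy()s a length-prefixed payload out of that buffer, written with the bounds checks a reviewer would expect at each. It illustrates the generic hazard of a signed size check beside its overflow-safe form; it does not reproduce any QEMU defect, which the maintainer's audit recorded above did not find. `RX_CAP`, `MAX_PAYLOAD`, `struct rx_buffer`, `struct msg_hdr`, the wire format, `feed_and_handle` and the sample messages are this example's own assumptions, not identifiers from hw/usb/ccid-card-passthru.c.

```c
/* Added example, not QEMU code. A fixed-size receive buffer filled by a
 * chardev-style read callback taking `int size`, and a handler copying a
 * length-prefixed payload out of it. All names and the message format are
 * constructed for this example (assumptions), not ccid-card-passthru's. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RX_CAP      64   /* receive buffer capacity (constructed) */
#define MAX_PAYLOAD 32   /* capacity of the per-message destination */

struct rx_buffer {
    uint8_t data[RX_CAP];
    int     pos;         /* bytes currently buffered */
};

/* Naive room check as a signed expression. A negative `size` (which an int
 * parameter can carry) makes pos + size small, the check passes, and a
 * following memcpy would receive (size_t)size, a huge value. Kept as a
 * predicate so the decision can be tested without performing a copy. */
bool naive_room_check(int pos, int size)
{
    return pos + size <= RX_CAP;
}

/* Hardened room check: reject negative sizes and an out-of-range pos, then
 * compare in size_t against the remaining room so nothing can wrap. */
bool checked_room_check(int pos, int size)
{
    if (size < 0 || pos < 0 || pos > RX_CAP) {
        return false;
    }
    return (size_t)size <= (size_t)(RX_CAP - pos);
}

/* Read-callback body using the hardened check. Returns the bytes accepted:
 * all of them, or 0 when the read would not fit (drop, do not truncate). */
int rx_append(struct rx_buffer *rx, const uint8_t *src, int size)
{
    if (!checked_room_check(rx->pos, size)) {
        return 0;
    }
    memcpy(rx->data + rx->pos, src, (size_t)size);
    rx->pos += size;
    return size;
}

/* Constructed wire format: 1-byte type, 2-byte little-endian length, then
 * `length` payload bytes. */
struct msg_hdr {
    uint8_t  type;
    uint16_t length;
};

/* Copy one message's payload into `out` (capacity MAX_PAYLOAD). Returns the
 * payload length, or -1 (header incomplete), -2 (payload not fully
 * buffered), -3 (payload larger than `out`). memcpy runs only after both
 * the bytes-available and destination-capacity checks pass, so a header
 * that lies about its length cannot drive the copy. */
int handle_message(const struct rx_buffer *rx, uint8_t *out)
{
    if (rx->pos < 3) {
        return -1;
    }
    struct msg_hdr hdr;
    hdr.type   = rx->data[0];
    hdr.length = (uint16_t)(rx->data[1] | (rx->data[2] << 8));
    if ((size_t)hdr.length > (size_t)(rx->pos - 3)) {
        return -2;
    }
    if (hdr.length > MAX_PAYLOAD) {
        return -3;
    }
    memcpy(out, rx->data + 3, hdr.length);
    (void)hdr.type;      /* a real handler would dispatch on the type */
    return hdr.length;
}

uint8_t last_payload[MAX_PAYLOAD];   /* payload of the last handled message */

/* Feed one read into a fresh buffer, then run the handler. Returns the
 * handler's result, or -100 if rx_append refused the read. */
int feed_and_handle(const uint8_t *bytes, int n)
{
    struct rx_buffer rx;
    memset(&rx, 0, sizeof rx);
    if (rx_append(&rx, bytes, n) != n) {
        return -100;
    }
    return handle_message(&rx, last_payload);
}

/* Constructed inputs: a well-formed message, and one whose header claims
 * 64 payload bytes while only 4 are present. */
const uint8_t MSG_GOOD[7] = { 0x01, 0x04, 0x00, 'a', 'b', 'c', 'd' };
const uint8_t MSG_LIES[7] = { 0x01, 0x40, 0x00, 'a', 'b', 'c', 'd' };

/* 40-byte payload, fully buffered (43 <= RX_CAP) but larger than `out`. */
int oversized_payload_case(void)
{
    uint8_t msg[43];
    memset(msg, 'x', sizeof msg);
    msg[0] = 0x02; msg[1] = 40; msg[2] = 0;
    return feed_and_handle(msg, (int)sizeof msg);
}

/* A single read larger than the whole buffer is refused by rx_append. */
int oversized_read_case(void)
{
    uint8_t msg[RX_CAP + 1] = { 0 };
    return feed_and_handle(msg, (int)sizeof msg);
}

int main(void)
{
    printf("naive check, size -1: %d; checked: %d\n",
           naive_room_check(0, -1), checked_room_check(0, -1));
    printf("good: %d, lying header: %d, oversized payload: %d, oversized read: %d\n",
           feed_and_handle(MSG_GOOD, 7), feed_and_handle(MSG_LIES, 7),
           oversized_payload_case(), oversized_read_case());
    return 0;
}
```

The point of the two predicates is that the signed comparison accepts a negative size while the size_t comparison against remaining room rejects it and also cannot wrap for large positive values; the handler then independently checks the claimed length against what is actually buffered and against the destination, which is the check that matters for the memcpy() the report refers to.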