Bug 1791551 (CVE-2020-7039)

Summary: CVE-2020-7039 QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu()
Product: [Other] Security Response Reporter: Prasad Pandit <ppandit>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: ailan, amit, areis, berrange, bmontgom, cfergeau, dbecker, drjones, dwmw2, eparis, imammedo, itamar, jburrell, jen, jferlan, jforbes, jjoyce, jnovy, jokerman, jschluet, kbasil, knoel, lhh, lpeer, lsm5, marcandre.lureau, m.a.young, mburns, mkenneth, mrezanin, mst, nstielau, pbonzini, pmatouse, rbalakri, ribarry, rjones, robinlee.sysu, sclewis, security-response-team, slinaber, sponnaga, virt-maint, virt-maint, vkuznets, xen-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libslirp-4.2.0 Doc Type: If docs needed, set a value
Doc Text:
A heap buffer overflow issue was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the tcp_emu() routine while emulating IRC and other protocols. An attacker could use this flaw to crash the QEMU process on the host, resulting in a denial of service or potential execution of arbitrary code with privileges of the QEMU process.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-02-04 14:10:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1791552, 1791558, 1791559, 1791560, 1791561, 1791562, 1791563, 1791564, 1791565, 1791566, 1791567, 1791568, 1791569, 1791570, 1791571, 1791572, 1791573, 1791574, 1791575, 1791576, 1791577, 1791578, 1791579, 1791580, 1793211, 1793944, 1796090, 1797568, 1797569, 1797570, 1797571, 1805591, 1856568    
Bug Blocks: 1737413    

Description Prasad Pandit 2020-01-16 07:51:49 UTC 
A heap buffer overflow issue was found in the SLiRP networking implementation
of the QEMU emulator. It occurs in tcp_emu() routine while emulating IRC and
other protocols.

A user/process could use this flaw to crash the Qemu process on the host
resulting in DoS or potentially execute arbitrary code with privileges of the 
QEMU process.

Upstream patch(es):
-------------------
  -> https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289
  -> https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9
  -> https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2020/01/16/2
Comment 1 Prasad Pandit 2020-01-16 07:51:55 UTC 
Acknowledgments:

Name: Vishnu Dev TJ
Comment 2 Prasad Pandit 2020-01-16 07:52:29 UTC 
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1791552]
Comment 6 Prasad Pandit 2020-01-16 09:11:03 UTC 
Mitigation:

This issue can only be resolved by applying updates.

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Comment 9 Joshua Padman 2020-01-17 01:13:49 UTC 
Statement:

This issue affects user-mode or SLiRP networking implementation of the QEMU emulator. Though qemu-kvm package is built with SLiRP networking support, due to its limitations, it is not used by the virtual machine guests by default.

This issue affects versions of the qemu-kvm package as shipped with Red Hat Enterprise Linux 5, 6, 7, 8 and Red Hat Enterprise Linux Advanced Virtualization 8. Future qemu-kvm package updates for Red Hat Enterprise Linux 6, 7, 8 and Red Hat Enterprise Linux Advanced Virtualization 8 may address this issue.

Red Hat Enterprise Linux 5 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This issue is currently not planned to be addressed in its future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Red Hat OpenStack Platform:                                                                                                                 
* This flaw impacts KVM user-mode or SLIRP networking, which is not used in Red Hat OpenStack Platform. Although updating is recommended for affected versions (see below), Red Hat OpenStack Platform environments are not vulnerable.
Comment 19 errata-xmlrpc 2020-02-04 12:26:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0348 https://access.redhat.com/errata/RHSA-2020:0348
Comment 20 Product Security DevOps Team 2020-02-04 14:10:20 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-7039
Comment 26 errata-xmlrpc 2020-03-10 11:33:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:0775 https://access.redhat.com/errata/RHSA-2020:0775
Comment 27 errata-xmlrpc 2020-03-17 17:56:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2020:0889 https://access.redhat.com/errata/RHSA-2020:0889
Comment 30 errata-xmlrpc 2020-03-31 19:23:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1116 https://access.redhat.com/errata/RHSA-2020:1116
Comment 31 errata-xmlrpc 2020-03-31 19:28:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1150 https://access.redhat.com/errata/RHSA-2020:1150
Comment 32 errata-xmlrpc 2020-04-01 07:44:51 UTC 
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.1.1

Via RHSA-2020:1261 https://access.redhat.com/errata/RHSA-2020:1261
Comment 34 errata-xmlrpc 2020-04-02 10:01:53 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2020:1296 https://access.redhat.com/errata/RHSA-2020:1296
Comment 35 errata-xmlrpc 2020-04-02 10:26:23 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2020:1300 https://access.redhat.com/errata/RHSA-2020:1300
Comment 36 errata-xmlrpc 2020-04-07 07:41:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:1344 https://access.redhat.com/errata/RHSA-2020:1344
Comment 37 errata-xmlrpc 2020-04-07 09:43:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:1351 https://access.redhat.com/errata/RHSA-2020:1351
Comment 38 errata-xmlrpc 2020-04-07 10:27:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:1352 https://access.redhat.com/errata/RHSA-2020:1352
Comment 39 errata-xmlrpc 2020-04-07 14:11:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1358 https://access.redhat.com/errata/RHSA-2020:1358
Comment 40 errata-xmlrpc 2020-04-07 14:11:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1360 https://access.redhat.com/errata/RHSA-2020:1360
Comment 44 errata-xmlrpc 2020-06-01 06:41:20 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.2

Via RHSA-2020:2342 https://access.redhat.com/errata/RHSA-2020:2342
Comment 45 errata-xmlrpc 2020-06-24 12:24:51 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)
  Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS

Via RHSA-2020:2730 https://access.redhat.com/errata/RHSA-2020:2730