Qemu block drivers for the parallels image format and the format used by Bochs are vulnerable to a crash caused by a possible division by zero error in the seek_to_sector routine. It could occur if the 's->tracks' and 's->extent_size' fields are 0. These are used to derive the 'index' and 'offset' values in the seek_to_sector() routine. A user able to alter the Qemu disk image could use this flaw to crash the Qemu instance, resulting in DoS.

Upstream fixes:
---------------
parallels: Sanity check for s->tracks
-> http://git.qemu.org/?p=qemu.git;a=commit;h=9302e863aa8baa5d932fc078967050c055fa1a7f

bochs: Check extent_size header field
-> http://git.qemu.org/?p=qemu.git;a=commit;h=8e53abbc20d08ae3ec30c2054e1161314ad9501d
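The following is an added, constructed C model of the parallels case described above; it is not QEMU's code and models only the two fields involved (tracks and a catalog). It shows where the divisor comes from an untrusted header, and the open-time sanity check that keeps seek_to_sector() from ever dividing by zero:

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified model of the parallels driver state (assumption:
 * field names mirror the report, not QEMU's real struct). */
typedef struct {
    uint32_t tracks;        /* sectors per track, read from the image header */
    uint32_t catalog_size;  /* number of catalog entries */
    uint32_t *catalog;      /* per-track sector offsets (0 = unallocated) */
} ParallelsState;

/* Validate untrusted header fields once, at open time. A tracks value of 0
 * would later be used as a divisor in seek_to_sector(), so reject it here. */
int parallels_check_header(ParallelsState *s, uint32_t tracks, uint32_t catalog_size)
{
    if (tracks == 0) {
        return -1;              /* invalid image: refuse to open it */
    }
    s->tracks = tracks;
    s->catalog_size = catalog_size;
    return 0;
}

/* Same shape as the routine in the report: index = sector / tracks and
 * offset = sector % tracks. Safe only because the header check ran first. */
int64_t seek_to_sector(const ParallelsState *s, int64_t sector_num)
{
    uint32_t index = sector_num / s->tracks;
    uint32_t offset = sector_num % s->tracks;
    if (index >= s->catalog_size || s->catalog[index] == 0) {
        return -1;              /* sector not allocated in this image */
    }
    return (int64_t)(s->catalog[index] + offset) * 512;
}

/* Constructed image: three catalog entries, entry 0 unallocated.
 * Returns -2 if the header is rejected, otherwise the seek result. */
int64_t probe_image(uint32_t header_tracks, int64_t sector_num)
{
    static uint32_t catalog[] = {0, 100, 200};
    ParallelsState s = {0, 0, catalog};
    if (parallels_check_header(&s, header_tracks, 3) < 0) {
        return -2;
    }
    return seek_to_sector(&s, sector_num);
}

int main(void)
{
    printf("tracks=0  -> %lld (rejected at open)\n", (long long)probe_image(0, 70));
    printf("tracks=64 -> byte offset %lld\n", (long long)probe_image(64, 70));
    return 0;
}
```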
Statement: This issue affects the versions of kvm package as shipped with Red Hat Enterprise Linux 5. This issue affects the versions of qemu-kvm package as shipped with Red Hat Enterprise Linux 6.
Acknowledgement: These issues were discovered by Kevin Wolf of Red Hat Inc.
Created qemu tracking bugs for this issue: Affects: fedora-all [bug 1086710]
This issue has been addressed in the following products: RHEV-H and Agents for RHEL-6 Via RHSA-2014:0421 https://rhn.redhat.com/errata/RHSA-2014-0421.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2014:0420 https://rhn.redhat.com/errata/RHSA-2014-0420.html
This issue has been addressed in the following products: OpenStack 3 for RHEL 6 Via RHSA-2014:0435 https://rhn.redhat.com/errata/RHSA-2014-0435.html
This issue has been addressed in the following products: OpenStack 4 for RHEL 6 Via RHSA-2014:0434 https://rhn.redhat.com/errata/RHSA-2014-0434.html
qemu-1.6.2-4.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: RHEV-H and Agents for RHEL-6 Via RHSA-2014:0674 https://rhn.redhat.com/errata/RHSA-2014-0674.html