Bug 1422415 - (CVE-2017-2630) CVE-2017-2630 Qemu: nbd: oob stack write in client routine drop_sync
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20170203,repo...
Keywords: Security
Depends On: 1425302
Blocks: 1420238
Reported: 2017-02-15 04:47 EST by Prasad J Pandit
Modified: 2018-07-27 05:44 EDT (History)
Fixed In Version: qemu 2.9
Doc Type: Bug Fix
Doc Text:
A stack buffer overflow flaw was found in the Quick Emulator (QEMU) built with Network Block Device (NBD) client support. The flaw could occur while processing the server's response to an 'NBD_OPT_LIST' request. A malicious NBD server could use this issue to crash a remote NBD client, resulting in a denial of service, or potentially execute arbitrary code on the client host with the privileges of the QEMU process.
External Trackers
Tracker ID: Red Hat Product Errata RHSA-2017:2392
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: qemu-kvm-rhev security, bug fix, and enhancement update
Last Updated: 2017-08-01 16:04:36 EDT
Description Prasad J Pandit 2017-02-15 04:47:11 EST
Quick Emulator (Qemu) built with the Network Block Device (NBD) client support is
vulnerable to a stack buffer overflow issue. It could occur while processing the
server's response to a 'NBD_OPT_LIST' request.

A malicious NBD server could use this issue to crash a remote NBD client,
resulting in DoS, or potentially execute arbitrary code on the client host with
the privileges of the Qemu process.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg01246.html

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2017/02/15/2
Comment 5 Eric Blake 2017-03-07 11:51:32 EST
Latest upstream patch - hoping it will be merged for the release candidates
https://lists.gnu.org/archive/html/qemu-devel/2017-03/msg01455.html
Comment 6 Eric Blake 2017-03-15 16:50:30 EDT
Will be in qemu 2.9:

commit 2563c9c6b8670400c48e562034b321a7cf3d9a85
Author: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Date:   Tue Mar 7 09:16:27 2017 -0600

    nbd/client: fix drop_sync [CVE-2017-2630]
    
    Comparison symbol is misused. It may lead to memory corruption.
    Introduced in commit 7d3123e.
    
    Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
    Message-Id: <20170203154757.36140-6-vsementsov@virtuozzo.com>
    [eblake: add CVE details, update conditional]
    Signed-off-by: Eric Blake <eblake@redhat.com>
    Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
    Message-Id: <20170307151627.27212-1-eblake@redhat.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
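As an added illustration (not code from this bug report or from QEMU itself), the C below models the buffer-selection step in drop_sync that the commit message refers to: the length of the server's response decides between a fixed stack scratch buffer and a heap allocation, and with the comparison inverted it is the oversized responses that get routed into the stack buffer. The buffer sizes, names and the exact shape of the conditional are assumptions modelled on QEMU 2.8, and the code only computes capacities; it never performs the overflowing write.

```c
#include <stdbool.h>
#include <stddef.h>

/* Assumed constants modelled on QEMU 2.8 nbd/client.c: a 1024-byte stack
 * scratch buffer and reads of at most 64 KiB per read_sync() call. */
#define SMALL_SIZE 1024u
#define CHUNK_MAX  65536u

#define MIN(a, b) ((a) < (b) ? (a) : (b))

struct choice {
    bool   on_stack;   /* true: the fixed stack buffer was selected */
    size_t capacity;   /* bytes the selected buffer can actually hold */
    size_t chunk;      /* bytes a single read would write into it */
};

/* Vulnerable form: the comparison is inverted, so responses *larger* than
 * the stack buffer are the ones that end up using it, while the small
 * responses needlessly go to the heap. */
static struct choice choose_buffer_vulnerable(size_t size)
{
    struct choice c;
    c.on_stack = SMALL_SIZE < size;                 /* misused comparison */
    c.capacity = c.on_stack ? SMALL_SIZE : MIN(CHUNK_MAX, size);
    c.chunk    = MIN(CHUNK_MAX, size);
    return c;
}

/* Fixed form (the shape of the upstream fix): only responses that fit in
 * the stack buffer use it; anything larger gets a heap buffer sized to
 * the read chunk, so the write can never exceed the buffer. */
static struct choice choose_buffer_fixed(size_t size)
{
    struct choice c;
    c.on_stack = SMALL_SIZE >= size;
    c.capacity = c.on_stack ? SMALL_SIZE : MIN(CHUNK_MAX, size);
    c.chunk    = MIN(CHUNK_MAX, size);
    return c;
}

/* The invariant a reviewer checks on such code: each read fits its buffer. */
static bool read_fits(struct choice c)
{
    return c.chunk <= c.capacity;
}
```

For a 4096-byte server response the vulnerable selection picks the 1024-byte stack buffer and then reads 4096 bytes into it; the fixed selection allocates a 4096-byte heap buffer instead.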
Comment 9 errata-xmlrpc 2017-08-02 00:49:28 EDT
This issue has been addressed in the following products:

  RHEV 4.X RHEV-H and Agents for RHEL-7

Via RHSA-2017:2392 https://access.redhat.com/errata/RHSA-2017:2392
