Bug 1443441 (CVE-2017-7718) - CVE-2017-7718 Qemu: display: cirrus: OOB read access issue
Summary: CVE-2017-7718 Qemu: display: cirrus: OOB read access issue
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-7718
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1443443 1443444 1443447 1443448 1443449 1443450 1443451 1443452 1443453 1443454 1443456 1443457 1443459 1443460 1443461 1443463 1443464 1445557
Blocks: 1432498
TreeView+ depends on / blocked
 
Reported: 2017-04-19 09:32 UTC by Prasad Pandit
Modified: 2021-02-17 02:16 UTC (History)
40 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
An out-of-bounds access issue was found in QEMU's Cirrus CLGD 54xx VGA Emulator support. The vulnerability could occur while copying VGA data using bitblt functions (for example, cirrus_bitblt_rop_fwd_transp_). A privileged user inside a guest could use this flaw to crash the QEMU process, resulting in denial of service.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:10:42 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1205 0 normal SHIPPED_LIVE Important: qemu-kvm-rhev security update 2017-05-09 15:07:02 UTC
Red Hat Product Errata RHSA-2017:1206 0 normal SHIPPED_LIVE Important: qemu-kvm security update 2017-05-09 16:29:49 UTC
Red Hat Product Errata RHSA-2017:1430 0 normal SHIPPED_LIVE Important: qemu-kvm security and bug fix update 2017-06-13 11:26:41 UTC
Red Hat Product Errata RHSA-2017:1431 0 normal SHIPPED_LIVE Important: qemu-kvm-rhev security and bug fix update 2017-06-13 11:16:36 UTC
Red Hat Product Errata RHSA-2017:1441 0 normal SHIPPED_LIVE Important: qemu-kvm-rhev security and bug fix update 2017-06-14 19:20:20 UTC

Description Prasad Pandit 2017-04-19 09:32:48 UTC
Quick emulator(Qemu) built with the Cirrus CLGD 54xx VGA Emulator support is
vulnerable to an out-of-bounds access issue. It could occur while copying
VGA data via bitblt functions cirrus_bitblt_rop_fwd_transp_ and/or
cirrus_bitblt_rop_fwd_.

A privileged user inside guest could use this flaw to crash the Qemu process
resulting in DoS.

Upstream patch
--------------
  -> http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=215902d7b6fb50c6fc216fc74f770858278ed904

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2017/04/19/4

Comment 1 Prasad Pandit 2017-04-19 09:34:31 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1443444]

Comment 2 Prasad Pandit 2017-04-19 09:34:52 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1443443]

Comment 3 Prasad Pandit 2017-04-19 09:39:31 UTC
Acknowledgements:

Name: Jiangxin (PSIRT Huawei Inc.)

Comment 8 errata-xmlrpc 2017-05-09 11:08:31 UTC
This issue has been addressed in the following products:

  RHEV 3.X Hypervisor and Agents for RHEL-6

Via RHSA-2017:1205 https://access.redhat.com/errata/RHSA-2017:1205

Comment 9 errata-xmlrpc 2017-05-09 12:48:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:1206 https://access.redhat.com/errata/RHSA-2017:1206

Comment 17 errata-xmlrpc 2017-06-13 07:16:58 UTC
This issue has been addressed in the following products:

  RHEV 3.X Hypervisor and Agents for RHEL-7
  RHEV 4.X RHEV-H and Agents for RHEL-7

Via RHSA-2017:1431 https://access.redhat.com/errata/RHSA-2017:1431

Comment 18 errata-xmlrpc 2017-06-13 07:27:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1430 https://access.redhat.com/errata/RHSA-2017:1430

Comment 19 errata-xmlrpc 2017-06-14 15:34:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6

Via RHSA-2017:1441 https://access.redhat.com/errata/RHSA-2017:1441

Comment 20 Fedora Update System 2017-07-25 21:23:49 UTC
qemu-2.7.1-7.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.