Bug 1734745 (CVE-2019-14378) - CVE-2019-14378 QEMU: slirp: heap buffer overflow during packet reassembly
Summary: CVE-2019-14378 QEMU: slirp: heap buffer overflow during packet reassembly
Status: CLOSED ERRATA
Alias: CVE-2019-14378
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1734747 1734748 1734749 1734750 1734751 1734752 1734753 1734754 1734755 1735477 1735478 1735479 1735652 1735653 1735654 1755592 1755593 1755594 1755595 1757154 1757155 1768394 1825854 1825855 1825856 1825857 1825858 1825859 1825860 1825861 1825862 1825863 1825864 1825865
Blocks: 1727851
Reported: 2019-07-31 11:07 UTC by Prasad Pandit
Modified: 2021-02-16 21:36 UTC

Doc Text:
A heap buffer overflow issue was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the ip_reass() routine while reassembling incoming packets if the first fragment is bigger than the m->m_dat[] buffer. An attacker could use this flaw to crash the QEMU process on the host, resulting in a Denial of Service or potentially executing arbitrary code with privileges of the QEMU process.
Last Closed: 2019-10-23 12:51:12 UTC



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3893 0 None None None 2019-11-18 07:41:23 UTC
Red Hat Product Errata RHSA-2019:3179 0 None None None 2019-10-22 15:24:03 UTC
Red Hat Product Errata RHSA-2019:3403 0 None None None 2019-11-05 20:46:38 UTC
Red Hat Product Errata RHSA-2019:3494 0 None None None 2019-11-05 21:01:54 UTC
Red Hat Product Errata RHSA-2019:3742 0 None None None 2019-11-06 15:20:07 UTC
Red Hat Product Errata RHSA-2019:3787 0 None None None 2019-11-07 13:45:58 UTC
Red Hat Product Errata RHSA-2019:3968 0 None None None 2019-11-26 13:57:15 UTC
Red Hat Product Errata RHSA-2019:4344 0 None None None 2019-12-20 16:49:51 UTC
Red Hat Product Errata RHSA-2020:0366 0 None None None 2020-02-04 19:29:41 UTC
Red Hat Product Errata RHSA-2020:0775 0 None None None 2020-03-10 11:33:34 UTC
Red Hat Product Errata RHSA-2020:0889 0 None None None 2020-03-17 17:56:38 UTC
Red Hat Product Errata RHSA-2020:1216 0 None None None 2020-03-31 14:34:49 UTC
Red Hat Product Errata RHSA-2020:2065 0 None None None 2020-05-11 21:34:19 UTC
Red Hat Product Errata RHSA-2020:2126 0 None None None 2020-05-13 07:51:00 UTC
Red Hat Product Errata RHSA-2020:2342 0 None None None 2020-06-01 06:41:18 UTC

Description Prasad Pandit 2019-07-31 11:07:55 UTC
A heap buffer overflow issue was found in the SLiRP networking implementation
of the QEMU emulator. It occurs in the ip_reass() routine while reassembling
incoming packets, if the first fragment is bigger than the m->m_dat[] buffer.

A user/process could use this flaw to crash the QEMU process on the host,
resulting in DoS, or potentially execute arbitrary code with the privileges of
the QEMU process.

Upstream patch:
---------------
  -> https://gitlab.freedesktop.org/slirp/libslirp/commit/126c04acbabd7ad32c2b018fe10dfac2a3bc1210

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2019/08/01/2

Comment 1 Prasad Pandit 2019-07-31 11:08:03 UTC
Acknowledgments:

Name: Vishnu Dev

Comment 7 Prasad Pandit 2019-08-01 08:11:02 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1735654]

Comment 10 Summer Long 2019-08-05 04:42:35 UTC
Statement:

Red Hat OpenStack Platform:
* This flaw impacts KVM user-mode or SLIRP networking, which is not used in Red Hat OpenStack Platform. Although updating is recommended for affected versions (see below), Red Hat OpenStack Platform environments are not vulnerable.
* Because the flaw's impact is Low, it will not be fixed in Red Hat OpenStack Platform 9 which is retiring within a few weeks of the flaw's public date.

Comment 12 Prasad Pandit 2019-08-07 04:11:22 UTC
Mitigation:

There is no external mitigation to prevent this out-of-bounds heap memory access.
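
Because the statement above limits exposure to guests that use user-mode (SLiRP) networking and no external mitigation exists, the following added example (not part of the bug report or of QEMU) shows one way to triage which QEMU command lines attach a SLiRP backend until the errata are applied. The function names and sample command lines are constructed for illustration; the handling of the implicit default NIC is an assumption stated in the code.

```python
import glob

NET_OPTS = {"-netdev", "-net", "-nic"}

def backend_type(value):
    """Return the backend type of a -netdev/-net/-nic value, e.g. 'user'."""
    first = value.split(",", 1)[0]
    # Both "user,id=n0" and "type=user,id=n0" are accepted spellings.
    return first.split("=", 1)[1] if first.startswith("type=") else first

def uses_slirp(argv):
    """True if this QEMU argv would create a user-mode network backend."""
    # Accept single- and double-dash spellings ("--netdev" == "-netdev").
    args = ["-" + a.lstrip("-") if a.startswith("-") else a for a in argv]
    types = [backend_type(args[i + 1])
             for i, a in enumerate(args[:-1]) if a in NET_OPTS]
    if "user" in types:
        return True
    # Assumption: with no network option and no -nodefaults, QEMU creates
    # a default NIC backed by user-mode networking.
    return not types and "-nodefaults" not in args

def running_qemu_argvs():
    """Yield (pid, argv) for QEMU processes visible in /proc (Linux only)."""
    for path in glob.glob("/proc/[0-9]*/cmdline"):
        try:
            with open(path, "rb") as fh:
                argv = fh.read().decode(errors="replace").split("\0")[:-1]
        except OSError:
            continue  # process exited or is not readable
        if argv and "qemu" in argv[0].rsplit("/", 1)[-1]:
            yield path.split("/")[2], argv

# Constructed sample command lines (not taken from the bug report).
SAMPLES = {
    "explicit-user": ["qemu-system-x86_64", "-netdev", "user,id=n0",
                      "-device", "virtio-net-pci,netdev=n0"],
    "tap-only": ["qemu-system-x86_64", "-nodefaults", "-netdev",
                 "tap,id=n0,ifname=tap0", "-device", "e1000,netdev=n0"],
    "implicit-default": ["qemu-system-x86_64", "-m", "2048", "disk.img"],
    "nic-none": ["qemu-system-x86_64", "-nic", "none"],
}

if __name__ == "__main__":
    for name, argv in SAMPLES.items():
        print(f"sample {name}: slirp={uses_slirp(argv)}")
    for pid, argv in running_qemu_argvs():
        print(f"pid {pid}: slirp={uses_slirp(argv)}")
```

A guest flagged here is exposed only if its QEMU build predates the fixed packages listed in the errata on this page, so pair the result with a package version check.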

Comment 25 errata-xmlrpc 2019-10-22 15:24:00 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
  Red Hat Virtualization Engine 4.3

Via RHSA-2019:3179 https://access.redhat.com/errata/RHSA-2019:3179

Comment 26 Product Security DevOps Team 2019-10-23 12:51:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14378

Comment 29 errata-xmlrpc 2019-11-05 20:46:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3403 https://access.redhat.com/errata/RHSA-2019:3403

Comment 30 errata-xmlrpc 2019-11-05 21:01:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3494 https://access.redhat.com/errata/RHSA-2019:3494

Comment 31 errata-xmlrpc 2019-11-06 15:20:04 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 14.0 (Rocky)

Via RHSA-2019:3742 https://access.redhat.com/errata/RHSA-2019:3742

Comment 32 errata-xmlrpc 2019-11-07 13:45:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2019:3787 https://access.redhat.com/errata/RHSA-2019:3787

Comment 34 errata-xmlrpc 2019-11-26 13:57:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3968 https://access.redhat.com/errata/RHSA-2019:3968

Comment 37 errata-xmlrpc 2019-12-20 16:49:48 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2019:4344 https://access.redhat.com/errata/RHSA-2019:4344

Comment 38 errata-xmlrpc 2020-02-04 19:29:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0366 https://access.redhat.com/errata/RHSA-2020:0366

Comment 39 errata-xmlrpc 2020-03-10 11:33:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:0775 https://access.redhat.com/errata/RHSA-2020:0775

Comment 40 errata-xmlrpc 2020-03-17 17:56:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2020:0889 https://access.redhat.com/errata/RHSA-2020:0889

Comment 42 errata-xmlrpc 2020-03-31 14:34:41 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
  Red Hat Virtualization Engine 4.3

Via RHSA-2020:1216 https://access.redhat.com/errata/RHSA-2020:1216

Comment 44 errata-xmlrpc 2020-05-11 21:34:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:2065 https://access.redhat.com/errata/RHSA-2020:2065

Comment 45 errata-xmlrpc 2020-05-13 07:50:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:2126 https://access.redhat.com/errata/RHSA-2020:2126

Comment 46 errata-xmlrpc 2020-06-01 06:41:16 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.2

Via RHSA-2020:2342 https://access.redhat.com/errata/RHSA-2020:2342

