2129739 – (CVE-2022-3165) CVE-2022-3165 QEMU: VNC: integer underflow in vnc_client_cut_text_ext leads to CPU exhaustion

Bug 2129739 (CVE-2022-3165) - CVE-2022-3165 QEMU: VNC: integer underflow in vnc_client_cut_text_ext leads to CPU exhaustion

Summary: CVE-2022-3165 QEMU: VNC: integer underflow in vnc_client_cut_text_ext leads t...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-3165
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2129759 2129760 2129761
Blocks:	2118918
TreeView+	depends on / blocked

Reported:	2022-09-26 08:35 UTC by Mauro Matteo Cascella
Modified:	2023-06-29 10:40 UTC (History)
CC List:	25 users (show)
Fixed In Version:	qemu 7.2.0-rc0
Clone Of:
Environment:
Last Closed:	2023-05-17 01:43:09 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:2162	0	None	None	None	2023-05-09 07:13:07 UTC
Red Hat Product Errata	RHSA-2023:2757	0	None	None	None	2023-05-16 08:08:21 UTC

Description Mauro Matteo Cascella 2022-09-26 08:35:49 UTC

An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the extended format [1]. A malicious client could use this flaw to make QEMU unresponsive by sending a specially crafted payload message, resulting in a denial of service condition.

[1] https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#extended-clipboard-pseudo-encoding

Comment 1 Mauro Matteo Cascella 2022-09-26 08:37:56 UTC

Proposed patch:
https://lists.nongnu.org/archive/html/qemu-devel/2022-09/msg03948.html

Comment 2 Mauro Matteo Cascella 2022-09-26 09:26:17 UTC

Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 2129759]

Comment 4 Mauro Matteo Cascella 2022-10-17 08:04:23 UTC

Upstream commit:
https://gitlab.com/qemu-project/qemu/-/commit/d307040b18

Comment 6 errata-xmlrpc 2023-05-09 07:13:05 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2162 https://access.redhat.com/errata/RHSA-2023:2162

Comment 7 errata-xmlrpc 2023-05-16 08:08:18 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2757 https://access.redhat.com/errata/RHSA-2023:2757

Comment 8 Product Security DevOps Team 2023-05-17 01:43:06 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3165

Note You need to log in before you can comment on or make changes to this bug.

berrange
cfergeau
crobinso
ddepaula
eglynn
jen
jferlan
jjoyce
jmaloy
knoel
lhh
lkundrak
mburns
mcascell
mgarciac
mkenneth
mrezanin
mst
ondrejj
pbonzini
philmd
rjones
spower
virt-maint
virt-maint