Bug 1024972 – VUL-0: CVE-2017-2620: qemu,kvm: cirrus_bitblt_cputovideo does not check if memory region is safe (XSA-209)

Bug 1024972 - VUL-0: CVE-2017-2620: qemu,kvm: cirrus_bitblt_cputovideo does not check if memory region is safe (XSA-209)


Summary:	VUL-0: CVE-2017-2620: qemu,kvm: cirrus_bitblt_cputovideo does not check if me...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Bruce Rogers
QA Contact:	Security Team bot

URL:
Whiteboard:	.
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2017-02-13 09:50 UTC by Matthias Gerstner
Modified:	2019-02-14 14:26 UTC (History)
CC List:	5 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
cirrus-add-blit-is-unsafe-to-cirrus-bitblt-cputovideo.patch (1.84 KB, patch) 2017-02-21 12:17 UTC, Marcus Meissner	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Comment 2 Swamp Workflow Management 2017-02-13 23:00:28 UTC

bugbot adjusting priority

Comment 3 Marcus Meissner 2017-02-21 12:16:23 UTC

   Hello,

Quick emulator(Qemu) built with the Cirrus CLGD 54xx VGA Emulator support is 
vulnerable to an out-of-bounds access issue. It could occur while copying VGA 
data in cirrus_bitblt_cputovideo.

A privileged user inside guest could use this flaw to crash the Qemu process 
resulting in DoS OR potentially execute arbitrary code on the host with 
privileges of Qemu process on the host.

Reference:
----------
   -> https://bugzilla.redhat.com/show_bug.cgi?id=1420460

* 'CVE-2017-2620' has been assigned to this issue by Red Hat Inc.
* Attached herein is a proposed patch to fix this issue.

Thank you.

Comment 4 Marcus Meissner 2017-02-21 12:17:49 UTC

Created attachment 714876 [details]
cirrus-add-blit-is-unsafe-to-cirrus-bitblt-cputovideo.patch

cirrus-add-blit-is-unsafe-to-cirrus-bitblt-cputovideo.patch

from email

Comment 5 Swamp Workflow Management 2017-03-07 17:13:00 UTC

SUSE-SU-2017:0625-1: An update that solves 15 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1014702,1015169,1016779,1017081,1017084,1020491,1020589,1020928,1021129,1021195,1021481,1022541,1023004,1023053,1023073,1023907,1024972,1026583,977027
CVE References: CVE-2016-10028,CVE-2016-10029,CVE-2016-10155,CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620,CVE-2017-5525,CVE-2017-5526,CVE-2017-5552,CVE-2017-5578,CVE-2017-5667,CVE-2017-5856,CVE-2017-5857,CVE-2017-5898
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    qemu-2.6.2-41.9.1
SUSE Linux Enterprise Server 12-SP2 (src):    qemu-2.6.2-41.9.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    qemu-2.6.2-41.9.1

Comment 6 Bruce Rogers 2017-03-07 23:00:01 UTC

Fixed.

Comment 7 Swamp Workflow Management 2017-03-10 20:11:10 UTC

SUSE-SU-2017:0661-1: An update that solves 11 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1013285,1014109,1014111,1014702,1015048,1015169,1016779,1021129,1022541,1023004,1023053,1023907,1024972
CVE References: CVE-2016-10155,CVE-2016-9776,CVE-2016-9907,CVE-2016-9911,CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620,CVE-2017-5667,CVE-2017-5856,CVE-2017-5898
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    qemu-2.0.2-48.31.1
SUSE Linux Enterprise Server 12-LTSS (src):    qemu-2.0.2-48.31.1

Comment 8 Swamp Workflow Management 2017-03-16 17:10:45 UTC

openSUSE-SU-2017:0707-1: An update that solves 15 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1014702,1015169,1016779,1017081,1017084,1020491,1020589,1020928,1021129,1021195,1021481,1022541,1023004,1023053,1023073,1023907,1024972,1026583,977027
CVE References: CVE-2016-10028,CVE-2016-10029,CVE-2016-10155,CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620,CVE-2017-5525,CVE-2017-5526,CVE-2017-5552,CVE-2017-5578,CVE-2017-5667,CVE-2017-5856,CVE-2017-5857,CVE-2017-5898
Sources used:
openSUSE Leap 42.2 (src):    qemu-2.6.2-29.4, qemu-linux-user-2.6.2-29.1, qemu-testsuite-2.6.2-29.8

Comment 9 Swamp Workflow Management 2017-04-28 19:13:17 UTC

SUSE-SU-2017:1135-1: An update that solves 10 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1013285,1014109,1014111,1014702,1015048,1015169,1016779,1021129,1023004,1023053,1023907,1024972
CVE References: CVE-2016-10155,CVE-2016-9776,CVE-2016-9907,CVE-2016-9911,CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620,CVE-2017-5856,CVE-2017-5898
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    kvm-1.4.2-59.1

Comment 10 Swamp Workflow Management 2017-05-11 13:11:44 UTC

SUSE-SU-2017:1241-1: An update that solves 13 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1013285,1014109,1014111,1014702,1015048,1015169,1016779,1020491,1020589,1020928,1021129,1022541,1023004,1023053,1023907,1024972,937125
CVE References: CVE-2016-10155,CVE-2016-9776,CVE-2016-9907,CVE-2016-9911,CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620,CVE-2017-5525,CVE-2017-5526,CVE-2017-5667,CVE-2017-5856,CVE-2017-5898
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    qemu-2.3.1-32.11
SUSE Linux Enterprise Desktop 12-SP1 (src):    qemu-2.3.1-32.11

Comment 11 Swamp Workflow Management 2017-05-16 19:12:22 UTC

openSUSE-SU-2017:1312-1: An update that solves 13 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1013285,1014109,1014111,1014702,1015048,1015169,1016779,1020491,1020589,1020928,1021129,1022541,1023004,1023053,1023907,1024972,937125
CVE References: CVE-2016-10155,CVE-2016-9776,CVE-2016-9907,CVE-2016-9911,CVE-2016-9921,CVE-2016-9922,CVE-2017-2615,CVE-2017-2620,CVE-2017-5525,CVE-2017-5526,CVE-2017-5667,CVE-2017-5856,CVE-2017-5898
Sources used:
openSUSE Leap 42.1 (src):    qemu-2.3.1-25.1, qemu-linux-user-2.3.1-25.1, qemu-testsuite-2.3.1-25.1

Comment 12 Swamp Workflow Management 2017-11-24 20:14:15 UTC

SUSE-SU-2017:3084-1: An update that solves 33 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1013285,1014109,1014111,1014702,1015048,1016779,1020427,1021129,1021741,1023004,1023053,1023907,1024972,1025109,1028184,1028656,1030624,1031051,1034044,1034866,1034908,1035406,1035950,1037242,1038396,1039495,1042159,1042800,1042801,1043296,1045035,1046636,1047674,1048902,1049381,1049785,1056334,1057585,1062069,1063122
CVE References: CVE-2016-10155,CVE-2016-9602,CVE-2016-9603,CVE-2016-9776,CVE-2016-9907,CVE-2016-9911,CVE-2016-9921,CVE-2016-9922,CVE-2017-10664,CVE-2017-10806,CVE-2017-11334,CVE-2017-11434,CVE-2017-13672,CVE-2017-14167,CVE-2017-15038,CVE-2017-15289,CVE-2017-2615,CVE-2017-2620,CVE-2017-5579,CVE-2017-5856,CVE-2017-5898,CVE-2017-5973,CVE-2017-6505,CVE-2017-7471,CVE-2017-7493,CVE-2017-7718,CVE-2017-7980,CVE-2017-8086,CVE-2017-8309,CVE-2017-9330,CVE-2017-9373,CVE-2017-9375,CVE-2017-9503
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    kvm-1.4.2-53.11.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    kvm-1.4.2-53.11.1