Bug 11422

Summary: qemu new security issue CVE-2013-4344
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, tmb
Version: 3 Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/570339/
Whiteboard: MGA2TOO advisory MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
Source RPM: qemu-1.2.0-8.2.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-10-10 04:38:50 CEST
qemu 1.6.1 has been released, fixing a security issue with SCSI disk emulation:
http://lists.nongnu.org/archive/html/qemu-stable/2013-10/msg00022.html

According to Red Hat, this also affects older versions of qemu and qemu-kvm:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4344

qemu-1.6.1-1.mga4 has fixed this for Cauldron.

Mageia 2 and Mageia 3 are affected, but no patches are available for those qemu versions at this time.

David Walser 2013-10-10 04:38:59 CEST

Whiteboard: (none) => MGA2TOO

Comment 1 David Walser 2013-10-14 18:59:40 CEST
Fedora has issued an advisory for this on October 8:
https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119033.html

URL: (none) => http://lwn.net/Vulnerabilities/570339/

Comment 2 David Walser 2013-11-21 15:51:23 CET
Red Hat has issued an advisory for this today (November 21):
https://rhn.redhat.com/errata/RHSA-2013-1553.html

Patched packages uploaded for Mageia 2 and Mageia 3.

Please note that this is a high-severity security issue :o)

Advisory:
========================

Updated qemu packages fix security vulnerability:

A buffer overflow flaw was found in the way QEMU processed the SCSI "REPORT
LUNS" command when more than 256 LUNs were specified for a single SCSI
target. A privileged guest user could use this flaw to corrupt QEMU process
memory on the host, which could potentially result in arbitrary code
execution on the host with the privileges of the QEMU process
(CVE-2013-4344).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4344
https://rhn.redhat.com/errata/RHSA-2013-1553.html
========================

Updated packages in core/updates_testing:
========================
qemu-1.0-6.6.mga2
qemu-img-1.0-6.6.mga2
qemu-1.2.0-8.3.mga3
qemu-img-1.2.0-8.3.mga3

from SRPMS:
qemu-1.0-6.6.mga2.src.rpm
qemu-1.2.0-8.3.mga3.src.rpm

Assignee: bugsquad => qa-bugs

Dave Hodgins 2013-11-21 20:54:59 CET

CC: (none) => davidwhodgins
Whiteboard: MGA2TOO => MGA2TOO advisory

Comment 3 Dave Hodgins 2013-11-22 12:45:53 CET
Testing complete using virt-manager, on Mageia 2 and 3, i586 and x86_64.

Could someone from the sysadmin team push 11422.adv to updates?

Keywords: (none) => validated_update
Whiteboard: MGA2TOO advisory => MGA2TOO advisory MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
CC: (none) => sysadmin-bugs

Comment 4 Thomas Backlund 2013-11-22 20:22:44 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0341.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED