| Summary: | qemu new security issues (too many CVEs to mention) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | brtians1, davidwhodgins, sysadmin-bugs, tmb, wilcal.int |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/666755/ | ||
| Whiteboard: | has_procedure MGA5-32-OK MGA5-64-OK advisory | ||
| Source RPM: | qemu-2.1.3-2.7.mga5.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2015-11-30 13:00:42 CET
Ubuntu has issued an advisory for this today (December 3):
http://www.ubuntu.com/usn/usn-2828-1/

(In reply to David Walser from comment #0)
> There was also a CVE request for a third issue:
> http://openwall.com/lists/oss-security/2015/11/25/3

This one is CVE-2015-8345.

URL:
(none) =>
http://lwn.net/Vulnerabilities/666755/

CVE request for another issue:
http://openwall.com/lists/oss-security/2015/12/08/4

(In reply to David Walser from comment #2)
> CVE request for another issue:
> http://openwall.com/lists/oss-security/2015/12/08/4

This is CVE-2015-8504:
http://openwall.com/lists/oss-security/2015/12/08/7

Summary:
qemu new security issues CVE-2015-7504, CVE-2015-7512, and CVE-2015-8345 =>
qemu new security issues CVE-2015-7504, CVE-2015-7512, CVE-2015-8345, CVE-2015-8504

Another issue, CVE-2015-7549 has been announced:
http://openwall.com/lists/oss-security/2015/12/14/2

CVE request for yet another issue:
http://openwall.com/lists/oss-security/2015/12/14/9

Summary:
qemu new security issues CVE-2015-7504, CVE-2015-7512, CVE-2015-8345, CVE-2015-8504 =>
qemu new security issues CVE-2015-7504, CVE-2015-7512, CVE-2015-7549, CVE-2015-8345, CVE-2015-8504

(In reply to David Walser from comment #4)
> CVE request for yet another issue:
> http://openwall.com/lists/oss-security/2015/12/14/9

This is CVE-2015-8558:
http://openwall.com/lists/oss-security/2015/12/14/16

Summary:
qemu new security issues CVE-2015-7504, CVE-2015-7512, CVE-2015-7549, CVE-2015-8345, CVE-2015-8504 =>
qemu new security issues CVE-2015-7504, CVE-2015-7512, CVE-2015-7549, CVE-2015-8345, CVE-2015-8504, CVE-2015-8558

(In reply to David Walser from comment #3)
> (In reply to David Walser from comment #2)
> > CVE request for another issue:
> > http://openwall.com/lists/oss-security/2015/12/08/4
>
> This is CVE-2015-8504:
> http://openwall.com/lists/oss-security/2015/12/08/7

LWN reference:
http://lwn.net/Vulnerabilities/667759/

Fedora has issued an advisory for this today (December 14):
https://lists.fedoraproject.org/pipermail/package-announce/2015-December/173749.html

Severity:
normal =>
major

CVE request for yet another issue:
http://openwall.com/lists/oss-security/2015/12/15/4

(In reply to David Walser from comment #7)
> CVE request for yet another issue:
> http://openwall.com/lists/oss-security/2015/12/15/4

This is CVE-2015-8567 and CVE-2015-8568:
http://openwall.com/lists/oss-security/2015/12/15/10

Summary:
qemu new security issues CVE-2015-7504, CVE-2015-7512, CVE-2015-7549, CVE-2015-8345, CVE-2015-8504, CVE-2015-8558 =>
qemu new security issues CVE-2015-7504, CVE-2015-7512, CVE-2015-7549, CVE-2015-8345, CVE-2015-8504, CVE-2015-8558, CVE-2015-856[78]

yeah, and maybe some more are coming in a few days...

I will fix it up this weekend along with xen and kernel

CC:
(none) =>
tmb

CVE request for yet another issue:
http://openwall.com/lists/oss-security/2015/12/21/7

(In reply to David Walser from comment #10)
> CVE request for yet another issue:
> http://openwall.com/lists/oss-security/2015/12/21/7

This is CVE-2015-8613:
http://openwall.com/lists/oss-security/2015/12/22/1

Summary:
qemu new security issues CVE-2015-7504, CVE-2015-7512, CVE-2015-7549, CVE-2015-8345, CVE-2015-8504, CVE-2015-8558, CVE-2015-856[78] =>
qemu new security issues CVE-2015-7504, CVE-2015-7512, CVE-2015-7549, CVE-2015-8345, CVE-2015-8504, CVE-2015-8558, CVE-2015-856[78], CVE-2015-8613

CVE request for yet another issue:
http://openwall.com/lists/oss-security/2015/12/22/8

(In reply to David Walser from comment #12)
> CVE request for yet another issue:
> http://openwall.com/lists/oss-security/2015/12/22/8

This is CVE-2015-8619:
http://openwall.com/lists/oss-security/2015/12/23/1

Summary:
qemu new security issues CVE-2015-7504, CVE-2015-7512, CVE-2015-7549, CVE-2015-8345, CVE-2015-8504, CVE-2015-8558, CVE-2015-856[78], CVE-2015-8613 =>
qemu new security issues CVE-2015-7504, CVE-2015-7512, CVE-2015-7549, CVE-2015-8345, CVE-2015-8504, CVE-2015-8558, CVE-2015-856[78], CVE-2015-861[39]

heh, the CVEs keep coming :)

and xen project forgot their own embargo rules... a fun week...

but hopefully it now slows up so I can finish the updates :)

Cauldron updated to 2.5.0 that fixed:
- net: pcnet: add check to validate receive data size (CVE-2015-7504)
- net: pcnet: fix rx buffer overflow (CVE-2015-7512)
- net: eepro100: Prevent two endless loops (CVE-2015-8345)
- ui: vnc: avoid floating point exception (CVE-2015-8504)
- pci: msix: implement pba write (but read-only) (CVE-2015-7549)
- ehci: make idt processing more robust (CVE-2015-8558)

and added patches for:
- net: vmxnet3: memory leakage issue (CVE-2015-8567, CVE-2015-8568)
- scsi: initialise info object with appropriate size (CVE-2015-8613)
- hmp: avoid redundant null termination of buffer (CVE-2015-8619)

For mga5, all the above CVE fixes added as patches to:

SRPM:
qemu-2.1.3-2.8.mga5.src.rpm

i586:
qemu-2.1.3-2.8.mga5.i586.rpm
qemu-img-2.1.3-2.8.mga5.i586.rpm

x86_64:
qemu-2.1.3-2.8.mga5.x86_64.rpm
qemu-img-2.1.3-2.8.mga5.x86_64.rpm

Hardware:
i586 =>
All

Testing procedures:
https://bugs.mageia.org/show_bug.cgi?id=13096#c34
https://bugs.mageia.org/show_bug.cgi?id=6694#c3

Whiteboard:
(none) =>
has_procedure

Of course as soon as I pushed a build, a new security issue was posted...

So I pulled in that fix too:
- acpi: fix buffer overrun on migration (CVE pending)

So packages to test now are:

SRPM:
qemu-2.1.3-2.9.mga5.src.rpm

i586:
qemu-2.1.3-2.9.mga5.i586.rpm
qemu-img-2.1.3-2.9.mga5.i586.rpm

x86_64:
qemu-2.1.3-2.9.mga5.x86_64.rpm
qemu-img-2.1.3-2.9.mga5.x86_64.rpm

CVE request for the new issue tmb just mentioned:
http://openwall.com/lists/oss-security/2015/12/24/1

(In reply to David Walser from comment #18)
> CVE request for the new issue tmb just mentioned:
> http://openwall.com/lists/oss-security/2015/12/24/1

CVE-2015-8666:
http://openwall.com/lists/oss-security/2015/12/24/3

Summary:
qemu new security issues CVE-2015-7504, CVE-2015-7512, CVE-2015-7549, CVE-2015-8345, CVE-2015-8504, CVE-2015-8558, CVE-2015-856[78], CVE-2015-861[39] =>
qemu new security issues CVE-2015-7504, CVE-2015-7512, CVE-2015-7549, CVE-2015-8345, CVE-2015-8504, CVE-2015-8558, CVE-2015-856[78], CVE-2015-861[39], CVE-2015-8666

CVE request for yet another issue:
http://openwall.com/lists/oss-security/2015/12/28/6

I don't know if we have Rocker support in our build. It doesn't say how to tell.

(In reply to David Walser from comment #20)
> CVE request for yet another issue:
> http://openwall.com/lists/oss-security/2015/12/28/6
>
> I don't know if we have Rocker support in our build. It doesn't say how to tell.

CVE-2015-8701:
http://openwall.com/lists/oss-security/2015/12/29/1

Three more CVEs have been assigned. Since this hasn't been tested yet, it would be a good time to add the last four patches.

CVE-2015-8743:
http://openwall.com/lists/oss-security/2016/01/04/2

CVE-2015-8744:
http://openwall.com/lists/oss-security/2016/01/04/6

CVE-2015-8745:
http://openwall.com/lists/oss-security/2016/01/04/7
Thomas Backlund
2016-01-05 10:44:25 CET
Whiteboard:
has_procedure =>
has_procedure feedback

Yep, saw them last night... will fix today

And another one, CVE-2016-1568:
http://openwall.com/lists/oss-security/2016/01/09/2

CVE request for yet another issue:
http://openwall.com/lists/oss-security/2016/01/11/7

(In reply to David Walser from comment #25)
> CVE request for yet another issue:
> http://openwall.com/lists/oss-security/2016/01/11/7

CVE-2016-1714:
http://openwall.com/lists/oss-security/2016/01/12/10

(In reply to Thomas Backlund from comment #26)
> (In reply to David Walser from comment #25)
> > CVE request for yet another issue:
> > http://openwall.com/lists/oss-security/2016/01/11/7
>
> CVE-2016-1714:
> http://openwall.com/lists/oss-security/2016/01/12/10

This one only affects Mageia 5, not Cauldron.

rocker cve is cauldron only, and vmxnet3 and fw_cfg cve's are mga5 only, so:

Cauldron patched for:
- net: rocker: fix an incorrect array bounds check (CVE-2015-8701)
- net: ne2000: fix bounds check in ioport operations (CVE-2015-8743)
- ide: ahci: reset ncq object to unused on error (CVE-2016-1568)

And Mga5 is patched for:
- net/ne2000: fix bounds check in ioport operations (CVE-2015-8743)
- net/vmxnet3: Refine l2 header validation (CVE-2015-8744)
- net/vmxnet3: Support reading IMR registers on bar0 (CVE-2015-8745)
- ide: ahci: reset ncq object to unused on error (CVE-2016-1568)
- fw_cfg: add check to validate current (CVE-2016-1714)

SRPM:
qemu-2.1.3-2.10.mga5.src.rpm

i586:
qemu-2.1.3-2.10.mga5.i586.rpm
qemu-img-2.1.3-2.10.mga5.i586.rpm

x86_64:
qemu-2.1.3-2.10.mga5.x86_64.rpm
qemu-img-2.1.3-2.10.mga5.x86_64.rpm

Whiteboard:
has_procedure feedback =>
has_procedure

Full list of CVEs mentioned in this bug (now removed from subject):
CVE-2015-7504
CVE-2015-7512
CVE-2015-7549
CVE-2015-8345
CVE-2015-8504
CVE-2015-8558
CVE-2015-856[78]
CVE-2015-861[39]
CVE-2015-8666
CVE-2015-8701 (Cauldron only)
CVE-2015-874[3-5] (CVE-2015-8744 and CVE-2015-8745, Mageia 5 only)
CVE-2016-1568
CVE-2016-1714 (Mageia 5 only)

Summary:
qemu new security issues CVE-2015-7504, CVE-2015-7512, CVE-2015-7549, CVE-2015-8345, CVE-2015-8504, CVE-2015-8558, CVE-2015-856[78], CVE-2015-861[39], CVE-2015-8666 =>
qemu new security issues (too many CVEs to mention)

LWN reference for...
CVE-2015-7549
CVE-2015-8558
CVE-2015-8666
CVE-2015-8744
CVE-2015-8745:
http://lwn.net/Vulnerabilities/671631/

Fedora has issued an advisory for this today (January 12):
https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175380.html

Hi David - I wasn't able to find qemu-2.1.3.2.10 in my testing mirror. Can you try triggering it again, I'll snag it over the weekend.

tested prior version - it worked with test linux image.

CC:
(none) =>
brtians1

Resubmitted.

SRPM:
qemu-2.1.3-2.11.mga5.src.rpm

i586:
qemu-2.1.3-2.11.mga5.i586.rpm
qemu-img-2.1.3-2.11.mga5.i586.rpm

x86_64:
qemu-2.1.3-2.11.mga5.x86_64.rpm
qemu-img-2.1.3-2.11.mga5.x86_64.rpm

AMD Athlon(tm) 64 X2 Dual Core Processor 3800+
[root@localhost Downloads]# urpmi qemu
Package qemu-2.1.3-2.11.mga5.i586 is already installed
$ qemu-kvm slacko-5.7.0-PAE.iso
20 minutes later I get the screen.
"Welcome to Slacko Puppy 5.7.0!"
Seems to work as designed.
Calling other modules gets a response I'd expect
[brian@localhost ~]$ qemu-alpha
usage: qemu-alpha [options] program [arguments...]
Linux CPU emulator (compiled for alpha emulation)
Options and associated environment variables:
Argument Env-variable Description
-h print this help
-g port QEMU_GDB wait gdb connection to 'port'
-L path QEMU_LD_PREFIX set the elf interpreter prefix to 'path'
-s size QEMU_STACK_SIZE set the stack size to 'size' bytes
-cpu model QEMU_CPU select CPU (-cpu help for list)
-E var=value QEMU_SET_ENV sets targets environment variable (see below)
-U var QEMU_UNSET_ENV unsets targets environment variable (see below)
-0 argv0 QEMU_ARGV0 forces target process argv[0] to be 'argv0'
-r uname QEMU_UNAME set qemu uname release string to 'uname'
-B address QEMU_GUEST_BASE set guest_base address to 'address'
-R size QEMU_RESERVED_VA reserve 'size' bytes for guest virtual address space
-d item[,...] QEMU_LOG enable logging of specified items (use '-d help' for a list of items)
-D logfile QEMU_LOG_FILENAME write logs to 'logfile' (default stderr)
-p pagesize QEMU_PAGESIZE set the host page size to 'pagesize'
-singlestep QEMU_SINGLESTEP run in singlestep mode
-strace QEMU_STRACE log system calls
-version QEMU_VERSION display version information and exit
Defaults:
QEMU_LD_PREFIX = /usr/qemu-alpha
QEMU_STACK_SIZE = 8388608 byte
You can use -E and -U options or the QEMU_SET_ENV and
QEMU_UNSET_ENV environment variables to set and unset
environment variables for the target process.
It is possible to provide several variables by separating them
by commas in getsubopt(3) style. Additionally it is possible to
provide the -E and -U options multiple times.
The following lines are equivalent:
-E var1=val2 -E var2=val2 -U LD_PRELOAD -U LD_DEBUG
-E var1=val2,var2=val2 -U LD_PRELOAD,LD_DEBUG
QEMU_SET_ENV=var1=val2,var2=val2 QEMU_UNSET_ENV=LD_PRELOAD,LD_DEBUG
Note that if you provide several changes to a single variable
the last change will stay in effect.
[brian@localhost ~]$ /usr/bin/qemu-i386
usage: qemu-i386 [options] program [arguments...]
Linux CPU emulator (compiled for i386 emulation)
Options and associated environment variables:
Argument Env-variable Description
-h print this help
-g port QEMU_GDB wait gdb connection to 'port'
-L path QEMU_LD_PREFIX set the elf interpreter prefix to 'path'
-s size QEMU_STACK_SIZE set the stack size to 'size' bytes
-cpu model QEMU_CPU select CPU (-cpu help for list)
-E var=value QEMU_SET_ENV sets targets environment variable (see below)
-U var QEMU_UNSET_ENV unsets targets environment variable (see below)
-0 argv0 QEMU_ARGV0 forces target process argv[0] to be 'argv0'
-r uname QEMU_UNAME set qemu uname release string to 'uname'
-B address QEMU_GUEST_BASE set guest_base address to 'address'
-R size QEMU_RESERVED_VA reserve 'size' bytes for guest virtual address space
-d item[,...] QEMU_LOG enable logging of specified items (use '-d help' for a list of items)
-D logfile QEMU_LOG_FILENAME write logs to 'logfile' (default stderr)
-p pagesize QEMU_PAGESIZE set the host page size to 'pagesize'
-singlestep QEMU_SINGLESTEP run in singlestep mode
-strace QEMU_STRACE log system calls
-version QEMU_VERSION display version information and exit
Defaults:
QEMU_LD_PREFIX = /usr/qemu-i386
QEMU_STACK_SIZE = 8388608 byte
You can use -E and -U options or the QEMU_SET_ENV and
QEMU_UNSET_ENV environment variables to set and unset
environment variables for the target process.
It is possible to provide several variables by separating them
by commas in getsubopt(3) style. Additionally it is possible to
provide the -E and -U options multiple times.
The following lines are equivalent:
-E var1=val2 -E var2=val2 -U LD_PRELOAD -U LD_DEBUG
-E var1=val2,var2=val2 -U LD_PRELOAD,LD_DEBUG
QEMU_SET_ENV=var1=val2,var2=val2 QEMU_UNSET_ENV=LD_PRELOAD,LD_DEBUG
Note that if you provide several changes to a single variable
the last change will stay in effect.
I would say this is working

Whiteboard:
has_procedure =>
has_procedure MGA5-32-OK

In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
qemu qemu-img

default install of qemu qemu-img

[root@localhost wilcal]# urpmi qemu
Package qemu-1.6.2-1.12.mga4.i586 is already installed
[root@localhost wilcal]# urpmi qemu-img
Package qemu-img-1.6.2-1.12.mga4.i586 is already installed

create /home/wilcal/qemu_test
into that copy M5 KDE i586 boot.iso
change name to: boot_5_x86_64.iso
using a terminal in /home/wilcal/qemu_test run:
qemu-kvm -net user -net nic,model=virtio -cdrom boot_5_x86_64.iso -boot d -m 512
boot_5_x86_64 opens and runs. Choose HTTP server. Selected DHCP network connection.
Selected a mirror for Mageia 5. Stage2 is started. Install begins.

install qemu & qemu-img from updates_testing

[root@localhost wilcal]# urpmi qemu
Package qemu-2.1.3-2.11.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi qemu-img
Package qemu-img-2.1.3-2.11.mga5.x86_64 is already installed

using a terminal in /home/wilcal/qemu_test run:
qemu-kvm -net user -net nic,model=virtio -cdrom boot_5_x86_64.iso -boot d -m 512
boot_5_x86_64.iso opens and runs. Choose HTTP server. Selected DHCP network connection.
Selected a mirror for Mageia 5. Stage2 is started. Install begins.

[wilcal@localhost qemu_test]$ qemu-alpha
usage: qemu-alpha [options] program [arguments...]
Linux CPU emulator (compiled for alpha emulation)
Options and associated environment variables:
Argument Env-variable Description
-h print this help.......

CC:
(none) =>
wilcal.int
William Kenney
2016-01-16 19:17:09 CET
Whiteboard:
has_procedure MGA5-32-OK =>
has_procedure MGA5-32-OK MGA5-64-OK

I'd say this is good to go. You get the validation honors Brian.
Dave Hodgins
2016-01-17 00:46:13 CET
Keywords:
(none) =>
validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0023.html

Status:
NEW =>
RESOLVED

LWN reference for...
CVE-2015-8613
CVE-2015-8619
CVE-2015-8743
CVE-2016-1568
CVE-2016-1714:
http://lwn.net/Vulnerabilities/672331/

LWN reference for CVE-2015-8701:
http://lwn.net/Vulnerabilities/673466/ |
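
The following is an added example, not part of the bug report or of Mageia's tooling: a check that a package changelog names every CVE in the "Full list of CVEs" comment, expanding the bracket shorthand (`CVE-2015-856[78]`, `CVE-2015-874[3-5]`) used in the thread. The function names are hypothetical, the sample changelog is constructed from the fix descriptions quoted in the comments, and it is an assumption that the real package changelog cites CVE IDs the same way.

```shell
# Mageia 5 list as written in the bug (CVE-2015-8701 is Cauldron only, so omitted).
MGA5_CVES='CVE-2015-7504 CVE-2015-7512 CVE-2015-7549 CVE-2015-8345 CVE-2015-8504
CVE-2015-8558 CVE-2015-856[78] CVE-2015-861[39] CVE-2015-8666 CVE-2015-874[3-5]
CVE-2016-1568 CVE-2016-1714'

# Constructed sample changelog, built from the fix descriptions quoted in the thread.
SAMPLE_CHANGELOG='- net: pcnet: add check to validate receive data size (CVE-2015-7504)
- net: pcnet: fix rx buffer overflow (CVE-2015-7512)
- net: eepro100: Prevent two endless loops (CVE-2015-8345)
- ui: vnc: avoid floating point exception (CVE-2015-8504)
- pci: msix: implement pba write (but read-only) (CVE-2015-7549)
- ehci: make idt processing more robust (CVE-2015-8558)
- net: vmxnet3: memory leakage issue (CVE-2015-8567, CVE-2015-8568)
- scsi: initialise info object with appropriate size (CVE-2015-8613)
- hmp: avoid redundant null termination of buffer (CVE-2015-8619)
- acpi: fix buffer overrun on migration (CVE pending)
- net/ne2000: fix bounds check in ioport operations (CVE-2015-8743)
- net/vmxnet3: Refine l2 header validation (CVE-2015-8744)
- net/vmxnet3: Support reading IMR registers on bar0 (CVE-2015-8745)
- ide: ahci: reset ncq object to unused on error (CVE-2016-1568)
- fw_cfg: add check to validate current (CVE-2016-1714)'

# Expand one entry: a trailing [..] digit class becomes one ID per matching digit.
expand_cve() {
    pat=$1
    case $pat in
        *\[*\])
            prefix=${pat%%\[*}
            for d in 0 1 2 3 4 5 6 7 8 9; do
                # Unquoted $pat is used as a glob pattern by case.
                case "$prefix$d" in $pat) printf '%s\n' "$prefix$d" ;; esac
            done ;;
        *) printf '%s\n' "$pat" ;;
    esac
}

# Print every expected CVE ID that the changelog text ($1) does not mention.
missing_cves() (
    set -f   # keep the bracket entries from being globbed against files
    for entry in $MGA5_CVES; do expand_cve "$entry"; done |
    while read -r id; do
        printf '%s\n' "$1" | grep -qF -- "$id" || printf '%s\n' "$id"
    done
)

# On an installed system (assumption: the changelog cites CVE IDs):
#   missing_cves "$(rpm -q --changelog qemu)"
missing_cves "$SAMPLE_CHANGELOG"
```

On the constructed sample the only ID reported is CVE-2015-8666, because the acpi fix was recorded as "CVE pending" before the ID was assigned; a miss therefore means the entry needs a manual look, not that the patch is absent.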