Bug 11422 - qemu new security issue CVE-2013-4344
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/570339/
Whiteboard: MGA2TOO advisory MGA3-64-OK MGA3-32-O...
Keywords: validated_update
Reported: 2013-10-10 04:38 CEST by David Walser
Modified: 2013-11-22 20:22 CET
Source RPM: qemu-1.2.0-8.2.mga3.src.rpm

Description David Walser 2013-10-10 04:38:50 CEST
qemu 1.6.1 has been released, fixing a security issue with SCSI disk emulation:
http://lists.nongnu.org/archive/html/qemu-stable/2013-10/msg00022.html

According to Red Hat, this also affects older versions of qemu and qemu-kvm:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4344

qemu-1.6.1-1.mga4 has fixed this for Cauldron.

Mageia 2 and Mageia 3 are affected, but no patches are available for those qemu versions at this time.

David Walser 2013-10-10 04:38:59 CEST

Whiteboard: (none) => MGA2TOO

Comment 1 David Walser 2013-10-14 18:59:40 CEST
Fedora has issued an advisory for this on October 8:
https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119033.html

URL: (none) => http://lwn.net/Vulnerabilities/570339/

Comment 2 David Walser 2013-11-21 15:51:23 CET
Red Hat has issued an advisory for this today (November 21):
https://rhn.redhat.com/errata/RHSA-2013-1553.html

Patched packages uploaded for Mageia 2 and Mageia 3.

Please note that this is a high-severity security issue :o)

Advisory:
========================

Updated qemu packages fix security vulnerability:

A buffer overflow flaw was found in the way QEMU processed the SCSI "REPORT
LUNS" command when more than 256 LUNs were specified for a single SCSI
target. A privileged guest user could use this flaw to corrupt QEMU process
memory on the host, which could potentially result in arbitrary code
execution on the host with the privileges of the QEMU process
(CVE-2013-4344).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4344
https://rhn.redhat.com/errata/RHSA-2013-1553.html
========================

Updated packages in core/updates_testing:
========================
qemu-1.0-6.6.mga2
qemu-img-1.0-6.6.mga2
qemu-1.2.0-8.3.mga3
qemu-img-1.2.0-8.3.mga3

from SRPMS:
qemu-1.0-6.6.mga2.src.rpm
qemu-1.2.0-8.3.mga3.src.rpm

Assignee: bugsquad => qa-bugs

Dave Hodgins 2013-11-21 20:54:59 CET

CC: (none) => davidwhodgins
Whiteboard: MGA2TOO => MGA2TOO advisory

Comment 3 Dave Hodgins 2013-11-22 12:45:53 CET
Testing complete using virt-manager, on Mageia 2 and 3, i586 and x86_64.

Could someone from the sysadmin team push 11422.adv to updates?

Keywords: (none) => validated_update
Whiteboard: MGA2TOO advisory => MGA2TOO advisory MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
CC: (none) => sysadmin-bugs

Comment 4 Thomas Backlund 2013-11-22 20:22:44 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0341.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

