Two DoS security issues in Qemu were announced:
http://openwall.com/lists/oss-security/2015/03/24/4
http://openwall.com/lists/oss-security/2015/03/24/9

Both issues could allow the guest to crash the host via uncontrolled resource consumption. The first issue is pending a CVE, the second is CVE-2015-1779.

Patches to fix both are linked in the messages above. The first is an actual upstream commit, the second is a patch submission on upstream's devel list (I guess still pending inclusion upstream).

It's not clear which versions are affected.
CC: (none) => mageia
Assignee: bugsquad => joequant
I resynced with Fedora 21 and both issues now have upstream fixes included to fix them in qemu-2.1.3-1.mga5.

The Fedora 21 update is currently assigned to QA:
https://admin.fedoraproject.org/updates/qemu-2.1.3-5.fc21

The RedHat bugs for these issues are here:
https://bugzilla.redhat.com/show_bug.cgi?id=1204919
https://bugzilla.redhat.com/show_bug.cgi?id=1199572

They haven't addressed Fedora 20 yet (same version as Mageia 4), but the patch for the first issue applies with minimal rediffing effort and the patches for CVE-2015-1779 apply.
Version: Cauldron => 4
Patched package uploaded for Mageia 4.

Testing procedures:
https://bugs.mageia.org/show_bug.cgi?id=13096#c34
https://bugs.mageia.org/show_bug.cgi?id=6694#c3

Advisory:
========================

Updated qemu packages fix security vulnerabilities:

A denial of service flaw was found in the way QEMU handled malformed Physical Region Descriptor Table (PRDT) data sent to the host's IDE and/or AHCI controller emulation. A privileged guest user could use this flaw to crash the system (rhbz#1204919).

It was found that the QEMU's websocket frame decoder processed incoming frames without limiting resources used to process the header and the payload. An attacker able to access a guest's VNC console could use this flaw to trigger a denial of service on the host by exhausting all available memory and CPU (CVE-2015-1779).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1779
https://bugzilla.redhat.com/show_bug.cgi?id=1204919
https://bugzilla.redhat.com/show_bug.cgi?id=1199572
========================

Updated packages in core/updates_testing:
========================
qemu-1.6.2-1.8.mga4
qemu-img-1.6.2-1.8.mga4

from qemu-1.6.2-1.8.mga4.src.rpm
Assignee: joequant => qa-bugs
Whiteboard: (none) => has_procedure
Severity: normal => major
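The class of limit the advisory above says the websocket decoder lacked (CVE-2015-1779), as an added example that is not QEMU's code: a frame-header parser that bounds the header at the protocol maximum of 14 bytes (2 + 8-byte extended length + 4-byte mask) and refuses any payload above an assumed cap before any buffer is sized from the peer-supplied length. `MAX_PAYLOAD_LEN`, `ws_decode_header` and `ws_payload_len` are names chosen for this example.

```c
/* Added example, not QEMU's code: bounded WebSocket header decoder (cap assumed). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAX_PAYLOAD_LEN (1u << 20)  /* assumed cap: 1 MiB per frame */
enum ws_status { WS_OK = 0, WS_NEED_MORE = 1, WS_TOO_LARGE = 2, WS_BAD = 3 };
struct ws_frame {
    int fin, masked;
    uint8_t opcode, mask[4];
    uint64_t payload_len;
    size_t header_len;
};
/* Parse a client-to-server frame header from buf[0..len). Never allocates,
 * so a peer-chosen length cannot drive memory or CPU use. */
enum ws_status ws_decode_header(const uint8_t *buf, size_t len, struct ws_frame *f)
{
    size_t pos = 2; uint64_t plen;
    if (len < 2) return WS_NEED_MORE;
    memset(f, 0, sizeof(*f));
    f->fin = (buf[0] & 0x80) != 0;
    f->opcode = buf[0] & 0x0f;
    f->masked = (buf[1] & 0x80) != 0;
    plen = buf[1] & 0x7f;
    if (plen == 126) {                    /* 16-bit extended length */
        if (len < 4) return WS_NEED_MORE;
        plen = ((uint64_t)buf[2] << 8) | buf[3];
        pos = 4;
    } else if (plen == 127) {             /* 64-bit extended length */
        if (len < 10) return WS_NEED_MORE;
        plen = 0;
        for (int i = 0; i < 8; i++) plen = (plen << 8) | buf[2 + i];
        pos = 10;
    }
    /* Reject before any buffer is sized from the untrusted length. */
    if (plen > MAX_PAYLOAD_LEN) return WS_TOO_LARGE;
    if (!f->masked) return WS_BAD;        /* RFC 6455: client frames are masked */
    if (len < pos + 4) return WS_NEED_MORE;
    memcpy(f->mask, buf + pos, 4);
    f->payload_len = plen;
    f->header_len = pos + 4;
    return WS_OK;
}
/* Helper for checks: payload length on success, negative status otherwise. */
long long ws_payload_len(const uint8_t *buf, size_t len)
{
    struct ws_frame f;
    enum ws_status st = ws_decode_header(buf, len, &f);
    return st == WS_OK ? (long long)f.payload_len : -(long long)st;
}
```

The inputs in the checks are constructed frames; a frame whose 64-bit length field exceeds the cap is rejected after reading at most 10 bytes, so neither the header nor the claimed payload can grow the decoder's memory use.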
Testing on Mageia4x64 real hardware, using the procedure mentioned in comment 2 (https://bugs.mageia.org/show_bug.cgi?id=13096#c34)

From current packages
---------------------
qemu-1.6.2-1.7.mga4
qemu-img-1.6.2-1.7.mga4

Stage 2 of Mageia5 installation starting OK

To updated testing packages:
---------------------------
If I urpmi, it brings:
qemu-1.6.2-1.9.mga4
qemu-img-1.6.2-1.9.mga4
though I was expecting 1.6.2-1.8

Anyway, version 1.6.2-1.9 runs well, but are these the right packages to test?
CC: (none) => olchal
Indeed it is 1.9. My mistake :o) I forgot I had previously resynced with Fedora in SVN and had bumped the subrel then too.
Fedora has issued an advisory for this on April 4:
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/154656.html

Advisory:
========================

Updated qemu packages fix security vulnerabilities:

A denial of service flaw was found in the way QEMU handled malformed Physical Region Descriptor Table (PRDT) data sent to the host's IDE and/or AHCI controller emulation. A privileged guest user could use this flaw to crash the system (rhbz#1204919).

It was found that the QEMU's websocket frame decoder processed incoming frames without limiting resources used to process the header and the payload. An attacker able to access a guest's VNC console could use this flaw to trigger a denial of service on the host by exhausting all available memory and CPU (CVE-2015-1779).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1779
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/154656.html
URL: (none) => http://lwn.net/Vulnerabilities/640174/
Whiteboard: has_procedure => has_procedure mga4-64-ok
Validating. Advisory uploaded. Please push to 4 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-64-ok => has_procedure advisory mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0149.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
The rhbz#1204919 issue is now CVE-2014-9718:
http://openwall.com/lists/oss-security/2015/04/21/5

Updated advisory...

Advisory:
========================

Updated qemu packages fix security vulnerabilities:

A denial of service flaw was found in the way QEMU handled malformed Physical Region Descriptor Table (PRDT) data sent to the host's IDE and/or AHCI controller emulation. A privileged guest user could use this flaw to crash the system (CVE-2014-9718).

It was found that the QEMU's websocket frame decoder processed incoming frames without limiting resources used to process the header and the payload. An attacker able to access a guest's VNC console could use this flaw to trigger a denial of service on the host by exhausting all available memory and CPU (CVE-2015-1779).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9718
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1779
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/154656.html
Summary: qemu new DoS security issues (including CVE-2015-1779) => qemu new DoS security issues CVE-2014-9718 and CVE-2015-1779
(In reply to David Walser from comment #8)
> The rhbz#1204919 issue is now CVE-2014-9718:
> http://openwall.com/lists/oss-security/2015/04/21/5

LWN reference:
http://lwn.net/Vulnerabilities/644506/