SB2018080137 - Fedora 27 update for qemu
Published: August 1, 2018 Updated: April 24, 2025
Description
This security bulletin contains information about 9 security vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2017-16845)
The vulnerability allows a remote attacker to cause a DoS condition or execute arbitrary code on the target system. The weakness exists due to an out-of-bounds read. A remote attacker can cause the service to crash or execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
2) Divide by zero (CVE-ID: CVE-2017-17381)
The vulnerability allows an adjacent attacker to cause a DoS condition on the target system. The weakness exists due to a divide by zero when unsetting the vring alignment while updating Virtio rings. An adjacent attacker can cause the service to crash.
3) Out-of-bounds read (CVE-ID: CVE-2018-5683)
The vulnerability allows an adjacent low-privileged attacker to cause a DoS condition on the target system. The weakness exists in the vga_draw_text function due to an out-of-bounds read. A remote attacker can leverage improper memory address validation, trigger a memory error and cause the QEMU process to crash.
4) Memory corruption (CVE-ID: CVE-2018-7550)
The vulnerability allows an adjacent attacker to execute arbitrary code on the target system. The weakness exists in the load_multiboot function due to an out-of-bounds read or write. An adjacent attacker can load a kernel image during the boot process whose mh_load_end_addr address is greater than its mh_bss_end_addr address, trigger memory corruption and execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
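As an added example (not QEMU's code), the kind of header-consistency check that closes the gap described in item 4: the a.out-kludge fields must satisfy load_addr <= load_end_addr <= bss_end_addr before any size is derived from them, otherwise the unsigned subtraction wraps and the copy overruns the reserved kernel region. The treatment of zero-valued fields and of the file as starting at load_addr is a constructed simplification.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Resolve the optional fields and enforce load_addr <= load_end <= bss_end.
 * Returns false when the header is internally inconsistent. */
static bool mb_resolve(uint32_t load_addr, uint32_t load_end_addr,
                       uint32_t bss_end_addr, uint32_t file_size,
                       uint32_t *load_end, uint32_t *bss_end)
{
    uint32_t le = load_end_addr, be = bss_end_addr;

    /* Constructed simplification: 0 means "load to end of file", and the
     * image is treated as starting at load_addr. */
    if (le == 0) {
        if (file_size > UINT32_MAX - load_addr) return false; /* would wrap */
        le = load_addr + file_size;
    }
    if (be == 0) be = le;                           /* no bss segment */

    /* The ordering check is the point: without it, le - load_addr or
     * be - load_addr wraps to a huge value and a later copy overruns. */
    if (le < load_addr || be < le) return false;
    if (le - load_addr > file_size) return false;   /* more bytes than the file has */

    *load_end = le;
    *bss_end = be;
    return true;
}

/* Bytes copied from the image file, or -1 if the header is rejected. */
int64_t mb_load_size(uint32_t load_addr, uint32_t load_end_addr,
                     uint32_t bss_end_addr, uint32_t file_size)
{
    uint32_t le, be;
    if (!mb_resolve(load_addr, load_end_addr, bss_end_addr, file_size, &le, &be))
        return -1;
    return (int64_t)(le - load_addr);
}

/* Guest bytes reserved for the kernel (loaded part plus bss), or -1. */
int64_t mb_kernel_size(uint32_t load_addr, uint32_t load_end_addr,
                       uint32_t bss_end_addr, uint32_t file_size)
{
    uint32_t le, be;
    if (!mb_resolve(load_addr, load_end_addr, bss_end_addr, file_size, &le, &be))
        return -1;
    return (int64_t)(be - load_addr);
}
```

A header with load_end_addr 0x120000 and bss_end_addr 0x110000 (the shape named in item 4) is rejected with -1 instead of yielding a kernel size smaller than the load size.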
5) Out-of-bounds read (CVE-ID: CVE-2018-7858)
The vulnerability allows an adjacent attacker to cause a DoS condition on the target system. The weakness exists due to improper VGA display updates. An adjacent attacker can use incorrect region calculations during VGA display updates, trigger an out-of-bounds read and cause the service to crash.
6) Heap-based buffer overflow (CVE-ID: CVE-2018-11806)
The vulnerability allows a remote authenticated attacker to cause a DoS condition on the target system.
The vulnerability exists due to a heap-based buffer overflow caused by insufficient input validation of Slirp networking back-end packets processed by the m_cat function, as defined in the slirp/mbuf.c source code file. A remote attacker can send malformed, fragmented packets, trigger memory corruption and cause the QEMU process to crash.
7) Integer overflow (CVE-ID: CVE-2018-12617)
The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The vulnerability exists due to an integer overflow in qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent). A remote attacker can send a specially crafted QMP command (including guest-file-read with a large count value) to the agent via the listening socket, cause a g_malloc0() call to trigger a segmentation fault when trying to allocate a large memory chunk, and cause the service to crash.
8) Resource exhaustion (CVE-ID: CVE-2017-15119)
The vulnerability allows a remote attacker to cause a DoS condition on the target system. The weakness exists due to resource exhaustion when sending large option requests, making the server waste CPU time on reading up to 4GB per request. A remote attacker can cause the service to crash.
9) Stack-based buffer overflow (CVE-ID: CVE-2017-15118)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists in the network block device (NBD) server implementation due to a stack-based buffer overflow when handling malicious input. A remote unauthenticated attacker can send a large export-name request, trigger memory corruption and cause the service to crash or execute arbitrary code with elevated privileges.
Remediation
Install the update from the vendor's website.