Bugzilla – Bug 842006
VUL-1: CVE-2013-4344: XSA-65: xen: qemu SCSI REPORT LUNS buffer overflow
Last modified: 2015-04-22 11:06:29 UTC
public now, via oss-sec

Xen Security Advisory CVE-2013-4344 / XSA-65
version 2

qemu SCSI REPORT LUNS buffer overflow

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

qemu contains a possible buffer overflow in the SCSI code that implements the REPORT LUNS command. The buffer can be overflowed by creating a SCSI controller with more than 256 attached devices (such as disks) and sending a REPORT LUNS command with a short transfer buffer (less than 2056 bytes).

Xen systems do not use the qemu SCSI code by default.

IMPACT
======

On Xen systems where the device_model_args (or equivalent) parameters have been used to configure a SCSI controller for a guest, with more than 256 devices, a malicious guest might be able to escalate its privilege to that of the qemu process in the host (typically root).

VULNERABLE SYSTEMS
==================

Only Xen systems whose administrators have deliberately configured HVM guests to have emulated SCSI controllers, and where those guests are provided with more than 256 devices, are vulnerable.

We are not aware of any such systems.

MITIGATION AND RESOLUTION
=========================

Please refer to the advisories and information from the Qemu project.

If, during the embargo period, you have any questions about this advisory in the context of Xen, please contact the Xen Project Security Team.

CREDITS
=======

This issue was reported to us by the Qemu project.
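An added illustration, not code from QEMU, Xen or this bug report: a REPORT LUNS response builder that caps every write at the smaller of the 2056-byte response buffer and the transfer length the initiator asked for. The function names, the 300-device sample and the guard bytes are constructed for the example; the response layout (4-byte list length, 4 reserved bytes, 8 bytes per LUN) is assumed from the SCSI SPC specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RESP_BUF_SIZE 2056   /* 8-byte header + 256 eight-byte LUN entries */
#define LUN_ENTRY 8
#define DEMO_LUNS 300        /* constructed sample: more than 256 devices */

/* Hypothetical helper. Writes at most min(cap, alloc_len) bytes into out.
 * Returns the number of bytes written, or -1 if the header does not fit. */
int build_report_luns(uint8_t *out, size_t cap, size_t alloc_len,
                      const uint16_t *luns, size_t n_luns)
{
    size_t limit = alloc_len < cap ? alloc_len : cap;
    if (limit < 8) return -1;
    /* The length field describes all LUNs even when the data is truncated. */
    uint32_t list_len = (uint32_t)(n_luns * LUN_ENTRY);
    size_t fit = (limit - 8) / LUN_ENTRY;      /* whole entries that fit */
    if (fit > n_luns) fit = n_luns;
    memset(out, 0, 8 + fit * LUN_ENTRY);
    out[0] = (uint8_t)(list_len >> 24); out[1] = (uint8_t)(list_len >> 16);
    out[2] = (uint8_t)(list_len >> 8);  out[3] = (uint8_t)list_len;
    for (size_t i = 0; i < fit; i++) {
        uint8_t *e = out + 8 + i * LUN_ENTRY;
        if (luns[i] < 256) {
            e[1] = (uint8_t)luns[i];           /* peripheral addressing */
        } else {
            e[0] = (uint8_t)(0x40 | ((luns[i] >> 8) & 0x3f)); /* flat */
            e[1] = (uint8_t)(luns[i] & 0xff);
        }
    }
    return (int)(8 + fit * LUN_ENTRY);
}

/* Constructed driver: DEMO_LUNS devices, guard bytes placed after the buffer.
 * Returns bytes written, -1 on header failure, -2 if a guard byte changed. */
int demo(size_t alloc_len)
{
    uint8_t mem[RESP_BUF_SIZE + 16];
    uint16_t luns[DEMO_LUNS];
    memset(mem, 0xA5, sizeof mem);
    for (size_t i = 0; i < DEMO_LUNS; i++) luns[i] = (uint16_t)i;
    int n = build_report_luns(mem, RESP_BUF_SIZE, alloc_len, luns, DEMO_LUNS);
    for (size_t i = RESP_BUF_SIZE; i < sizeof mem; i++)
        if (mem[i] != 0xA5) return -2;
    return n;
}

int main(void) { printf("%d %d\n", demo(16), demo(4096)); return 0; }
```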
This is an autogenerated message for OBS integration: This bug (842006) was mentioned in https://build.opensuse.org/request/show/215063 13.1+12.3 / qemu+qemu-linux-user
@Charles This is really a narrow-band scenario. Is it even applicable for any SLE Xen version? If not I would suggest to close this bug.
(In reply to comment #4)
> @Charles
>
> This is really a narrow-band scenario. Is it even applicable for any SLE Xen
> version? If not I would suggest to close this bug.

All SLE versions prior to SLE12 use the legacy qemu for HVM guests. SLE11 SP3 allows the use of the newer qemu with HVM guests but it is considered 'technical preview' and is not the default. SLE12 Xen has the fix in its version of qemu.

It is applicable to the Xen version on os13.1 which uses qemu 1.3.1 for both HVM and PV guests.

I have taken the patch for os13.1 and SLE11 SP3 (even though it is not the default) just for completeness. I'm ok with closing it.
Closing as discussed.
Update released for: kvm, kvm-debuginfo, kvm-debugsource
Products:
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, s390x, x86_64)
SUSE-SU-2014:0623-1: An update that fixes 9 vulnerabilities is now available.
Category: security (important)
Bug References: 812983,817593,842006,864802,870439
CVE References: CVE-2013-2016,CVE-2013-4344,CVE-2013-4541,CVE-2014-0142,CVE-2014-0143,CVE-2014-0144,CVE-2014-0145,CVE-2014-0146,CVE-2014-0147
Sources used:
SUSE Linux Enterprise Server 11 SP3 (src): kvm-1.4.2-0.11.1
SUSE Linux Enterprise Desktop 11 SP3 (src): kvm-1.4.2-0.11.1
openSUSE-SU-2014:1279-1: An update that solves 10 vulnerabilities and has 8 fixes is now available.
Category: security (important)
Bug References: 798770,820873,833483,842006,858178,862608,864801,865682,867910,878841,880751,881900,891539,895798,895799,895802,896023,897657
CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-2599,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188
Sources used:
openSUSE 12.3 (src): xen-4.2.4_04-1.32.1
openSUSE-SU-2014:1281-1: An update that solves 10 vulnerabilities and has four fixes is now available.
Category: security (important)
Bug References: 798770,820873,842006,864801,865682,875668,878841,880751,882127,895798,895799,895802,896023,897657
CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-3124,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188
Sources used:
openSUSE 13.1 (src): xen-4.3.2_02-27.1
SUSE-SU-2014:1318-1: An update that solves 10 vulnerabilities and has 7 fixes is now available.
Category: security (moderate)
Bug References: 798770,833483,842006,858178,862608,864801,865682,867910,878841,880751,881900,882092,891539,895798,895799,895802,897657
CVE References: CVE-2013-4344,CVE-2013-4540,CVE-2014-2599,CVE-2014-3967,CVE-2014-3968,CVE-2014-4021,CVE-2014-7154,CVE-2014-7155,CVE-2014-7156,CVE-2014-7188
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): xen-4.2.4_04-0.9.1
SUSE Linux Enterprise Server 11 SP3 (src): xen-4.2.4_04-0.9.1
SUSE Linux Enterprise Desktop 11 SP3 (src): xen-4.2.4_04-0.9.1
all updates released