864678 – (CVE-2013-4529) VUL-0: CVE-2013-4529: qemu: hw/pci/pcie_aer.c: buffer overrun on invalid state load

Bug 864678 (CVE-2013-4529) - VUL-0: CVE-2013-4529: qemu: hw/pci/pcie_aer.c: buffer overrun on invalid state load

Summary: VUL-0: CVE-2013-4529: qemu: hw/pci/pcie_aer.c: buffer overrun on invalid stat...

Status:	RESOLVED FIXED

Alias:	CVE-2013-4529

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other openSUSE 13.1

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Andreas Färber
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/96369/
Whiteboard:	maint:running:57292:moderate maint:re...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2014-02-19 16:48 UTC by Victor Pereira
Modified:	2016-07-07 17:25 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Victor Pereira 2014-02-19 16:48:54 UTC

CVE-2013-4529

Michael S. Tsirkin writes:

There are two issues in hw/pci/pcie_aer.c:
1. log_max from remote can be larger than on local then buffer will
   overrun with data coming from state file.
2. log_num can be larger then we get data corrution again with an
   overflow but not adversary controlled.

An user able to alter the savevm data (either on the disk or over the wire
during migration) could use this flaw to to corrupt QEMU process memory on
the (destination) host, which could potentially result in arbitrary code
execution on the host with the privileges of the QEMU process.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4529
https://bugzilla.redhat.com/show_bug.cgi?id=1066353

Comment 1 Swamp Workflow Management 2014-02-19 23:01:18 UTC

bugbot adjusting priority

Comment 3 Bernhard Wiedemann 2014-05-24 13:00:56 UTC

This is an autogenerated message for OBS integration:
This bug (864678) was mentioned in
https://build.opensuse.org/request/show/235281 Factory / qemu

Comment 4 Swamp Workflow Management 2014-06-18 13:48:45 UTC

Update released for: kvm, kvm-debuginfo, kvm-debugsource
Products:
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, s390x, x86_64)

Comment 5 Swamp Workflow Management 2014-06-18 17:05:45 UTC

SUSE-SU-2014:0816-1: An update that solves two vulnerabilities and has 20 fixes is now available.

Category: security (moderate)
Bug References: 864391,864649,864650,864653,864655,864665,864671,864673,864678,864682,864769,864796,864801,864802,864804,864805,864811,864812,864814,873235,874749,874788
CVE References: CVE-2014-0150,CVE-2014-2894
Sources used:
SUSE Linux Enterprise Server 11 SP3 (src):    kvm-1.4.2-0.15.2
SUSE Linux Enterprise Desktop 11 SP3 (src):    kvm-1.4.2-0.15.2

Comment 7 Johannes Segitz 2016-02-03 13:36:21 UTC

fixed everywhere

Comment 8 Swamp Workflow Management 2016-04-05 15:08:37 UTC

SUSE-SU-2016:0955-1: An update that solves 46 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 864391,864655,864673,864678,864682,864769,864805,864811,877642,897654,901508,902737,924018,928393,945404,945989,954872,956829,957162,957988,958007,958009,958491,958523,958917,959005,959387,959695,959928,960334,960707,960725,960835,960861,960862,961332,961358,961691,962320,963782,963923,964413,965315,965317,967012,967013,967630,967969,969121,969122,969350
CVE References: CVE-2013-4527,CVE-2013-4529,CVE-2013-4530,CVE-2013-4533,CVE-2013-4534,CVE-2013-4537,CVE-2013-4538,CVE-2013-4539,CVE-2014-0222,CVE-2014-3640,CVE-2014-3689,CVE-2014-7815,CVE-2014-9718,CVE-2015-1779,CVE-2015-5278,CVE-2015-6855,CVE-2015-7512,CVE-2015-7549,CVE-2015-8345,CVE-2015-8504,CVE-2015-8550,CVE-2015-8554,CVE-2015-8555,CVE-2015-8558,CVE-2015-8567,CVE-2015-8568,CVE-2015-8613,CVE-2015-8619,CVE-2015-8743,CVE-2015-8744,CVE-2015-8745,CVE-2015-8817,CVE-2015-8818,CVE-2016-1568,CVE-2016-1570,CVE-2016-1571,CVE-2016-1714,CVE-2016-1922,CVE-2016-1981,CVE-2016-2198,CVE-2016-2270,CVE-2016-2271,CVE-2016-2391,CVE-2016-2392,CVE-2016-2538,CVE-2016-2841
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_02-32.1
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_02-32.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    xen-4.4.4_02-32.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_02-32.1

Comment 9 Swamp Workflow Management 2016-07-06 09:09:57 UTC

SUSE-SU-2016:1745-1: An update that solves 35 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 864391,864655,864673,864678,864682,864769,864805,864811,877642,897654,901508,902737,928393,945404,945989,954872,956829,957162,957988,958007,958009,958491,958523,959005,959695,959928,960707,960725,960861,960862,961332,961691,963782,965315,965317,967012,967013,967630,967969,969350
CVE References: CVE-2013-4527,CVE-2013-4529,CVE-2013-4530,CVE-2013-4533,CVE-2013-4534,CVE-2013-4537,CVE-2013-4538,CVE-2013-4539,CVE-2014-0222,CVE-2014-3640,CVE-2014-3689,CVE-2014-7815,CVE-2014-9718,CVE-2015-5278,CVE-2015-6855,CVE-2015-7512,CVE-2015-8345,CVE-2015-8504,CVE-2015-8550,CVE-2015-8554,CVE-2015-8555,CVE-2015-8558,CVE-2015-8743,CVE-2015-8745,CVE-2016-1568,CVE-2016-1570,CVE-2016-1571,CVE-2016-1714,CVE-2016-1981,CVE-2016-2270,CVE-2016-2271,CVE-2016-2391,CVE-2016-2392,CVE-2016-2538,CVE-2016-2841
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_20-24.9
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_20-24.9