Bugzilla – Bug 938344
VUL-0: CVE-2015-5154: qemu,kvm,xen: host code execution via IDE subsystem CD-ROM
Last modified: 2020-05-12 17:47:22 UTC
Patches apply to qemu as follows:

qemu/master (clean)
qemu/stable-2.2 (offset)
[...]
qemu/stable-1.3 (offset)
qemu/stable-1.2: patch 2 fails.

Patch 2 not required for <= 1.2: the function does not contain a return statement without an ide_atapi_cmd_ok call in these versions.

Patch 1 and 3 apply down to qemu/stable-0.12.

qemu/stable-0.11:
Patch 1 applies to hw/ide.c (different name)
Patch 3 applies to hw/ide.c (different name)

    patch hw/ide.c -i 1.patch
    patch hw/ide.c -i 3.patch

Please include LTSS targets in your submission.
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2015-07-23. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62217
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2015-07-23. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62220
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2015-07-23. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62221
The following maintenance requests have been submitted:
62680 - kvm package submitted to SUSE:SLE-11-SP3:Update
62682 - kvm package submitted to SUSE:SLE-11-SP4:Update
62688 - qemu package submitted to SUSE:SLE-12:Update

Xen packages have been submitted with the following SR/MR numbers.
SLE10-SP3: 62694
SLE10-SP4: 62696
SLE11-SP1: 62698
SLE11-SP1-Teradata: 62700
SLE11-SP2: 62702
SLE11-SP3: 62704
SLE11-SP4: 62706
SLE12: 62708

(In reply to Bruce Rogers from comment #10)
> The following maintenance requests have been submitted:
> 62680 - kvm package submitted to SUSE:SLE-11-SP3:Update
> 62682 - kvm package submitted to SUSE:SLE-11-SP4:Update
> 62688 - qemu package submitted to SUSE:SLE-12:Update

Could you please submit qemu/kvm for
SLE 10 SP3 Teradata / SLE 10 SP4 LTSS
SLE 11 SP1 Teradata / SLE 11 SP2 LTSS
Official advisory:

Xen Security Advisory CVE-2015-5154 / XSA-138

QEMU heap overflow flaw while processing certain ATAPI commands.

*** EMBARGOED UNTIL 2015-07-27 12:00 UTC ***

ISSUE DESCRIPTION
=================

The QEMU security team has predisclosed the following advisory:

A heap overflow flaw was found in the way QEMU's IDE subsystem handled I/O buffer access while processing certain ATAPI commands.

A privileged guest user in a guest with CDROM drive enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process corresponding to the guest.

IMPACT
======

An HVM guest which has access to an emulated IDE CDROM device (e.g. with a device with "devtype=cdrom", or the "cdrom" convenience alias, in the VBD configuration) can exploit this vulnerability to take over the qemu process elevating its privilege to that of the qemu process.

VULNERABLE SYSTEMS
==================

All Xen systems running x86 HVM guests without stubdomains which have been configured with an emulated CD-ROM driver model are vulnerable.

Systems using qemu-dm stubdomain device models (for example, by specifying "device_model_stubdomain_override=1" in xl's domain configuration files) are NOT vulnerable.

Both the traditional "qemu-xen" or upstream qemu device models are potentially vulnerable.

Systems running only PV guests are NOT vulnerable.

ARM systems are NOT vulnerable.

MITIGATION
==========

Avoiding the use of emulated CD-ROM devices altogether, by not specifying such devices in the domain configuration, will avoid this issue.

Enabling stubdomains will mitigate this issue, by reducing the escalation to only those privileges accorded to the service domain.

qemu-dm stubdomains are only available with the traditional "qemu-xen" version.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa138-qemut-{1,2}.patch     qemu-xen-traditional, Xen unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x
xsa138-qemuu-{1,2,3}.patch   qemu-upstream, xen unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x
xsa138-qemuu-{1,3}.patch     qemu-upstream, Xen 4.2.x

NOTE: xsa138-qemuu-2.patch is not required for Xen 4.2.x.

$ sha256sum xsa138*.patch
7e385455379d88658b8ab0d4c1effffe9af21fff2e1dc0fe51cacc779afc83a4  xsa138-qemut-1.patch
c9a89082e36a0646a6fe002c6892d966d415d11ad5cfdcfea7e9c8d7a3f1316c  xsa138-qemut-2.patch
a076808f543c82aeac2f0239a4a46d9baadcd4e4b0a2f9ae7ded99cf59cffde6  xsa138-qemuu-1.patch
ed16dca7d2c179d0931d6e2503264d6593547a803eb3f08f6db7fff2127509a9  xsa138-qemuu-2.patch
090bdec00ede1f0ace1af52833038a74971e060d0c176b42bfca08511d36c644  xsa138-qemuu-3.patch
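
The exposure conditions from the advisory's VULNERABLE SYSTEMS and MITIGATION sections, as an added example that is not part of the advisory or of any comment in this bug: a Python check that classifies an xl domain configuration as an HVM guest with an emulated CD-ROM and no stubdomain. It assumes the config uses Python-compatible `key = literal` syntax and that the guest type is set with `builder` or `type`; the function names, status strings and sample configs are constructed, and the `vdev:cdrom` suffix form is an assumption about legacy xl disk syntax not named in the advisory.

```python
import ast

# Constructed sample xl domain configs (illustrative, not from the advisory).
SAMPLES = {
    "hvm-cdrom": 'builder = "hvm"\ndisk = ["format=raw, vdev=hda, target=/dev/vg0/g1",\n'
                 '  "format=raw, vdev=hdc, access=ro, devtype=cdrom, target=/srv/iso/a.iso"]\n',
    "hvm-stubdom": 'type = "hvm"\ndevice_model_stubdomain_override = 1\n'
                   'disk = ["/srv/iso/a.iso,raw,hdc,ro,cdrom"]\n',
    "hvm-no-cd": 'builder = "hvm"\ndisk = ["/dev/cdrom-images/lv1,raw,hda,rw"]\n',
    "pv-guest": 'disk = ["/srv/iso/a.iso,raw,xvdc,ro,cdrom"]\n',
}

def load_xl_config(text):
    """Collect top-level `key = literal` assignments (assumes Python-compatible syntax)."""
    cfg = {}
    for node in ast.parse(text).body:
        if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            try:
                cfg[node.targets[0].id] = ast.literal_eval(node.value)
            except ValueError:
                continue  # value is not a plain literal; ignore it
    return cfg

def cdrom_disks(cfg):
    """Return the disk specs that declare an emulated CD-ROM device."""
    hits = []
    for spec in cfg.get("disk") or []:
        tokens = [t.strip().lower() for t in str(spec).split(",")]
        # "devtype=cdrom" and the "cdrom" alias are the forms the advisory names;
        # the ":cdrom" vdev suffix is an assumed legacy form.
        if any(t in ("cdrom", "devtype=cdrom") or t.endswith(":cdrom") for t in tokens):
            hits.append(spec)
    return hits

def assess(text):
    """Classify one domain config; returns (status, matching disk specs)."""
    cfg = load_xl_config(text)
    if "hvm" not in (cfg.get("builder"), cfg.get("type")):
        return "not-hvm", []            # PV guests are not affected
    hits = cdrom_disks(cfg)
    if not hits:
        return "no-emulated-cdrom", []  # mitigation: no CD-ROM configured
    if str(cfg.get("device_model_stubdomain_override", 0)) == "1":
        return "stubdomain", hits       # escalation limited to the stubdomain
    return "exposed", hits              # needs the patched qemu or a config change

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, *assess(text))
```

The check covers configuration exposure only; whether the installed qemu already carries the fix has to be established from the package version.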
is public
SUSE-SU-2015:1299-1: An update that solves two vulnerabilities and has one errata is now available. Category: security (important) Bug References: 925466,935634,938344 CVE References: CVE-2015-3259,CVE-2015-5154 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): xen-4.4.2_10-5.1 SUSE Linux Enterprise Server 11-SP4 (src): xen-4.4.2_10-5.1 SUSE Linux Enterprise Desktop 11-SP4 (src): xen-4.4.2_10-5.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): xen-4.4.2_10-5.1
SUSE-SU-2015:1302-1: An update that solves two vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 925466,935256,935634,938344 CVE References: CVE-2015-3259,CVE-2015-5154 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): xen-4.4.2_08-22.5.1 SUSE Linux Enterprise Server 12 (src): xen-4.4.2_08-22.5.1 SUSE Linux Enterprise Desktop 12 (src): xen-4.4.2_08-22.5.1
SUSE-SU-2015:1408-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 938344,939712 CVE References: CVE-2015-5154,CVE-2015-5165 Sources used: SUSE Linux Enterprise Server 11-SP2-LTSS (src): xen-4.1.6_08-17.1 SUSE Linux Enterprise Debuginfo 11-SP2 (src): xen-4.1.6_08-17.1
SUSE-SU-2015:1409-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 938344 CVE References: CVE-2015-5154 Sources used: SUSE Linux Enterprise Server 11-SP1-LTSS (src): kvm-0.12.5-1.30.2 SUSE Linux Enterprise Debuginfo 11-SP1 (src): kvm-0.12.5-1.30.2
SUSE-SU-2015:1421-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 938344,939712 CVE References: CVE-2015-5154,CVE-2015-5165 Sources used: SUSE Linux Enterprise Server 11-SP1-LTSS (src): xen-4.0.3_21548_18-29.1 SUSE Linux Enterprise Debuginfo 11-SP1 (src): xen-4.0.3_21548_18-29.1
SUSE-SU-2015:1426-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 932770,938344 CVE References: CVE-2015-3209,CVE-2015-5154 Sources used: SUSE Linux Enterprise Server 11-SP2-LTSS (src): kvm-0.15.1-0.32.2 SUSE Linux Enterprise Debuginfo 11-SP2 (src): kvm-0.15.1-0.32.2
SUSE-SU-2015:1455-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 938344 CVE References: CVE-2015-5154 Sources used: SUSE Linux Enterprise Server 11-SP4 (src): kvm-1.4.2-32.1 SUSE Linux Enterprise Desktop 11-SP4 (src): kvm-1.4.2-32.1
SUSE-SU-2015:1472-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 938344 CVE References: CVE-2015-5154 Sources used: SUSE Linux Enterprise Server 11-SP3 (src): kvm-1.4.2-0.22.34.3 SUSE Linux Enterprise Desktop 11-SP3 (src): kvm-1.4.2-0.22.34.3
SUSE-SU-2015:1479-1: An update that fixes 6 vulnerabilities is now available. Category: security (important) Bug References: 922709,932996,935634,938344,939709,939712 CVE References: CVE-2015-2751,CVE-2015-3259,CVE-2015-4164,CVE-2015-5154,CVE-2015-5165,CVE-2015-5166 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP3 (src): xen-4.2.5_12-15.1 SUSE Linux Enterprise Server 11-SP3 (src): xen-4.2.5_12-15.1 SUSE Linux Enterprise Desktop 11-SP3 (src): xen-4.2.5_12-15.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): xen-4.2.5_12-15.1
SUSE-SU-2015:1479-2: An update that fixes 6 vulnerabilities is now available. Category: security (important) Bug References: 922709,932996,935634,938344,939709,939712 CVE References: CVE-2015-2751,CVE-2015-3259,CVE-2015-4164,CVE-2015-5154,CVE-2015-5165,CVE-2015-5166 Sources used: SUSE Linux Enterprise Desktop 11-SP3 (src): xen-4.2.5_12-15.1
all things are in qa at least, so close
SUSE-SU-2015:1643-1: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 932770,932996,938344,939712 CVE References: CVE-2015-3209,CVE-2015-4164,CVE-2015-5154,CVE-2015-5165 Sources used: SUSE Linux Enterprise Server 10 SP4 LTSS (src): xen-3.2.3_17040_46-0.21.1
SUSE-SU-2015:1782-1: An update that solves 5 vulnerabilities and has 10 fixes is now available. Category: security (important) Bug References: 902737,928308,934506,934517,936537,937125,937572,938344,939216,943446,944017,945404,945778,945987,945989 CVE References: CVE-2014-7815,CVE-2015-5154,CVE-2015-5278,CVE-2015-5279,CVE-2015-6855 Sources used: SUSE Linux Enterprise Server 12 (src): qemu-2.0.2-48.9.1 SUSE Linux Enterprise Desktop 12 (src): qemu-2.0.2-48.9.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-11-25. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62332
openSUSE-SU-2015:1964-1: An update that solves 12 vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 877642,932267,938344,939709,939712,941074,944463,944697,947165,950367,950703,950705,950706,951845 CVE References: CVE-2014-0222,CVE-2015-4037,CVE-2015-5154,CVE-2015-5165,CVE-2015-5166,CVE-2015-5239,CVE-2015-6815,CVE-2015-7311,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971,CVE-2015-7972 Sources used: openSUSE 13.1 (src): xen-4.3.4_06-50.1
openSUSE-SU-2015:2003-1: An update that solves 13 vulnerabilities and has 9 fixes is now available. Category: security (important) Bug References: 877642,901488,907514,910258,918984,923967,925466,932267,935634,938344,939709,939712,944463,944697,945167,947165,949138,950367,950703,950705,950706,951845 CVE References: CVE-2014-0222,CVE-2015-3259,CVE-2015-4037,CVE-2015-5154,CVE-2015-5165,CVE-2015-5166,CVE-2015-5239,CVE-2015-6815,CVE-2015-7311,CVE-2015-7835,CVE-2015-7969,CVE-2015-7971,CVE-2015-7972 Sources used: openSUSE 13.2 (src): xen-4.4.3_02-30.1
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2016-01-26. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62448