qemu: CVE-2018-7550: i386: multiboot OOB access while loading kernel image


Debian Bug report logs - #892041


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 4 Mar 2018 13:15:12 UTC

Severity: important

Tags: patch, security, upstream

Found in version qemu/1:2.11+dfsg-1

Fixed in version qemu/1:2.12~rc3+dfsg-1

Done: Michael Tokarev <mjt@tls.msk.ru>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#892041; Package src:qemu. (Sun, 04 Mar 2018 13:15:14 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Sun, 04 Mar 2018 13:15:14 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: qemu: CVE-2018-7550: i386: multiboot OOB access while loading kernel image
Date: Sun, 04 Mar 2018 14:12:45 +0100
Source: qemu
Version: 1:2.11+dfsg-1
Severity: important
Tags: patch security upstream

Hi,

the following vulnerability was published for qemu.

CVE-2018-7550[0]:
| The load_multiboot function in hw/i386/multiboot.c in Quick Emulator
| (aka QEMU) allows local guest OS users to execute arbitrary code on
| the QEMU host via a mh_load_end_addr value greater than
| mh_bss_end_addr, which triggers an out-of-bounds read or write memory
| access.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7550
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7550
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1549798
[2] https://lists.gnu.org/archive/html/qemu-devel/2018-02/msg06890.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
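The condition quoted in the CVE text above, as an added example (not QEMU's code and not the upstream fix): a hypothetical validator for the Multiboot "a.out kludge" header fields that derives the number of bytes copied from the image and the size of the region the loaded kernel occupies, and rejects a header whose load_end_addr exceeds bss_end_addr or whose load range runs past the image. The struct and the functions mb_kludge_sizes and mb_kernel_bytes are assumptions made for this example; the field names follow the Multiboot specification.

```c
#include <stdbool.h>
#include <stdint.h>

/* Multiboot "a.out kludge" fields (spec names; QEMU calls them mh_*). */
struct mb_aout_kludge {
    uint32_t header_addr;   /* address the header has once loaded */
    uint32_t load_addr;     /* start of text+data in memory */
    uint32_t load_end_addr; /* end of text+data; 0 = rest of the file */
    uint32_t bss_end_addr;  /* end of bss; 0 = no bss */
};

/* Derive load_size (bytes copied from the image) and kernel_size (bytes the
 * loaded kernel occupies). Returns false for an inconsistent header; the
 * dangerous case is kernel_size < load_size, i.e. a buffer sized from
 * bss_end_addr receiving a copy sized from load_end_addr. */
bool mb_kludge_sizes(const struct mb_aout_kludge *h, uint32_t file_size,
                     uint32_t header_off, uint32_t *load_size,
                     uint32_t *kernel_size)
{
    uint32_t load_off, load_end, bss_end;

    if (header_off >= file_size) return false;      /* header outside image */
    /* header lies within text: load_addr <= header_addr, offset >= 0 */
    if (h->load_addr > h->header_addr) return false;
    if (h->header_addr - h->load_addr > header_off) return false;
    load_off = header_off - (h->header_addr - h->load_addr);
    load_end = h->load_end_addr ? h->load_end_addr
                                : h->load_addr + (file_size - load_off);
    if (load_end < h->load_addr) return false;      /* wrapped / ends early */
    if (load_end - h->load_addr > file_size - load_off) return false; /* EOF */

    bss_end = h->bss_end_addr ? h->bss_end_addr : load_end;
    if (bss_end < load_end) return false;           /* load_end > bss_end */

    *load_size = load_end - h->load_addr;
    *kernel_size = bss_end - h->load_addr;
    return true;
}

/* Scalar wrapper for quick checks: kernel size, or -1 if rejected. */
int64_t mb_kernel_bytes(uint32_t header_addr, uint32_t load_addr,
                        uint32_t load_end_addr, uint32_t bss_end_addr,
                        uint32_t file_size, uint32_t header_off)
{
    struct mb_aout_kludge h = { header_addr, load_addr, load_end_addr, bss_end_addr };
    uint32_t load_size, kernel_size;
    if (!mb_kludge_sizes(&h, file_size, header_off, &load_size, &kernel_size))
        return -1;
    return (int64_t)kernel_size;
}
```

The sample values in the checks below are constructed; a header with bss_end_addr below load_end_addr is rejected before any buffer is sized from it.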



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>:
Bug#892041; Package src:qemu. (Thu, 08 Mar 2018 21:03:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>. (Thu, 08 Mar 2018 21:03:03 GMT)


Message #10 received at 892041@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 892041@bugs.debian.org
Subject: Re: Bug#892041: qemu: CVE-2018-7550: i386: multiboot OOB access while loading kernel image
Date: Thu, 8 Mar 2018 21:59:19 +0100

On Sun, Mar 04, 2018 at 02:12:45PM +0100, Salvatore Bonaccorso wrote:
> [2] https://lists.gnu.org/archive/html/qemu-devel/2018-02/msg06890.html

Actual upstream patch according to
https://bugzilla.redhat.com/show_bug.cgi?id=1549798 is
https://lists.nongnu.org/archive/html/qemu-devel/2018-03/msg01885.html

Regards,
Salvatore



Added tag(s) pending. Request was from <mjt@tls.msk.ru> to control@bugs.debian.org. (Sun, 01 Apr 2018 12:57:02 GMT)


Reply sent to Michael Tokarev <mjt@tls.msk.ru>:
You have taken responsibility. (Thu, 12 Apr 2018 17:09:52 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 12 Apr 2018 17:09:52 GMT)


Message #17 received at 892041-close@bugs.debian.org:

From: Michael Tokarev <mjt@tls.msk.ru>
To: 892041-close@bugs.debian.org
Subject: Bug#892041: fixed in qemu 1:2.12~rc3+dfsg-1
Date: Thu, 12 Apr 2018 17:06:30 +0000
Source: qemu
Source-Version: 1:2.12~rc3+dfsg-1

We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 892041@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated qemu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 12 Apr 2018 19:04:03 +0300
Source: qemu
Binary: qemu qemu-system qemu-block-extra qemu-system-common qemu-system-misc qemu-system-arm qemu-system-mips qemu-system-ppc qemu-system-sparc qemu-system-x86 qemu-user qemu-user-static qemu-user-binfmt qemu-utils qemu-guest-agent qemu-kvm
Architecture: source
Version: 1:2.12~rc3+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Description:
 qemu       - fast processor emulator, dummy package
 qemu-block-extra - extra block backend modules for qemu-system and qemu-utils
 qemu-guest-agent - Guest-side qemu-system agent
 qemu-kvm   - QEMU Full virtualization on x86 hardware
 qemu-system - QEMU full system emulation binaries
 qemu-system-arm - QEMU full system emulation binaries (arm)
 qemu-system-common - QEMU full system emulation binaries (common files)
 qemu-system-mips - QEMU full system emulation binaries (mips)
 qemu-system-misc - QEMU full system emulation binaries (miscellaneous)
 qemu-system-ppc - QEMU full system emulation binaries (ppc)
 qemu-system-sparc - QEMU full system emulation binaries (sparc)
 qemu-system-x86 - QEMU full system emulation binaries (x86)
 qemu-user  - QEMU user mode emulation binaries
 qemu-user-binfmt - QEMU user mode binfmt registration for qemu-user
 qemu-user-static - QEMU user mode emulation binaries (static version)
 qemu-utils - QEMU utilities
Closes: 839695 851694 854959 860822 868030 872098 879193 879532 879534 879536 882136 884806 886532 886671 887207 887392 887892 891261 891375 892041 892497 892947 893767 894852
Changes:
 qemu (1:2.12~rc3+dfsg-1) unstable; urgency=medium
 .
   * new upstream 2.12 release (Release Candidate 3)
     Closes: #892041, CVE-2018-7550
     Closes: #884806, CVE-2017-15124
     Closes: #887392, CVE-2018-5683
     Closes: #892497, CVE-2018-7858
     Closes: #882136, CVE-2017-16845
     Closes: #886532, #892947, #891375, #887892, #860822, #851694
   * refresh local debian patches
   * d/rules: enable new system (hppa riscv32 riscv64) and
     user (aarch64_be xtensa xtensaeb riscv32 riscv64) targets
     Closes: #893767
   * fix d/source/options to match current reality
   * drop use-data-path.patch, upstream now has --firmwarepath= option
   * enable capstone disassembler library support
     (build-depend on libcapstone-dev)
   * debian/extract-config-opts: use tab for option / condition separator
   * qemu-block-extra: install only block modules
   * make the `qemu' metapackage a dummy, to remove it in a future release
   * do not suggest kmod, it is pointless
   * install /usr/bin/qemu-pr-helper to qemu-utils package
   * switch from sdl2 to gtk ui
     Closes: #839695, #886671, #879536, #879534, #879532, #879193, #894852
   * qemu-system-ppc: forgotten qemu-system-ppc64le.1 link
   * mention closing of #880582 by 2.11
   * package will be built against spice 0.14, so Closes: #854959
   * check sfdisk presence in qemu-make-debian-root (Closes: #872098)
   * check mke2fs presence in qemu-make-debian-root (Closes: #887207)
   * debian/binfmt-update-in: include forgotten hppa (Closes: #891261)
   * debian/TODO: removed some old ToDo items
   * use binfmt-support --fix-binary option (Closes: #868030)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 02 Jun 2018 07:28:12 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:49:39 2019; Machine Name: buxtehude
