Ubuntu
qemu-kvm package

image format input validation fixes tracking bug

Precise (12.04)
Bug #1322204

Bug #1322204 reported by Marc Deslauriers on 2014-05-22

256

This bug affects 1 person

	Status	Importance	Assigned to
qemu (Ubuntu)	Fix Released	Undecided	Unassigned
Lucid	Invalid	Undecided	Unassigned
Precise	Invalid	Undecided	Unassigned
Saucy	Won't Fix	Undecided	Marc Deslauriers
Trusty	Fix Released	Undecided	Unassigned
Utopic	Fix Released	Undecided	Unassigned
qemu-kvm (Ubuntu)	Invalid	Undecided	Unassigned
Lucid	Fix Released	Undecided	Marc Deslauriers
Precise	Fix Released	Undecided	Marc Deslauriers
Saucy	Invalid	Undecided	Unassigned
Trusty	Invalid	Undecided	Unassigned
Utopic	Invalid	Undecided	Unassigned

Bug Description

This bug tracks the QEMU image format input validation fixes:

parallels: Sanity check for s->tracks (CVE-2014-0142)
parallels: Fix catalog size integer overflow (CVE-2014-0143)
qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143)
qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145)
qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)
block: Limit request size (CVE-2014-0143)
dmg: prevent chunk buffer overflow (CVE-2014-0145)
dmg: sanitize chunk length and sectorcount (CVE-2014-0145)
qcow2: Fix new L1 table size check (CVE-2014-0143)
qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143)
qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147)
qcow2: Validate active L1 table offset and size (CVE-2014-0144)
qcow2: Validate snapshot table offset/size (CVE-2014-0144)
qcow2: Check refcount table size (CVE-2014-0144)
qcow2: Check backing_file_offset (CVE-2014-0144)
qcow2: Check header_length (CVE-2014-0144)
curl: check data size before memcpy to local buffer. (CVE-2014-0144)
vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148)
vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144)
vpc: Validate block size (CVE-2014-0142)
vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144)
bochs: Check extent_size header field (CVE-2014-0142)
bochs: Check catalog_size header field (CVE-2014-0143)
bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147)
block/cloop: refuse images with bogus offsets (CVE-2014-0144)
block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)
block/cloop: prevent offsets_size integer overflow (CVE-2014-0143)
block/cloop: validate block_size header field (CVE-2014-0144)

See:
http://www.openwall.com/lists/oss-security/2014/03/26/8

CVE References

Marc Deslauriers (mdeslaur) on 2014-05-22

Changed in qemu (Ubuntu Utopic):
status:	New → Fix Released
Changed in qemu (Ubuntu Trusty):
status:	New → Fix Released
Changed in qemu (Ubuntu Lucid):
status:	New → In Progress
Changed in qemu (Ubuntu Precise):
status:	New → In Progress
Changed in qemu (Ubuntu Saucy):
status:	New → In Progress
Changed in qemu (Ubuntu Lucid):
assignee:	nobody → Marc Deslauriers (mdeslaur)
Changed in qemu (Ubuntu Precise):
assignee:	nobody → Marc Deslauriers (mdeslaur)
Changed in qemu (Ubuntu Saucy):
assignee:	nobody → Marc Deslauriers (mdeslaur)
Changed in qemu (Ubuntu Lucid):
assignee:	Marc Deslauriers (mdeslaur) → nobody
status:	In Progress → Invalid
Changed in qemu (Ubuntu Precise):
assignee:	Marc Deslauriers (mdeslaur) → nobody
status:	In Progress → Invalid
Changed in qemu-kvm (Ubuntu Lucid):
assignee:	nobody → Marc Deslauriers (mdeslaur)
status:	New → In Progress
Changed in qemu-kvm (Ubuntu Precise):
assignee:	nobody → Marc Deslauriers (mdeslaur)
status:	New → In Progress
Changed in qemu-kvm (Ubuntu Saucy):
status:	New → Invalid
Changed in qemu-kvm (Ubuntu Trusty):
status:	New → Invalid
Changed in qemu-kvm (Ubuntu Utopic):
status:	New → Invalid

Revision history for this message

Launchpad Janitor (janitor) wrote on 2014-09-08:

This bug was fixed in the package qemu-kvm - 0.12.3+noroms-0ubuntu9.24

---------------
qemu-kvm (0.12.3+noroms-0ubuntu9.24) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service and possible code exection via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0142.patch: validate extent_size header field
      in block/bochs.c, validate s->tracks in block/parallels.c, validate
      block size in block/vpc.c, backport function to qemu-common.h,
      backport DIV_ROUND_UP to osdep.h.
    - CVE-2014-0142
  * SECURITY UPDATE: denial of service and possible code exection via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0143.patch: validate nb_sectors in
      block.c, validate catalog_size header field in block/bochs.c,
      prevent offsets_size integer overflow in block/cloop.c, fix catalog
      size integer overflow in block/parallels.c, validate new_l1_size in
      block/qcow2-cluster.c, use proper size in block/qcow2-refcount.c,
      check L1 snapshot table size in block/qcow2-snapshot.c, check active
      L1 table size in block/qcow2.c, define max size in block/qcow2.h.
    - CVE-2014-0143
  * SECURITY UPDATE: denial of service and possible code exection via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0144.patch: validate block sizes and offsets
      in block/cloop.c, check offset in block/curl.c, validate size in
      block/qcow2-refcount.c, check number of snapshots in
      block/qcow2-snapshot.c, check sizes and offsets in block/qcow2.c,
      move structs to block/qcow2.h, check sizes in block/vdi.c,
      prevent overflows in block/vpc.c.
    - CVE-2014-0144
  * SECURITY UPDATE: denial of service and possible code exection via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0145.patch: check chunk sizes in block/dmg.c,
      use correct size in block/qcow2-snapshot.c.
    - CVE-2014-0145
  * SECURITY UPDATE: denial of service and possible code exection via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0146.patch: calculate offsets properly in
      block/qcow2.c.
    - CVE-2014-0146
  * SECURITY UPDATE: denial of service and possible code exection via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0147.patch: use proper sizes in block/bochs.c.
    - CVE-2014-0147
  * SECURITY UPDATE: multiple buffer overflows on invalid state load
    - debian/patches: added large number of upstream patches pulled from
      git tree.
    - CVE-2013-4148
    - CVE-2013-4151
    - CVE-2013-4530
    - CVE-2013-4531
    - CVE-2013-4533
    - CVE-2013-4534
    - CVE-2013-4537
    - CVE-2013-4538
    - CVE-2013-4539
    - CVE-2013-4540
    - CVE-2013-6399
    - CVE-2014-0182
    - CVE-2014-0222
    - CVE-2014-0223
-- Marc Deslauriers <email address hidden> Tue, 12 Aug 2014 14:35:45 -0400

This bug was fixed in the package qemu-kvm - 0.12.3+noroms-0ubuntu9.24

---------------
qemu-kvm (0.12.3+noroms-0ubuntu9.24) lucid-security; urgency=medium

* SECURITY UPDATE: denial of service and possible code exection via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0142.patch: validate extent_size header field
      in block/bochs.c, validate s->tracks in block/parallels.c, validate
      block size in block/vpc.c, backport function to qemu-common.h,
      backport DIV_ROUND_UP to osdep.h.
    - CVE-2014-0142
  * SECURITY UPDATE: denial of service and possible code exection via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0143.patch: validate nb_sectors in
      block.c, validate catalog_size header field in block/bochs.c,
      prevent offsets_size integer overflow in block/cloop.c, fix catalog
      size integer overflow in block/parallels.c, validate new_l1_size in
      block/qcow2-cluster.c, use proper size in block/qcow2-refcount.c,
      check L1 snapshot table size in block/qcow2-snapshot.c, check active
      L1 table size in block/qcow2.c, define max size in block/qcow2.h.
    - CVE-2014-0143
  * SECURITY UPDATE: denial of service and possible code exection via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0144.patch: validate block sizes and offsets
      in block/cloop.c, check offset in block/curl.c, validate size in
      block/qcow2-refcount.c, check number of snapshots in
      block/qcow2-snapshot.c, check sizes and offsets in block/qcow2.c,
      move structs to block/qcow2.h, check sizes in block/vdi.c,
      prevent overflows in block/vpc.c.
    - CVE-2014-0144
  * SECURITY UPDATE: denial of service and possible code exection via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0145.patch: check chunk sizes in block/dmg.c,
      use correct size in block/qcow2-snapshot.c.
    - CVE-2014-0145
  * SECURITY UPDATE: denial of service and possible code exection via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0146.patch: calculate offsets properly in
      block/qcow2.c.
    - CVE-2014-0146
  * SECURITY UPDATE: denial of service and possible code exection via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0147.patch: use proper sizes in block/bochs.c.
    - CVE-2014-0147
  * SECURITY UPDATE: multiple buffer overflows on invalid state load
    - debian/patches: added large number of upstream patches pulled from
      git tree.
    - CVE-2013-4148
    - CVE-2013-4151
    - CVE-2013-4530
    - CVE-2013-4531
    - CVE-2013-4533
    - CVE-2013-4534
    - CVE-2013-4537
    - CVE-2013-4538
    - CVE-2013-4539
    - CVE-2013-4540
    - CVE-2013-6399
    - CVE-2014-0182
    - CVE-2014-0222
    - CVE-2014-0223
 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>   Tue, 12 Aug 2014 14:35:45 -0400

Changed in qemu-kvm (Ubuntu Lucid):
status:	In Progress → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2014-09-08:

This bug was fixed in the package qemu-kvm - 1.0+noroms-0ubuntu14.17

---------------
qemu-kvm (1.0+noroms-0ubuntu14.17) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service and possible code exection via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0142.patch: validate extent_size header field
      in block/bochs.c, validate s->tracks in block/parallels.c, validate
      block size in block/vpc.c, backport function to qemu-common.h.
    - CVE-2014-0142
  * SECURITY UPDATE: denial of service and possible code exection via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0143.patch: validate nb_sectors in
      block.c, validate catalog_size header field in block/bochs.c,
      prevent offsets_size integer overflow in block/cloop.c, fix catalog
      size integer overflow in block/parallels.c, validate new_l1_size in
      block/qcow2-cluster.c, use proper size in block/qcow2-refcount.c,
      check L1 snapshot table size in block/qcow2-snapshot.c, check active
      L1 table size in block/qcow2.c, define max size in block/qcow2.h.
    - CVE-2014-0143
  * SECURITY UPDATE: denial of service and possible code exection via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0144.patch: validate block sizes and offsets
      in block/cloop.c, check offset in block/curl.c, validate size in
      block/qcow2-refcount.c, check number of snapshots in
      block/qcow2-snapshot.c, check sizes and offsets in block/qcow2.c,
      move structs to block/qcow2.h, check sizes in block/vdi.c,
      prevent overflows in block/vpc.c.
    - CVE-2014-0144
  * SECURITY UPDATE: denial of service and possible code exection via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0145.patch: check chunk sizes in block/dmg.c,
      use correct size in block/qcow2-snapshot.c.
    - CVE-2014-0145
  * SECURITY UPDATE: denial of service and possible code exection via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0146.patch: calculate offsets properly in
      block/qcow2.c.
    - CVE-2014-0146
  * SECURITY UPDATE: denial of service and possible code exection via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0147.patch: use proper sizes in block/bochs.c,
      properly calculate refcounts in block/qcow2-refcount.c, block/qcow2.c.
    - CVE-2014-0147
  * SECURITY UPDATE: multiple buffer overflows on invalid state load
    - debian/patches: added large number of upstream patches pulled from
      git tree.
    - CVE-2013-4148
    - CVE-2013-4151
    - CVE-2013-4527
    - CVE-2013-4529
    - CVE-2013-4530
    - CVE-2013-4531
    - CVE-2013-4532
    - CVE-2013-4533
    - CVE-2013-4534
    - CVE-2013-4535
    - CVE-2013-4536
    - CVE-2013-4537
    - CVE-2013-4538
    - CVE-2013-4539
    - CVE-2013-4540
    - CVE-2013-4541
    - CVE-2013-6399
    - CVE-2014-0182
    - CVE-2014-0222
    - CVE-2014-0223
    - CVE-2014-3461
-- Marc Deslauriers <email address hidden> Tue, 12 Aug 2014 13:30:27 -0400

This bug was fixed in the package qemu-kvm - 1.0+noroms-0ubuntu14.17

---------------
qemu-kvm (1.0+noroms-0ubuntu14.17) precise-security; urgency=medium

* SECURITY UPDATE: denial of service and possible code exection via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0142.patch: validate extent_size header field
      in block/bochs.c, validate s->tracks in block/parallels.c, validate
      block size in block/vpc.c, backport function to qemu-common.h.
    - CVE-2014-0142
  * SECURITY UPDATE: denial of service and possible code exection via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0143.patch: validate nb_sectors in
      block.c, validate catalog_size header field in block/bochs.c,
      prevent offsets_size integer overflow in block/cloop.c, fix catalog
      size integer overflow in block/parallels.c, validate new_l1_size in
      block/qcow2-cluster.c, use proper size in block/qcow2-refcount.c,
      check L1 snapshot table size in block/qcow2-snapshot.c, check active
      L1 table size in block/qcow2.c, define max size in block/qcow2.h.
    - CVE-2014-0143
  * SECURITY UPDATE: denial of service and possible code exection via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0144.patch: validate block sizes and offsets
      in block/cloop.c, check offset in block/curl.c, validate size in
      block/qcow2-refcount.c, check number of snapshots in
      block/qcow2-snapshot.c, check sizes and offsets in block/qcow2.c,
      move structs to block/qcow2.h, check sizes in block/vdi.c,
      prevent overflows in block/vpc.c.
    - CVE-2014-0144
  * SECURITY UPDATE: denial of service and possible code exection via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0145.patch: check chunk sizes in block/dmg.c,
      use correct size in block/qcow2-snapshot.c.
    - CVE-2014-0145
  * SECURITY UPDATE: denial of service and possible code exection via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0146.patch: calculate offsets properly in
      block/qcow2.c.
    - CVE-2014-0146
  * SECURITY UPDATE: denial of service and possible code exection via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0147.patch: use proper sizes in block/bochs.c,
      properly calculate refcounts in block/qcow2-refcount.c, block/qcow2.c.
    - CVE-2014-0147
  * SECURITY UPDATE: multiple buffer overflows on invalid state load
    - debian/patches: added large number of upstream patches pulled from
      git tree.
    - CVE-2013-4148
    - CVE-2013-4151
    - CVE-2013-4527
    - CVE-2013-4529
    - CVE-2013-4530
    - CVE-2013-4531
    - CVE-2013-4532
    - CVE-2013-4533
    - CVE-2013-4534
    - CVE-2013-4535
    - CVE-2013-4536
    - CVE-2013-4537
    - CVE-2013-4538
    - CVE-2013-4539
    - CVE-2013-4540
    - CVE-2013-4541
    - CVE-2013-6399
    - CVE-2014-0182
    - CVE-2014-0222
    - CVE-2014-0223
    - CVE-2014-3461
 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>   Tue, 12 Aug 2014 13:30:27 -0400

Changed in qemu-kvm (Ubuntu Precise):
status:	In Progress → Fix Released

Marc Deslauriers (mdeslaur) on 2014-11-03

Changed in qemu (Ubuntu Saucy):
status:	In Progress → Won't Fix

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntuqemu-kvm package