image format input validation fixes tracking bug
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| qemu (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Lucid | Invalid | Undecided | Unassigned | |
| Precise | Invalid | Undecided | Unassigned | |
| Saucy | Won't Fix | Undecided | Marc Deslauriers | |
| Trusty | Fix Released | Undecided | Unassigned | |
| Utopic | Fix Released | Undecided | Unassigned | |
| qemu-kvm (Ubuntu) | Invalid | Undecided | Unassigned | |
| Lucid | Fix Released | Undecided | Marc Deslauriers | |
| Precise | Fix Released | Undecided | Marc Deslauriers | |
| Saucy | Invalid | Undecided | Unassigned | |
| Trusty | Invalid | Undecided | Unassigned | |
| Utopic | Invalid | Undecided | Unassigned | |
Bug Description
This bug tracks the QEMU image format input validation fixes:
parallels: Sanity check for s->tracks (CVE-2014-0142)
parallels: Fix catalog size integer overflow (CVE-2014-0143)
qcow2: Check maximum L1 size in qcow2_snapshot_
qcow2: Fix L1 allocation size in qcow2_snapshot_
qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)
block: Limit request size (CVE-2014-0143)
dmg: prevent chunk buffer overflow (CVE-2014-0145)
dmg: sanitize chunk length and sectorcount (CVE-2014-0145)
qcow2: Fix new L1 table size check (CVE-2014-0143)
qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143)
qcow2: Don't rely on free_cluster_index in alloc_refcount_
qcow2: Validate active L1 table offset and size (CVE-2014-0144)
qcow2: Validate snapshot table offset/size (CVE-2014-0144)
qcow2: Check refcount table size (CVE-2014-0144)
qcow2: Check backing_file_offset (CVE-2014-0144)
qcow2: Check header_length (CVE-2014-0144)
curl: check data size before memcpy to local buffer. (CVE-2014-0144)
vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148)
vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144)
vpc: Validate block size (CVE-2014-0142)
vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144)
bochs: Check extent_size header field (CVE-2014-0142)
bochs: Check catalog_size header field (CVE-2014-0143)
bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147)
block/cloop: refuse images with bogus offsets (CVE-2014-0144)
block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)
block/cloop: prevent offsets_size integer overflow (CVE-2014-0143)
block/cloop: validate block_size header field (CVE-2014-0144)
See:
http://
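The fixes listed above share one pattern: a header field read from an untrusted image (block size, table size, offset) is bounds-checked before it drives an allocation, a multiplication or a file read, and size arithmetic is done in a width that cannot wrap. The following is an added example, not QEMU code and not any of the patches tracked here; it validates a constructed toy image header (the `toy_header` layout, the `TOY_*` limits and the function names are all assumptions made for this example) the way those patches validate cloop, bochs, vpc and qcow2 headers.

```c
/* Added example (not QEMU code): bounds-checking image-header fields before
 * they are used, in the style of the validation fixes tracked in this bug.
 * The toy format, its limits and all names below are constructed for the
 * example. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed toy header: a cloop-like compressed image with a block size,
 * a block count and a table of per-block file offsets. */
typedef struct {
    uint32_t block_size;   /* bytes per decompressed block */
    uint32_t n_blocks;     /* number of entries in the offsets table */
    uint64_t table_offset; /* where the offsets table starts in the file */
} toy_header;

/* Upper bounds chosen for this example; real formats define their own. */
#define TOY_MAX_BLOCK_SIZE  (64u * 1024u * 1024u)   /* 64 MiB */
#define TOY_MAX_TABLE_BYTES (512u * 1024u * 1024u)  /* 512 MiB */

typedef enum {
    TOY_OK = 0,
    TOY_ERR_BLOCK_SIZE,          /* zero, not a power of two, or too large */
    TOY_ERR_TABLE_TOO_LARGE,     /* n_blocks * 8 overflowed or exceeds cap */
    TOY_ERR_TABLE_OUT_OF_FILE,   /* table would extend past end of file */
    TOY_ERR_OFFSET_OUT_OF_FILE   /* a table entry points outside the file */
} toy_status;

/* Overflow-safe multiply: false if a*b does not fit in 64 bits. */
static bool mul_u64_checked(uint64_t a, uint64_t b, uint64_t *out)
{
    if (a != 0 && b > UINT64_MAX / a) {
        return false;
    }
    *out = a * b;
    return true;
}

/* Validate header fields against the file size before any allocation.
 * On success the table size in bytes is written to *table_bytes_out. */
toy_status toy_validate_header(const toy_header *h, uint64_t file_size,
                               uint64_t *table_bytes_out)
{
    /* block_size must be non-zero, a power of two and bounded; otherwise
     * later divisions and buffer sizing go wrong (cf. the vpc/vhdx/cloop
     * block_size checks in the list above). */
    if (h->block_size == 0 ||
        (h->block_size & (h->block_size - 1)) != 0 ||
        h->block_size > TOY_MAX_BLOCK_SIZE) {
        return TOY_ERR_BLOCK_SIZE;
    }

    /* Table size is computed in 64 bits with an explicit overflow check and
     * a cap. A 32-bit "n_blocks * 8" wraps to 0 for n_blocks = 2^29, which
     * would allocate nothing and then index far past it (cf. the cloop
     * offsets_size overflow fix). */
    uint64_t table_bytes;
    if (!mul_u64_checked(h->n_blocks, sizeof(uint64_t), &table_bytes) ||
        table_bytes > TOY_MAX_TABLE_BYTES) {
        return TOY_ERR_TABLE_TOO_LARGE;
    }

    /* The table must lie inside the file. Compare with subtraction rather
     * than table_offset + table_bytes, which could itself wrap. */
    if (h->table_offset > file_size ||
        table_bytes > file_size - h->table_offset) {
        return TOY_ERR_TABLE_OUT_OF_FILE;
    }

    if (table_bytes_out) {
        *table_bytes_out = table_bytes;
    }
    return TOY_OK;
}

/* Validate the offsets table once it has been read: every entry must be
 * inside the file and the entries must not decrease (cf. cloop "refuse
 * images with bogus offsets"). */
toy_status toy_validate_offsets(const uint64_t *offsets, uint32_t n,
                                uint64_t file_size)
{
    for (uint32_t i = 0; i < n; i++) {
        if (offsets[i] > file_size) {
            return TOY_ERR_OFFSET_OUT_OF_FILE;
        }
        if (i > 0 && offsets[i] < offsets[i - 1]) {
            return TOY_ERR_OFFSET_OUT_OF_FILE;
        }
    }
    return TOY_OK;
}

int main(void)
{
    /* Constructed sample: a 1 MiB file with a sane header and one whose
     * block count would wrap a 32-bit size computation. */
    const uint64_t file_size = 1u << 20;
    toy_header good = { 4096, 16, 64 };
    toy_header huge = { 4096, 0x20000000u, 64 };
    uint64_t table_bytes = 0;
    printf("good header: status %d, table %llu bytes\n",
           toy_validate_header(&good, file_size, &table_bytes),
           (unsigned long long)table_bytes);
    printf("huge header: status %d\n",
           toy_validate_header(&huge, file_size, NULL));
    return 0;
}
```

The file-size check uses `file_size - table_offset` after confirming `table_offset <= file_size`, so no intermediate sum can wrap; the same subtraction form applies to any "offset + length within file" check on an untrusted header.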
Changed in qemu (Ubuntu Utopic):
  status: New → Fix Released
Changed in qemu (Ubuntu Trusty):
  status: New → Fix Released
Changed in qemu (Ubuntu Lucid):
  status: New → In Progress
Changed in qemu (Ubuntu Precise):
  status: New → In Progress
Changed in qemu (Ubuntu Saucy):
  status: New → In Progress
Changed in qemu (Ubuntu Lucid):
  assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in qemu (Ubuntu Precise):
  assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in qemu (Ubuntu Saucy):
  assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in qemu (Ubuntu Lucid):
  assignee: Marc Deslauriers (mdeslaur) → nobody
  status: In Progress → Invalid
Changed in qemu (Ubuntu Precise):
  assignee: Marc Deslauriers (mdeslaur) → nobody
  status: In Progress → Invalid
Changed in qemu-kvm (Ubuntu Lucid):
  assignee: nobody → Marc Deslauriers (mdeslaur)
  status: New → In Progress
Changed in qemu-kvm (Ubuntu Precise):
  assignee: nobody → Marc Deslauriers (mdeslaur)
  status: New → In Progress
Changed in qemu-kvm (Ubuntu Saucy):
  status: New → Invalid
Changed in qemu-kvm (Ubuntu Trusty):
  status: New → Invalid
Changed in qemu-kvm (Ubuntu Utopic):
  status: New → Invalid
Changed in qemu (Ubuntu Saucy):
  status: In Progress → Won't Fix
This bug was fixed in the package qemu-kvm - 0.12.3+noroms-0ubuntu9.24

---------------
qemu-kvm (0.12.3+noroms-0ubuntu9.24) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service and possible code execution via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0142.patch: validate extent_size header field
      in block/bochs.c, validate s->tracks in block/parallels.c, validate
      block size in block/vpc.c, backport function to qemu-common.h,
      backport DIV_ROUND_UP to osdep.h.
    - CVE-2014-0142
  * SECURITY UPDATE: denial of service and possible code execution via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0143.patch: validate nb_sectors in block.c,
      validate catalog_size header field in block/bochs.c, prevent
      offsets_size integer overflow in block/cloop.c, fix catalog size
      integer overflow in block/parallels.c, validate new_l1_size in
      block/qcow2-cluster.c, use proper size in block/qcow2-refcount.c,
      check L1 snapshot table size in block/qcow2-snapshot.c, check active
      L1 table size in block/qcow2.c, define max size in block/qcow2.h.
    - CVE-2014-0143
  * SECURITY UPDATE: denial of service and possible code execution via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0144.patch: validate block sizes and offsets
      in block/cloop.c, check offset in block/curl.c, validate size in
      block/qcow2-refcount.c, check number of snapshots in
      block/qcow2-snapshot.c, check sizes and offsets in block/qcow2.c,
      move structs to block/qcow2.h, check sizes in block/vdi.c,
      prevent overflows in block/vpc.c.
    - CVE-2014-0144
  * SECURITY UPDATE: denial of service and possible code execution via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0145.patch: check chunk sizes in block/dmg.c,
      use correct size in block/qcow2-snapshot.c.
    - CVE-2014-0145
  * SECURITY UPDATE: denial of service and possible code execution via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0146.patch: calculate offsets properly in
      block/qcow2.c.
    - CVE-2014-0146
  * SECURITY UPDATE: denial of service and possible code execution via
    incorrect image format validation (LP: #1322204)
    - debian/patches/CVE-2014-0147.patch: use proper sizes in block/bochs.c.
    - CVE-2014-0147
  * SECURITY UPDATE: multiple buffer overflows on invalid state load
    - debian/patches: added large number of upstream patches pulled from
      git tree.
    - CVE-2013-4148
    - CVE-2013-4151
    - CVE-2013-4530
    - CVE-2013-4531
    - CVE-2013-4533
    - CVE-2013-4534
    - CVE-2013-4537
    - CVE-2013-4538
    - CVE-2013-4539
    - CVE-2013-4540
    - CVE-2013-6399
    - CVE-2014-0182
    - CVE-2014-0222
    - CVE-2014-0223

 -- Marc Deslauriers <email address hidden>  Tue, 12 Aug 2014 14:35:45 -0400