CVE-2013-4535: Input Validation
First published: Tue Feb 18 2014(Updated: )
Both virtio-block and virtio-serial read, VirtQueueElements are read in as buffers, and passed to virtqueue_map_sg(), where num_sg is taken from the wire and can force writes to indicies beyond VIRTQUEUE_MAX_SIZE. An user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. Upstream fix: ------------- -> <a href="http://git.qemu.org/?p=qemu.git;a=commit;h=36cf2a37132c7f01fa9adb5f95f5312b27742fd4">http://git.qemu.org/?p=qemu.git;a=commit;h=36cf2a37132c7f01fa9adb5f95f5312b27742fd4</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/qemu-kvm | <1.5.3 | 1.5.3 |
| QEMU qemu | <1.7.2 | |
| Redhat Virtualization | =3.0 | |
| Redhat Enterprise Linux Desktop | =6.0 | |
| Redhat Enterprise Linux Server | =6.0 | |
| Redhat Enterprise Linux Server Tus | =6.5 | |
| Redhat Enterprise Linux Workstation | =6.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.qemu.org/?p=qemu.git;a=commit;h=36cf2a37132c7f01fa9adb5f95f5312b27742fd4
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1095764
- https://rhn.redhat.com/errata/RHSA-2014-0674.html
- https://rhn.redhat.com/errata/RHSA-2014-0744.html
- https://rhn.redhat.com/errata/RHSA-2014-0743.html
- https://rhn.redhat.com/errata/RHSA-2014-0927.html
- https://rhn.redhat.com/errata/RHSA-2014-0888.html
- https://rhn.redhat.com/errata/RHSA-2014-1268.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1066401
- http://git.qemu.org/?p=qemu.git;a=commitdiff;h=36cf2a37132c7f01fa9adb5f95f5312b27742fd4
- http://lists.fedoraproject.org/pipermail/package-announce/2014-May/133345.html
- http://lists.nongnu.org/archive/html/qemu-stable/2014-07/msg00187.html
- http://rhn.redhat.com/errata/RHSA-2014-0743.html
- http://rhn.redhat.com/errata/RHSA-2014-0744.html
- http://git.qemu.org/?p=qemu.git%3Ba=commitdiff%3Bh=36cf2a37132c7f01fa9adb5f95f5312b27742fd4
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/weakness
- agent/severity
- agent/author
- agent/references
- agent/last-modified-date
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2013-4535
- agent/software-canonical-lookup
- agent/tags
- agent/trending
- vendor/qemu
- canonical/qemu qemu
- vendor/redhat
- canonical/redhat virtualization
- version/redhat virtualization/3.0
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/6.0
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/6.0
- canonical/redhat enterprise linux server tus
- version/redhat enterprise linux server tus/6.5
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/6.0
- package-manager/redhat