[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] QEMU image format input validation fixes (multiple CVEs)
From: Stefan Hajnoczi <stefanha () redhat ! com>
Date: 2014-03-26 12:37:17
Message-ID: 20140326123717.GA21851 () stefanha-thinkpad ! muc ! redhat ! com
[Download RAW message or body]
Hi,
Several missing input validation bugs in QEMU's disk image format code
have been fixed.
CVEs are as follows:
parallels: Sanity check for s->tracks (CVE-2014-0142)
parallels: Fix catalog size integer overflow (CVE-2014-0143)
qcow2: Check maximum L1 size in qcow2_snapshot_load_tmp() (CVE-2014-0143)
qcow2: Fix L1 allocation size in qcow2_snapshot_load_tmp() (CVE-2014-0145)
qcow2: Fix NULL dereference in qcow2_open() error path (CVE-2014-0146)
block: Limit request size (CVE-2014-0143)
dmg: prevent chunk buffer overflow (CVE-2014-0145)
dmg: sanitize chunk length and sectorcount (CVE-2014-0145)
qcow2: Fix new L1 table size check (CVE-2014-0143)
qcow2: Avoid integer overflow in get_refcount (CVE-2014-0143)
qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147)
qcow2: Validate active L1 table offset and size (CVE-2014-0144)
qcow2: Validate snapshot table offset/size (CVE-2014-0144)
qcow2: Check refcount table size (CVE-2014-0144)
qcow2: Check backing_file_offset (CVE-2014-0144)
qcow2: Check header_length (CVE-2014-0144)
curl: check data size before memcpy to local buffer. (CVE-2014-0144)
vhdx: Bounds checking for block_size and logical_sector_size (CVE-2014-0148)
vdi: add bounds checks for blocks_in_image and disk_size header fields (CVE-2014-0144)
vpc: Validate block size (CVE-2014-0142)
vpc/vhd: add bounds check for max_table_entries and block_size (CVE-2014-0144)
bochs: Check extent_size header field (CVE-2014-0142)
bochs: Check catalog_size header field (CVE-2014-0143)
bochs: Use unsigned variables for offsets and sizes (CVE-2014-0147)
block/cloop: refuse images with bogus offsets (CVE-2014-0144)
block/cloop: refuse images with huge offsets arrays (CVE-2014-0144)
block/cloop: prevent offsets_size integer overflow (CVE-2014-0143)
block/cloop: validate block_size header field (CVE-2014-0144)
Patches are available here:
https://lists.gnu.org/archive/html/qemu-devel/2014-03/msg04994.html
Patches will be in the upcoming QEMU 2.0 release and a QEMU 1.7.2
stable release is also planned. You are welcome to join #qemu on
irc.oftc.net or the qemu-devel@nongnu.org mailing list if you need more
information.
Stefan
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic