CVE-2011-3346
Published: 1 April 2014
Buffer overflow in hw/scsi-disk.c in the SCSI subsystem in QEMU before 0.15.2, as used by Xen, might allow local guest users with permission to access the CD-ROM to cause a denial of service (guest crash) via a crafted SAI READ CAPACITY SCSI command. NOTE: this is only a vulnerability when root has manually modified certain permissions or ACLs.
Notes
| Author | Note |
|---|---|
| jdstrand | redhat bug has reproducer non-privileged user in the guest can crash qemu. Requires write access to a scsi device, eg /dev/sr0 this only affected the RedHat xen packages, not qemu. Verified issue does not affect qemu-kvm on Ubuntu 12.04, 11.10, 11.04, 10.10, and 10.04 LTS by attaching a scsi CDROM and performing: sg_raw -r 32768 /dev/sr0 9E 10 00 00 00 00 00 00 00 00 00 04 00 00 00 00 sg_raw -r 32768 /dev/sr0 9E 10 00 00 00 00 00 00 00 00 00 01 00 00 00 00 hypervisor code for xen is in universe |
| mdeslaur | code seems different in xen, marking as not-affected |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
qemu-kvm Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Not vulnerable
|
|
| maverick |
Not vulnerable
|
|
| natty |
Not vulnerable
|
|
| oneiric |
Not vulnerable
|
|
| precise |
Not vulnerable
|
|
| quantal |
Not vulnerable
|
|
| upstream |
Needs triage
|
|
|
Patches: other: http://repo.or.cz/w/qemu.git/commit/7285477ab11831b1cf56e45878a89170dd06d9b9 other: http://repo.or.cz/w/qemu.git/commit/103b40f51e4012b3b0ad20f615562a1806d7f49a |
||
|
xen Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Does not exist
|
|
| maverick |
Does not exist
|
|
| natty |
Does not exist
|
|
| oneiric |
Not vulnerable
|
|
| precise |
Not vulnerable
|
|
| quantal |
Not vulnerable
|
|
| upstream |
Needs triage
|
|
|
Patches: vendor: https://rhn.redhat.com/errata/RHSA-2011-1401.html |
||
| Binaries built from this source package are in Universe and so are supported by the community. | ||
|
xen-3.1 Launchpad, Ubuntu, Debian |
hardy |
Ignored
(end of life)
|
| lucid |
Does not exist
|
|
| natty |
Does not exist
|
|
| oneiric |
Does not exist
|
|
| precise |
Does not exist
|
|
| quantal |
Does not exist
|
|
| upstream |
Needs triage
|
|
| Binaries built from this source package are in Universe and so are supported by the community. | ||
|
xen-3.2 Launchpad, Ubuntu, Debian |
hardy |
Not vulnerable
|
| lucid |
Does not exist
|
|
| natty |
Does not exist
|
|
| oneiric |
Does not exist
|
|
| precise |
Does not exist
|
|
| quantal |
Does not exist
|
|
| upstream |
Needs triage
|
|
| Binaries built from this source package are in Universe and so are supported by the community. | ||
|
xen-3.3 Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Not vulnerable
|
|
| maverick |
Ignored
(end of life)
|
|
| natty |
Ignored
(end of life)
|
|
| oneiric |
Does not exist
|
|
| precise |
Does not exist
|
|
| quantal |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
Patches: vendor: https://rhn.redhat.com/errata/RHSA-2011-1401.html |
||
| Binaries built from this source package are in Universe and so are supported by the community. | ||