[oss-security] 20170301 CVE-2017-6414 Qemu: libcacard: host memory leakage while creating new APDU

96541

RHSA-2017:2408

https://bugzilla.redhat.com/show_bug.cgi?id=1427833

https://cgit.freedesktop.org/spice/libcacard/commit/?id=9113dc6a303604a2d9812ac70c17d076ef11886c

https://cgit.freedesktop.org/spice/libcacard/tree/NEWS?id=aaa5251791bf0b1640afcba77a7d79ea23c42d53

According to the version of the libcacard package installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - Memory leak in the vcard_apdu_new function in     card_7816.c in libcacard before 2.5.3 allows local     guest OS users to cause a denial of service (host     memory consumption) via vectors related to allocating a     new APDU object.(CVE-2017-6414)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues. These security issues were fixed :

  - A malicious 64-bit PV guest may be able to access all of     system memory, allowing for all of privilege escalation,     host crashes, and information leaks by placing a IRET     hypercall in the middle of a multicall batch (XSA-213,     bsc#1034843)

  - A malicious pair of guests may be able to access all of     system memory, allowing for all of privilege escalation,     host crashes, and information leaks because of a missing     check when transfering pages via GNTTABOP_transfer     (XSA-214, bsc#1034844).

  - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local     guest OS privileged users to cause a denial of service     (out-of-bounds read and QEMU process crash) via vectors     related to copying VGA data via the     cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_     functions (bsc#1034994).

  - CVE-2016-9603: A privileged user within the guest VM     could have caused a heap overflow in the device model     process, potentially escalating their privileges to that     of the device model process (bsc#1028655)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes the following issues: These security issues were fixed :

  - CVE-2017-7228: Broken check in memory_exchange()     permited PV guest breakout (bsc#1030442).

  - XSA-206: Unprivileged guests issuing writes to xenstore     were able to stall progress of the control domain or     driver domain, possibly leading to a Denial of Service     (DoS) of the entire host (bsc#1030144).

  - CVE-2016-9603: A privileged user within the guest VM can     cause a heap overflow in the device model process,     potentially escalating their privileges to that of the     device model process (bsc#1028655).

  - CVE-2017-6414: Memory leak in the vcard_apdu_new     function in card_7816.c in libcacard allowed local guest     OS users to cause a denial of service (host memory     consumption) via vectors related to allocating a new     APDU object (bsc#1027570).

  - CVE-2017-6505: The ohci_service_ed_list function in     hw/usb/hcd-ohci.c allowed local guest OS users to cause     a denial of service (infinite loop) via vectors     involving the number of link endpoint list descriptors     (bsc#1028235).

  - CVE-2017-2633: The VNC display driver support was     vulnerable to an out-of-bounds memory access issue. A     user/process inside guest could use this flaw to cause     DoS (bsc#1026636).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes the following issues: These security issues were fixed :

  - CVE-2017-7228: Broken check in memory_exchange()     permited PV guest breakout (bsc#1030442).

  - XSA-206: Unprivileged guests issuing writes to xenstore     were able to stall progress of the control domain or     driver domain, possibly leading to a Denial of Service     (DoS) of the entire host (bsc#1030144).

  - CVE-2017-6505: The ohci_service_ed_list function in     hw/usb/hcd-ohci.c allowed local guest OS users to cause     a denial of service (infinite loop) via vectors     involving the number of link endpoint list descriptors     (bsc#1028235).

  - CVE-2017-6414: Memory leak in the vcard_apdu_new     function in card_7816.c in libcacard allowed local guest     OS users to cause a denial of service (host memory     consumption) via vectors related to allocating a new     APDU object (bsc#1027570).

  - CVE-2017-2633: The VNC display driver support was     vulnerable to an out-of-bounds memory access issue. A     user/process inside guest could use this flaw to cause     DoS (bsc#1026636).

  - CVE-2016-9603: A privileged user within the guest VM can     cause a heap overflow in the device model process,     potentially escalating their privileges to that of the     device model process (bsc#1028655).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes the following security issues :

  - CVE-2017-7228: Broken check in memory_exchange()     permited PV guest breakout (bsc#1030442).

  - CVE-2017-6414: Memory leak in the vcard_apdu_new     function in card_7816.c in libcacard allowed local guest     OS users to cause a denial of service (host memory     consumption) via vectors related to allocating a new     APDU object (bsc#1027570).

  - CVE-2017-6505: The ohci_service_ed_list function in     hw/usb/hcd-ohci.c allowed local guest OS users to cause     a denial of service (infinite loop) via vectors     involving the number of link endpoint list descriptors     (bsc#1028235).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

new upstream release 2.5.3, fixing leaks

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
146752	EulerOS 2.0 SP2 : libcacard (EulerOS-SA-2021-1314)	Nessus	Huawei Local Security Checks	medium
145161	EulerOS 2.0 SP3 : libcacard (EulerOS-SA-2021-1082)	Nessus	Huawei Local Security Checks	medium
99962	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2017:1147-1)	Nessus	SuSE Local Security Checks	critical
99580	SUSE SLES11 Security Update : xen (SUSE-SU-2017:1081-1)	Nessus	SuSE Local Security Checks	critical
99579	SUSE SLES12 Security Update : xen (SUSE-SU-2017:1080-1)	Nessus	SuSE Local Security Checks	critical
99507	SUSE SLES11 Security Update : xen (SUSE-SU-2017:1058-1)	Nessus	SuSE Local Security Checks	high
97535	Fedora 25 : 3:libcacard (2017-5a6ed9d326)	Nessus	Fedora Local Security Checks	medium

CVE-2017-6414

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

medium

medium

critical

critical

critical

high

medium