             AUSCERT External Security Bulletin Redistribution

    Important: qemu-kvm-rhev security, bug fix, and enhancement update
                               11 April 2018


        AusCERT Security Bulletin Summary

Product:           qemu-kvm-rhev
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-5683 CVE-2017-15268 CVE-2017-15124
                   CVE-2017-15119 CVE-2017-15118 CVE-2017-13711
                   CVE-2017-13673 CVE-2017-13672

Reference:         ESB-2018.1092

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

                   Red Hat Security Advisory

Synopsis:          Important: qemu-kvm-rhev security, bug fix, and enhancement update
Advisory ID:       RHSA-2018:1104-01
Product:           Red Hat Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:1104
Issue date:        2018-04-10
CVE Names:         CVE-2017-13672 CVE-2017-13673 CVE-2017-13711
                   CVE-2017-15118 CVE-2017-15119 CVE-2017-15124
                   CVE-2017-15268 CVE-2018-5683

1. Summary:

An update for qemu-kvm-rhev is now available for Red Hat Virtualization 4
for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts - ppc64le, x86_64

3. Description:

KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on a variety of architectures. The qemu-kvm-rhev packages provide the
user-space component for running virtual machines that use KVM in
environments managed by Red Hat products.

The following packages have been upgraded to a later upstream version:
qemu-kvm-rhev (2.10.0). (BZ#1470749)

Security Fix(es):

* Qemu: stack buffer overflow in NBD server triggered via long export name
(CVE-2017-15118)

* Qemu: DoS via large option request (CVE-2017-15119)

* Qemu: vga: OOB read access during display update (CVE-2017-13672)

* Qemu: vga: reachable assert failure during display update (CVE-2017-13673)

* Qemu: Slirp: use-after-free when sending response (CVE-2017-13711)

* Qemu: memory exhaustion through framebuffer update request message in VNC
server (CVE-2017-15124)

* Qemu: I/O: potential memory exhaustion via websock connection to VNC
(CVE-2017-15268)

* Qemu: Out-of-bounds read in vga_draw_text routine (CVE-2018-5683)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Red Hat would like to thank David Buchanan for reporting CVE-2017-13672 and
CVE-2017-13673; Wjjzhang (Tencent.com) for reporting CVE-2017-13711; and
Jiang Xin and Lin ZheCheng for reporting CVE-2018-5683. The CVE-2017-15118
and CVE-2017-15119 issues were discovered by Eric Blake (Red Hat) and the
CVE-2017-15124 issue was discovered by Daniel Berrange (Red Hat).

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:


After installing this update, shut down all running virtual machines. Once
all virtual machines have shut down, start them again for this update to
take effect.
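As an added check, not part of the Red Hat advisory or AusCERT's text: a POSIX shell script that lists qemu-kvm processes still mapped to the pre-upgrade binary, so an administrator can confirm every VM has gone through the shutdown/start cycle the advisory requires. It assumes the emulator path /usr/libexec/qemu-kvm and libvirt pid files under /var/run/libvirt/qemu/; the sample listing it runs on by default is constructed.

```shell
#!/bin/sh
# Added example (not from the advisory). After rpm replaces qemu-kvm-rhev,
# a VM started before the upgrade keeps executing the old binary; the kernel
# marks that process's /proc/<pid>/exe link with " (deleted)". Listing such
# processes shows which VMs still need to be shut down and started again.
# Assumptions: emulator path /usr/libexec/qemu-kvm, libvirt pid files in
# /var/run/libvirt/qemu/<domain>.pid.

QEMU_BIN=/usr/libexec/qemu-kvm

# stale_qemu_pids: read "<pid> <exe-target> [(deleted)]" lines on stdin and
# print the pids whose target is the qemu binary flagged "(deleted)".
stale_qemu_pids() {
    awk -v bin="$QEMU_BIN" '$2 == bin && $3 == "(deleted)" { print $1 }'
}

# exe_listing: emit "<pid> <exe-target>" for every process on this host.
exe_listing() {
    for p in /proc/[0-9]*; do
        t=$(readlink "$p/exe" 2>/dev/null) || continue
        printf '%s %s\n' "${p#/proc/}" "$t"
    done
}

# domain_for_pid: map a qemu pid back to its libvirt domain name, if any.
domain_for_pid() {
    for f in /var/run/libvirt/qemu/*.pid; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" = "$1" ]; then
            d=${f##*/}; printf '%s\n' "${d%.pid}"; return 0
        fi
    done
    printf 'unknown\n'; return 1
}

# Constructed sample listing (not real host output): pid 1234 still runs the
# pre-upgrade binary, pid 1300 was started after the upgrade.
SAMPLE='1234 /usr/libexec/qemu-kvm (deleted)
1300 /usr/libexec/qemu-kvm
1400 /usr/sbin/libvirtd'

if [ "$1" = "--live" ]; then
    exe_listing | stale_qemu_pids | while read -r pid; do
        printf 'pid %s (%s) still runs the old qemu-kvm\n' \
            "$pid" "$(domain_for_pid "$pid")"
    done
else
    printf '%s\n' "$SAMPLE" | stale_qemu_pids
fi
```

Run with --live on a host to inspect real processes; without it the script only evaluates the constructed sample.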

5. Bugs fixed (https://bugzilla.redhat.com/):

1139507 - wrong data-plane properties via info qtree to check if use iothread object syntax
1178472 - fail to boot win2012r2 guest with hv_relaxed&hv_vapic&hv_spinlocks=0x1fff&hv_time & -smp 80,cores=2,threads=1,sockets=40
1212715 - qemu-img gets wrong actual path of backing file when the file name contains colon
1213786 - qemu-img doesn't check if base image exists when size parameter indicated.
1285044 - migration/RDMA: Race condition
1305398 - [RFE] PAPR Hash Page Table (HPT) resizing (qemu-kvm-rhev)
1320114 - qemu prompt "main-loop: WARNING: I/O thread spun for 1000 iterations" when block mirror from format qcow2 to raw
1344299 - PCIe: Add an option to PCIe ports to disable IO port space support
1372583 - Keyboard can't be used when install rhel7 in guest which has SATA CDROM and spice+qxl mode sometimes
1378241 - QEMU image file locking
1390346 - PCI: Reserve MMIO space over 4G for PCI hotplug
1390348 - PCI: Provide to libvirt a new query command whether a device is PCI/PCIe/hybrid
1398633 - [RFE] Kernel address space layout randomization [KASLR] support (qemu-kvm-rhev)
1406803 - RFE: native integration of LUKS and qcow2
1414049 - [RFE] Add support to qemu-img  for resizing with preallocation
1433670 - Provide an  API that estimates the size of QCOW2 image converted from a raw image
1434321 - [Q35] code 10 error when install VF in windows 2016
1437113 - PCIe: Allow configuring  Generic PCIe Root Ports MMIO Window
1441460 - 'query-block' dirty bitmap count is shown in sectors but documented in bytes
1441684 - Re-enable op blocker assertions
1441938 - When boot windows guest with two numa nodes and  pc-dimm assigned to the second node, the dimm cannot be recognized by the guest
1443877 - All the memory was assigned to the last node when guest booted up with 128 nodes
1445834 - Add support for AMD EPYC processors
1446565 - Some keys are missing when using fr-ca keyboard layout with VNC display
1447258 - Fail to create internal snapshot with data plane enable
1447413 - RFE: provide a secure way to pass cookies to curl block driver
1448344 - Failed to hot unplug cpu core which hotplugged in early boot stages
1449067 - [RFE] Device passthrough support for VT-d emulation
1449609 - qemu coredump when dd on multiple usb-storage devices concurrently in guest
1449991 - [rhel7.4][usb-hub]usb kdb doesn't work under 2 tier usb hubs with xhci contronnler for win2016 guest
1451015 - Qemu core dump when do 'quit ' in HMP via ide drive.
1451189 - Add way to select qemu-xhci / nec-usb-xhci device only
1451269 - Clarify the relativity of backing file and created image in "qemu-img create"
1453167 - [PPC] [Hot unplug CPU] Failed to hot unplug after migration
1454362 - QEMU fails to report error when requesting migration bind to "::" when ipv6 disabled
1454367 - QEMU fails to reject IPv4 connections when IPv4 listening is disabled
1455074 - qemu core dump when continuouly hotplug/unplug virtserialport and virito-serial-pci in a loop
1457662 - Windows guest cannot boot with interrupt remapping (VT-d)
1459906 - The guest with intel-iommu device enabled can not restore after managedsave
1459945 - migration fails with hungup serial console reader on -M pc-i440fx-rhel7.0.0 and pc-i440fx-rhel7.1.0
1460119 - qemu gets SIGABRT when hot-plug nvdimm device twice
1460595 - [virtio-vga]Display 2 should be dropped when guest reboot
1460848 - RFE: Enhance qemu to support freeing memory before exit when using memory-backend-file
1462145 - Qemu crashes when all fw_cfg slots are used
1463172 - [Tracing] capturing trace data failed
1464908 - [RFE] Add SCSI-3 PR support to qemu (similar to mpathpersist)
1465799 - When do migration from RHEL7.4 host to RHEL7.3.Z host, dst host prompt "error while loading state for instance 0x0 of device 'spapr_pci'"
1468260 - vhost-user/iommu: crash when backend disconnects
1470634 - Wrong allocation value after virDomainBlockCopy() (alloc=capacity)
1472756 - Keys to control audio are not forwarded to the guest
1474464 - Unable to send PAUSE/BREAK to guests in VNC or SPICE
1475634 - Requires for the seabios version that support vIOMMU of virtio
1476121 - Unable to start vhost if iommu_platform=on but intel_iommu=on not specified in guest
1481593 - Boot guest failed with "src/central_freelist.cc:333] tcmalloc: allocation failed 196608" when 465 disks are attached to 465 pci-bridges
1482478 - Fail to quit source qemu when do live migration after mirroring guest to NBD server
1486400 - CVE-2017-13711 Qemu: Slirp: use-after-free when sending response
1486560 - CVE-2017-13672 Qemu: vga: OOB read access during display update
1486588 - CVE-2017-13673 Qemu: vga: reachable assert failure during display update
1489670 - Hot-unplugging a vhost network device leaks references to VFIOPCIDevice's
1489800 - q35/ovmf: Machine type compat vs OVMF vs windows
1491909 - IP network can not recover after several vhost-user reconnect
1492178 - Non-top-level change-backing-file causes assertion failure
1492295 - Guest hit call trace with iothrottling(iops) after the status from stop to cont during doing io testing
1495090 - Transfer a file about 10M failed from host to guest through spapr-vty device
1495456 - Update downstream qemu's max supported cpus for pseries to the RHEL supported number
1496879 - CVE-2017-15268 Qemu: I/O: potential memory exhaustion via websock connection to VNC
1497120 - migration+new block migration race: bdrv_co_do_pwritev: Assertion `!(bs->open_flags & 0x0800)' failed
1497137 - Update kvm_stat
1497740 - -cdrom option is broken
1498042 - RFE: option to mark virtual block device as rotational/non-rotational
1498496 - Handle device tree changes in QEMU 2.10.0
1498754 - Definition of HW_COMPAT_RHEL7_3 is not correct
1498817 - Vhost IOMMU support regression since qemu-kvm-rhev-2.9.0-16.el7_4.5
1498865 - There is no switch to build qemu-kvm-rhev or qemu-kvm-ma packages
1499011 - 7.5: x86 machine types for 7.5
1499647 - qemu miscalculates guest RAM size during HPT resizing
1500181 - [Q35] guest boot up failed with ovmf
1500334 - LUKS driver has poor performance compared to in-kernel driver
1501240 - Enable migration device
1501337 - Support specialized spapr-dr-connector devices
1501468 - Remove RHEL-7.4 machine machine type in 7.5 release
1502949 - Update configure parameters to cover changes in 2.10.0
1505654 - Missing libvxhs share-able object  file when try to query vxhs protocol
1505696 - Qemu crashed when open the second display of virtio video
1505701 - -blockdev fails if a qcow2 image has backing store format and backing store is referenced via node-name
1506151 - [data-plane] Quitting qemu in destination side encounters "core dumped" when doing live migration
1506531 - [data-plane] Qemu-kvm core dumped when hot-unplugging a block device with data-plane while the drive-mirror job is running
1506882 - Call trace showed up in dmesg after migrating guest when "stress-ng --numa 2" was running inside guest
1507693 - Unable to hot plug device to VM reporting libvirt errors.
1508271 - Migration is failed from host RHEL7.4.z to host RHEL7.5 with "-machine pseries-rhel7.4.0 -device pci-bridge,id=pci_bridge,bus=pci.0,addr=03,chassis_nr=1"
1508799 - qemu-kvm core dumped when doing 'savevm/loadvm/delvm' for the second time
1508886 - QEMU's AIO subsystem gets stuck inhibiting all I/O operations on virtio-blk-pci devices
1510809 - qemu-kvm core dumped when booting up guest using both virtio-vga and VGA
1511312 - Migrate an VM with  pci-bridge or pcie-root-port failed
1513870 - For VNC connection, characters '|' and '<' are both recognized as '>' in linux guests, while '<' and '>' are both recognized as '|' in windows guest
1515173 - Cross migration from rhel6.9 to rhel7.5 failed
1515393 - bootindex is not taken into account for virtio-scsi devices on ppc64 if the LUN is >= 256
1515604 - qemu-img info: failed to get "consistent read" lock on a mirroring image
1516922 - CVE-2017-15118 Qemu: stack buffer overflow in NBD server triggered via long export name
1516925 - CVE-2017-15119 qemu: DoS via large option request
1517144 - Provide a ppc64le specific /etc/modprobe.d/kvm.conf
1518482 - "share-rw" property is unavailable on scsi passthrough devices
1518649 - Client compatibility flaws in VNC websockets server
1519721 - Both qemu and guest hang when performing live snapshot transaction with data-plane
1520294 - Hot-unplug the second pf cause qemu promote " Failed to remove group $iommu_group_num from KVM VFIO device:"
1520824 - Migration with dataplane, qemu processor hang, vm hang and migration can't finish
1523414 - [POWER guests] Verify compatible CPU & hypervisor capabilities across migration
1525195 - CVE-2017-15124 Qemu: memory exhaustion through framebuffer update request message in VNC server
1525324 - 2 VMs both with 'share-rw=on' appending on '-device usb-storage' for the same source image can not be started at the same time
1525868 - Guest hit core dump with both IO throttling and data plane
1526212 - qemu-img should not need a write lock for creating the overlay image
1526423 - QEMU hang with data plane enabled after some sg_write_same operations in guest
1528173 - Hot-unplug memory  during booting early stage induced qemu-kvm coredump
1529053 - Miss the handling of EINTR in the fcntl calls made by QEMU
1529243 - Migration from P9 to P8, migration failed and qemu quit on dst end with "error while loading state for instance 0x0 of device 'ics'"
1529676 - kvm_stat: option '--guest' doesn't work
1530356 - CVE-2018-5683 Qemu: Out-of-bounds read in vga_draw_text routine
1534491 - Mirror jobs for drives with iothreads make QEMU to abort with "block.c:1895: bdrv_attach_child: Assertion `bdrv_get_aio_context(parent_bs) == bdrv_get_aio_context(child_bs)' failed."
1535752 - Device tree incorrectly advertises compatibility modes for secondary CPUs
1535992 - Set force shared option "-U" as default option for "qemu-img info"
1538494 - Guest crashed on the source host when cancel migration by virDomainMigrateBegin3Params sometimes
1538953 - IOTLB entry size mismatch before/after migration during DPDK PVP testing
1540003 - Postcopy migration failed with "Unreasonably large packaged state"
1540182 - QEMU: disallow virtio-gpu to boot with vIOMMU
1542045 - qemu-kvm-rhev seg-faults at  qemu_co_queue_run_restart (co=co@entry=0x5602801e8080) at util/qemu-coroutine-lock.c:83)

6. Package List:

Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts:




These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from

7. References:


8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967