Control: reopen -1

There are 2 more CVEs assigned to new issues found in qcow1 format processing.
Since there's the same set of issues, and since the relevant bug has only
been closed for -testing anyway (and needs backporting to -stable and even
maybe -oldstable), I'm adding them here.

CVE-2014-0222 Qemu: qcow1: Validate L2 table size
  Too large L2 table sizes cause unbounded allocations. Images actually
  created by qemu-img only have 512 byte or 4k L2 tables.

  To keep things consistent with cluster sizes, allow ranges between 512
  bytes and 64k (in fact, down to 1 entry = 8 bytes is technically
  working, but L2 table sizes smaller than a cluster don't make a lot of
  sense).

  This also means that the number of bytes on the virtual disk that are
  described by the same L2 table is limited to at most 8k * 64k or 2^29,
  preventively avoiding any integer overflows.

  https://lists.gnu.org/archive/html/qemu-devel/2014-05/msg02155.html


CVE-2014-0223 Qemu: qcow1: Validate image size
  A huge image size could cause s->l1_size to overflow. Make sure that
  images never require an L1 table larger than what fits in s->l1_size.

  This can not only cause unbounded allocations, but also the allocation of
  a too small L1 table, resulting in out-of-bounds array accesses (both
  reads and writes).

  https://lists.gnu.org/archive/html/qemu-devel/2014-05/msg02156.html

This is qcow1, which is an old qemu image format that is very rarely used
nowadays (if at all), but we have other exotic formats in this bug too.

So, with this in place, proposed patches for wheezy need to be reworked,
adding the new fixes.

Thanks,

/mjt
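As an added illustration of the two header checks the commit messages above describe (this is example code, not QEMU's own; the header struct, field names and return codes are hypothetical, and bounding the cluster size to the same 512-byte to 64k range as the L2 table is an assumption):

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the qcow1 header fields involved (not QEMU's QCowHeader). */
struct qcow1_hdr {
    uint64_t size;         /* virtual disk size in bytes */
    uint8_t  cluster_bits; /* cluster size = 1 << cluster_bits */
    uint8_t  l2_bits;      /* L2 table entries = 1 << l2_bits, 8 bytes each */
};

enum { QCOW1_OK = 0, QCOW1_BAD_CLUSTER = -1, QCOW1_BAD_L2 = -2, QCOW1_TOO_LARGE = -3 };

/* Validate header geometry before any allocation is sized from it.
 * On success returns QCOW1_OK and stores the L1 entry count in *l1_size. */
int qcow1_check_header(const struct qcow1_hdr *h, int *l1_size)
{
    /* Assumption: clusters of 512 bytes .. 64k, mirroring the L2 range. */
    if (h->cluster_bits < 9 || h->cluster_bits > 16)
        return QCOW1_BAD_CLUSTER;
    /* CVE-2014-0222: L2 table must be 512 bytes .. 64k. Entries are 8 bytes,
     * so the entry count is bounded by 2^(9-3) .. 2^(16-3). */
    if (h->l2_bits < 9 - 3 || h->l2_bits > 16 - 3)
        return QCOW1_BAD_L2;
    /* CVE-2014-0223: each L1 entry covers 2^shift bytes (at most 2^29), and
     * the rounded-up L1 entry count must describe a table that fits an int. */
    unsigned shift = h->cluster_bits + h->l2_bits;
    uint64_t per_l1 = (uint64_t)1 << shift;
    if (h->size > UINT64_MAX - (per_l1 - 1))   /* round-up would wrap */
        return QCOW1_TOO_LARGE;
    uint64_t n = (h->size + per_l1 - 1) >> shift;
    if (n > INT_MAX / sizeof(uint64_t))        /* table bytes must fit an int */
        return QCOW1_TOO_LARGE;
    *l1_size = (int)n;
    return QCOW1_OK;
}

int main(void)
{
    /* Constructed headers: a sane 1 GiB image, an oversized L2 table, a huge size. */
    struct qcow1_hdr ok = { 1ULL << 30, 12, 9 };
    struct qcow1_hdr bad_l2 = { 1ULL << 30, 12, 20 };
    struct qcow1_hdr huge = { UINT64_MAX, 9, 6 };
    int l1 = 0;
    printf("ok=%d l1_size=%d\n", qcow1_check_header(&ok, &l1), l1);
    printf("bad_l2=%d huge=%d\n", qcow1_check_header(&bad_l2, &l1),
           qcow1_check_header(&huge, &l1));
    return 0;
}
```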

