Red Hat Security Advisory 2018-1104-01

Posted Apr 11, 2018
Authored by Red Hat

Red Hat Security Advisory 2018-1104-01 - KVM is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines that use KVM in environments managed by Red Hat products. The following packages have been upgraded to a later upstream version: qemu-kvm-rhev. Issues addressed include buffer overflow, denial of service, randomization, and use-after-free vulnerabilities.

tags | advisory, denial of service, overflow, vulnerability
systems | linux, redhat
advisories | CVE-2017-13672, CVE-2017-13673, CVE-2017-13711, CVE-2017-15118, CVE-2017-15119, CVE-2017-15124, CVE-2017-15268, CVE-2018-5683
MD5 | cb83aadca0e0b644bf1b0357f3ac4a0b

Red Hat Security Advisory

Synopsis: Important: qemu-kvm-rhev security, bug fix, and enhancement update
Advisory ID: RHSA-2018:1104-01
Product: Red Hat Virtualization
Advisory URL:
Issue date: 2018-04-10
CVE Names: CVE-2017-13672 CVE-2017-13673 CVE-2017-13711
CVE-2017-15118 CVE-2017-15119 CVE-2017-15124
CVE-2017-15268 CVE-2018-5683

1. Summary:

An update for qemu-kvm-rhev is now available for Red Hat Virtualization 4
for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts - ppc64le, x86_64

3. Description:

KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on a variety of architectures. The qemu-kvm-rhev packages provide the
user-space component for running virtual machines that use KVM in
environments managed by Red Hat products.

The following packages have been upgraded to a later upstream version:
qemu-kvm-rhev (2.10.0). (BZ#1470749)

Security Fix(es):

* Qemu: stack buffer overflow in NBD server triggered via long export name
(CVE-2017-15118)

* Qemu: DoS via large option request (CVE-2017-15119)

* Qemu: vga: OOB read access during display update (CVE-2017-13672)

* Qemu: vga: reachable assert failure during display update
(CVE-2017-13673)

* Qemu: Slirp: use-after-free when sending response (CVE-2017-13711)

* Qemu: memory exhaustion through framebuffer update request message in VNC
server (CVE-2017-15124)

* Qemu: I/O: potential memory exhaustion via websock connection to VNC
(CVE-2017-15268)

* Qemu: Out-of-bounds read in vga_draw_text routine (CVE-2018-5683)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Red Hat would like to thank David Buchanan for reporting CVE-2017-13672 and
CVE-2017-13673; Wjjzhang ( for reporting CVE-2017-13711; and
Jiang Xin and Lin ZheCheng for reporting CVE-2018-5683. The CVE-2017-15118
and CVE-2017-15119 issues were discovered by Eric Blake (Red Hat) and the
CVE-2017-15124 issue was discovered by Daniel Berrange (Red Hat).

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

After installing this update, shut down all running virtual machines. Once
all virtual machines have shut down, start them again for this update to
take effect.
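
The restart requirement above can be checked per host. The script below is an added example, not part of the Red Hat advisory: it lists VM processes that still execute the binary that the update replaced. It assumes the VM process binary is named qemu-kvm; the function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the advisory): find VMs that were not restarted
# after the qemu-kvm-rhev update and so still run the old code.
#
# When a package update replaces a binary, the kernel marks the exe link of
# every process started from the old file as "<path> (deleted)".
# Assumption: the VM process binary is named qemu-kvm.

# stale_qemu_pids [PROC_ROOT] - print one PID per line for each process whose
# exe link ends in "/qemu-kvm (deleted)". Run as root on a real host so that
# the links of other users' processes are readable.
stale_qemu_pids() {
    sq_root="${1:-/proc}"
    for sq_dir in "$sq_root"/[0-9]*; do
        [ -L "$sq_dir/exe" ] || continue
        sq_target=$(readlink "$sq_dir/exe" 2>/dev/null) || continue
        case "$sq_target" in
            *"/qemu-kvm (deleted)") printf '%s\n' "${sq_dir##*/}" ;;
        esac
    done
    return 0
}

# build_sample_proc DIR - constructed stand-in for /proc (sample data only).
build_sample_proc() {
    mkdir -p "$1/1201" "$1/1202" "$1/1203"
    ln -s "/usr/libexec/qemu-kvm (deleted)" "$1/1201/exe"  # VM not restarted
    ln -s "/usr/libexec/qemu-kvm" "$1/1202/exe"            # VM restarted
    ln -s "/usr/sbin/sshd" "$1/1203/exe"                   # unrelated process
}

# Offline demonstration on the constructed tree; on a host, call
# stale_qemu_pids with no argument instead.
demo_dir=$(mktemp -d)
build_sample_proc "$demo_dir"
echo "PIDs still on the pre-update binary: $(stale_qemu_pids "$demo_dir")"
rm -rf "$demo_dir"
```

An empty result on a host means no qemu-kvm process is still mapped to a replaced binary.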

5. Bugs fixed (

1139507 - wrong data-plane properties via info qtree to check if use iothread object syntax
1178472 - fail to boot win2012r2 guest with hv_relaxed&hv_vapic&hv_spinlocks=0x1fff&hv_time & -smp 80,cores=2,threads=1,sockets=40
1212715 - qemu-img gets wrong actual path of backing file when the file name contains colon
1213786 - qemu-img doesn't check if base image exists when size parameter indicated.
1285044 - migration/RDMA: Race condition
1305398 - [RFE] PAPR Hash Page Table (HPT) resizing (qemu-kvm-rhev)
1320114 - qemu prompt "main-loop: WARNING: I/O thread spun for 1000 iterations" when block mirror from format qcow2 to raw
1344299 - PCIe: Add an option to PCIe ports to disable IO port space support
1372583 - Keyboard can't be used when install rhel7 in guest which has SATA CDROM and spice+qxl mode sometimes
1378241 - QEMU image file locking
1390346 - PCI: Reserve MMIO space over 4G for PCI hotplug
1390348 - PCI: Provide to libvirt a new query command whether a device is PCI/PCIe/hybrid
1398633 - [RFE] Kernel address space layout randomization [KASLR] support (qemu-kvm-rhev)
1406803 - RFE: native integration of LUKS and qcow2
1414049 - [RFE] Add support to qemu-img for resizing with preallocation
1433670 - Provide an API that estimates the size of QCOW2 image converted from a raw image
1434321 - [Q35] code 10 error when install VF in windows 2016
1437113 - PCIe: Allow configuring Generic PCIe Root Ports MMIO Window
1441460 - 'query-block' dirty bitmap count is shown in sectors but documented in bytes
1441684 - Re-enable op blocker assertions
1441938 - When boot windows guest with two numa nodes and pc-dimm assigned to the second node, the dimm cannot be recognized by the guest
1443877 - All the memory was assigned to the last node when guest booted up with 128 nodes
1445834 - Add support for AMD EPYC processors
1446565 - Some keys are missing when using fr-ca keyboard layout with VNC display
1447258 - Fail to create internal snapshot with data plane enable
1447413 - RFE: provide a secure way to pass cookies to curl block driver
1448344 - Failed to hot unplug cpu core which hotplugged in early boot stages
1449067 - [RFE] Device passthrough support for VT-d emulation
1449609 - qemu coredump when dd on multiple usb-storage devices concurrently in guest
1449991 - [rhel7.4][usb-hub]usb kdb doesn't work under 2 tier usb hubs with xhci controller for win2016 guest
1451015 - Qemu core dump when do 'quit ' in HMP via ide drive.
1451189 - Add way to select qemu-xhci / nec-usb-xhci device only
1451269 - Clarify the relativity of backing file and created image in "qemu-img create"
1453167 - [PPC] [Hot unplug CPU] Failed to hot unplug after migration
1454362 - QEMU fails to report error when requesting migration bind to "::" when ipv6 disabled
1454367 - QEMU fails to reject IPv4 connections when IPv4 listening is disabled
1455074 - qemu core dump when continuously hotplug/unplug virtserialport and virtio-serial-pci in a loop
1457662 - Windows guest cannot boot with interrupt remapping (VT-d)
1459906 - The guest with intel-iommu device enabled can not restore after managedsave
1459945 - migration fails with hungup serial console reader on -M pc-i440fx-rhel7.0.0 and pc-i440fx-rhel7.1.0
1460119 - qemu gets SIGABRT when hot-plug nvdimm device twice
1460595 - [virtio-vga]Display 2 should be dropped when guest reboot
1460848 - RFE: Enhance qemu to support freeing memory before exit when using memory-backend-file
1462145 - Qemu crashes when all fw_cfg slots are used
1463172 - [Tracing] capturing trace data failed
1464908 - [RFE] Add SCSI-3 PR support to qemu (similar to mpathpersist)
1465799 - When do migration from RHEL7.4 host to RHEL7.3.Z host, dst host prompt "error while loading state for instance 0x0 of device 'spapr_pci'"
1468260 - vhost-user/iommu: crash when backend disconnects
1470634 - Wrong allocation value after virDomainBlockCopy() (alloc=capacity)
1472756 - Keys to control audio are not forwarded to the guest
1474464 - Unable to send PAUSE/BREAK to guests in VNC or SPICE
1475634 - Requires for the seabios version that support vIOMMU of virtio
1476121 - Unable to start vhost if iommu_platform=on but intel_iommu=on not specified in guest
1481593 - Boot guest failed with "src/] tcmalloc: allocation failed 196608" when 465 disks are attached to 465 pci-bridges
1482478 - Fail to quit source qemu when do live migration after mirroring guest to NBD server
1486400 - CVE-2017-13711 Qemu: Slirp: use-after-free when sending response
1486560 - CVE-2017-13672 Qemu: vga: OOB read access during display update
1486588 - CVE-2017-13673 Qemu: vga: reachable assert failure during display update
1489670 - Hot-unplugging a vhost network device leaks references to VFIOPCIDevice's
1489800 - q35/ovmf: Machine type compat vs OVMF vs windows
1491909 - IP network can not recover after several vhost-user reconnect
1492178 - Non-top-level change-backing-file causes assertion failure
1492295 - Guest hit call trace with iothrottling(iops) after the status from stop to cont during doing io testing
1495090 - Transfer a file about 10M failed from host to guest through spapr-vty device
1495456 - Update downstream qemu's max supported cpus for pseries to the RHEL supported number
1496879 - CVE-2017-15268 Qemu: I/O: potential memory exhaustion via websock connection to VNC
1497120 - migration+new block migration race: bdrv_co_do_pwritev: Assertion `!(bs->open_flags & 0x0800)' failed
1497137 - Update kvm_stat
1497740 - -cdrom option is broken
1498042 - RFE: option to mark virtual block device as rotational/non-rotational
1498496 - Handle device tree changes in QEMU 2.10.0
1498754 - Definition of HW_COMPAT_RHEL7_3 is not correct
1498817 - Vhost IOMMU support regression since qemu-kvm-rhev-2.9.0-16.el7_4.5
1498865 - There is no switch to build qemu-kvm-rhev or qemu-kvm-ma packages
1499011 - 7.5: x86 machine types for 7.5
1499647 - qemu miscalculates guest RAM size during HPT resizing
1500181 - [Q35] guest boot up failed with ovmf
1500334 - LUKS driver has poor performance compared to in-kernel driver
1501240 - Enable migration device
1501337 - Support specialized spapr-dr-connector devices
1501468 - Remove RHEL-7.4 machine type in 7.5 release
1502949 - Update configure parameters to cover changes in 2.10.0
1505654 - Missing libvxhs share-able object file when try to query vxhs protocol
1505696 - Qemu crashed when open the second display of virtio video
1505701 - -blockdev fails if a qcow2 image has backing store format and backing store is referenced via node-name
1506151 - [data-plane] Quitting qemu in destination side encounters "core dumped" when doing live migration
1506531 - [data-plane] Qemu-kvm core dumped when hot-unplugging a block device with data-plane while the drive-mirror job is running
1506882 - Call trace showed up in dmesg after migrating guest when "stress-ng --numa 2" was running inside guest
1507693 - Unable to hot plug device to VM reporting libvirt errors.
1508271 - Migration is failed from host RHEL7.4.z to host RHEL7.5 with "-machine pseries-rhel7.4.0 -device pci-bridge,id=pci_bridge,bus=pci.0,addr=03,chassis_nr=1"
1508799 - qemu-kvm core dumped when doing 'savevm/loadvm/delvm' for the second time
1508886 - QEMU's AIO subsystem gets stuck inhibiting all I/O operations on virtio-blk-pci devices
1510809 - qemu-kvm core dumped when booting up guest using both virtio-vga and VGA
1511312 - Migrate an VM with pci-bridge or pcie-root-port failed
1513870 - For VNC connection, characters '|' and '<' are both recognized as '>' in linux guests, while '<' and '>' are both recognized as '|' in windows guest
1515173 - Cross migration from rhel6.9 to rhel7.5 failed
1515393 - bootindex is not taken into account for virtio-scsi devices on ppc64 if the LUN is >= 256
1515604 - qemu-img info: failed to get "consistent read" lock on a mirroring image
1516922 - CVE-2017-15118 Qemu: stack buffer overflow in NBD server triggered via long export name
1516925 - CVE-2017-15119 qemu: DoS via large option request
1517144 - Provide a ppc64le specific /etc/modprobe.d/kvm.conf
1518482 - "share-rw" property is unavailable on scsi passthrough devices
1518649 - Client compatibility flaws in VNC websockets server
1519721 - Both qemu and guest hang when performing live snapshot transaction with data-plane
1520294 - Hot-unplug the second pf cause qemu promote " Failed to remove group $iommu_group_num from KVM VFIO device:"
1520824 - Migration with dataplane, qemu processor hang, vm hang and migration can't finish
1523414 - [POWER guests] Verify compatible CPU & hypervisor capabilities across migration
1525195 - CVE-2017-15124 Qemu: memory exhaustion through framebuffer update request message in VNC server
1525324 - 2 VMs both with 'share-rw=on' appending on '-device usb-storage' for the same source image can not be started at the same time
1525868 - Guest hit core dump with both IO throttling and data plane
1526212 - qemu-img should not need a write lock for creating the overlay image
1526423 - QEMU hang with data plane enabled after some sg_write_same operations in guest
1528173 - Hot-unplug memory during booting early stage induced qemu-kvm coredump
1529053 - Miss the handling of EINTR in the fcntl calls made by QEMU
1529243 - Migration from P9 to P8, migration failed and qemu quit on dst end with "error while loading state for instance 0x0 of device 'ics'"
1529676 - kvm_stat: option '--guest' doesn't work
1530356 - CVE-2018-5683 Qemu: Out-of-bounds read in vga_draw_text routine
1534491 - Mirror jobs for drives with iothreads make QEMU to abort with "block.c:1895: bdrv_attach_child: Assertion `bdrv_get_aio_context(parent_bs) == bdrv_get_aio_context(child_bs)' failed."
1535752 - Device tree incorrectly advertises compatibility modes for secondary CPUs
1535992 - Set force shared option "-U" as default option for "qemu-img info"
1538494 - Guest crashed on the source host when cancel migration by virDomainMigrateBegin3Params sometimes
1538953 - IOTLB entry size mismatch before/after migration during DPDK PVP testing
1540003 - Postcopy migration failed with "Unreasonably large packaged state"
1540182 - QEMU: disallow virtio-gpu to boot with vIOMMU
1542045 - qemu-kvm-rhev seg-faults at qemu_co_queue_run_restart (co=co@entry=0x5602801e8080) at util/qemu-coroutine-lock.c:83)

6. Package List:

Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts:




These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from

7. References:

8. Contact:

The Red Hat security contact is <>. More contact
details at

Copyright 2018 Red Hat, Inc.