-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: qemu-kvm-rhev security, bug fix, and enhancement update
Advisory ID:       RHSA-2018:1104-01
Product:           Red Hat Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:1104
Issue date:        2018-04-10
CVE Names:         CVE-2017-13672 CVE-2017-13673 CVE-2017-13711
                   CVE-2017-15118 CVE-2017-15119 CVE-2017-15124
                   CVE-2017-15268 CVE-2018-5683
=====================================================================

1. Summary:

An update for qemu-kvm-rhev is now available for Red Hat Virtualization 4
for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts - ppc64le, x86_64

3. Description:

KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on a variety of architectures. The qemu-kvm-rhev packages provide the
user-space component for running virtual machines that use KVM in
environments managed by Red Hat products.

The following packages have been upgraded to a later upstream version:
qemu-kvm-rhev (2.10.0). (BZ#1470749)

Security Fix(es):

* Qemu: stack buffer overflow in NBD server triggered via long export name
(CVE-2017-15118)

* Qemu: DoS via large option request (CVE-2017-15119)

* Qemu: vga: OOB read access during display update (CVE-2017-13672)

* Qemu: vga: reachable assert failure during display update (CVE-2017-13673)

* Qemu: Slirp: use-after-free when sending response (CVE-2017-13711)

* Qemu: memory exhaustion through framebuffer update request message in VNC
server (CVE-2017-15124)

* Qemu: I/O: potential memory exhaustion via websock connection to VNC
(CVE-2017-15268)

* Qemu: Out-of-bounds read in vga_draw_text routine (CVE-2018-5683)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in the
References section.

Red Hat would like to thank David Buchanan for reporting CVE-2017-13672 and
CVE-2017-13673; Wjjzhang (Tencent.com) for reporting CVE-2017-13711; and
Jiang Xin and Lin ZheCheng for reporting CVE-2018-5683. The CVE-2017-15118
and CVE-2017-15119 issues were discovered by Eric Blake (Red Hat) and the
CVE-2017-15124 issue was discovered by Daniel Berrange (Red Hat).

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, shut down all running virtual machines. Once
all virtual machines have shut down, start them again for this update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1139507 - wrong data-plane properties via info qtree to check if use iothread object syntax
1178472 - fail to boot win2012r2 guest with hv_relaxed&hv_vapic&hv_spinlocks=0x1fff&hv_time & -smp 80,cores=2,threads=1,sockets=40
1212715 - qemu-img gets wrong actual path of backing file when the file name contains colon
1213786 - qemu-img doesn't check if base image exists when size parameter indicated.
1285044 - migration/RDMA: Race condition
1305398 - [RFE] PAPR Hash Page Table (HPT) resizing (qemu-kvm-rhev)
1320114 - qemu prompt "main-loop: WARNING: I/O thread spun for 1000 iterations" when block mirror from format qcow2 to raw
1344299 - PCIe: Add an option to PCIe ports to disable IO port space support
1372583 - Keyboard can't be used when install rhel7 in guest which has SATA CDROM and spice+qxl mode sometimes
1378241 - QEMU image file locking
1390346 - PCI: Reserve MMIO space over 4G for PCI hotplug
1390348 - PCI: Provide to libvirt a new query command whether a device is PCI/PCIe/hybrid
1398633 - [RFE] Kernel address space layout randomization [KASLR] support (qemu-kvm-rhev)
1406803 - RFE: native integration of LUKS and qcow2
1414049 - [RFE] Add support to qemu-img for resizing with preallocation
1433670 - Provide an API that estimates the size of QCOW2 image converted from a raw image
1434321 - [Q35] code 10 error when install VF in windows 2016
1437113 - PCIe: Allow configuring Generic PCIe Root Ports MMIO Window
1441460 - 'query-block' dirty bitmap count is shown in sectors but documented in bytes
1441684 - Re-enable op blocker assertions
1441938 - When boot windows guest with two numa nodes and pc-dimm assigned to the second node, the dimm cannot be recognized by the guest
1443877 - All the memory was assigned to the last node when guest booted up with 128 nodes
1445834 - Add support for AMD EPYC processors
1446565 - Some keys are missing when using fr-ca keyboard layout with VNC display
1447258 - Fail to create internal snapshot with data plane enable
1447413 - RFE: provide a secure way to pass cookies to curl block driver
1448344 - Failed to hot unplug cpu core which hotplugged in early boot stages
1449067 - [RFE] Device passthrough support for VT-d emulation
1449609 - qemu coredump when dd on multiple usb-storage devices concurrently in guest
1449991 - [rhel7.4][usb-hub]usb kdb doesn't work under 2 tier usb hubs with xhci contronnler for win2016 guest
1451015 - Qemu core dump when do 'quit ' in HMP via ide drive.
1451189 - Add way to select qemu-xhci / nec-usb-xhci device only
1451269 - Clarify the relativity of backing file and created image in "qemu-img create"
1453167 - [PPC] [Hot unplug CPU] Failed to hot unplug after migration
1454362 - QEMU fails to report error when requesting migration bind to "::" when ipv6 disabled
1454367 - QEMU fails to reject IPv4 connections when IPv4 listening is disabled
1455074 - qemu core dump when continuouly hotplug/unplug virtserialport and virito-serial-pci in a loop
1457662 - Windows guest cannot boot with interrupt remapping (VT-d)
1459906 - The guest with intel-iommu device enabled can not restore after managedsave
1459945 - migration fails with hungup serial console reader on -M pc-i440fx-rhel7.0.0 and pc-i440fx-rhel7.1.0
1460119 - qemu gets SIGABRT when hot-plug nvdimm device twice
1460595 - [virtio-vga]Display 2 should be dropped when guest reboot
1460848 - RFE: Enhance qemu to support freeing memory before exit when using memory-backend-file
1462145 - Qemu crashes when all fw_cfg slots are used
1463172 - [Tracing] capturing trace data failed
1464908 - [RFE] Add SCSI-3 PR support to qemu (similar to mpathpersist)
1465799 - When do migration from RHEL7.4 host to RHEL7.3.Z host, dst host prompt "error while loading state for instance 0x0 of device 'spapr_pci'"
1468260 - vhost-user/iommu: crash when backend disconnects
1470634 - Wrong allocation value after virDomainBlockCopy() (alloc=capacity)
1472756 - Keys to control audio are not forwarded to the guest
1474464 - Unable to send PAUSE/BREAK to guests in VNC or SPICE
1475634 - Requires for the seabios version that support vIOMMU of virtio
1476121 - Unable to start vhost if iommu_platform=on but intel_iommu=on not specified in guest
1481593 - Boot guest failed with "src/central_freelist.cc:333] tcmalloc: allocation failed 196608" when 465 disks are attached to 465 pci-bridges
1482478 - Fail to quit source qemu when do live migration after mirroring guest to NBD server
1486400 - CVE-2017-13711 Qemu: Slirp: use-after-free when sending response
1486560 - CVE-2017-13672 Qemu: vga: OOB read access during display update
1486588 - CVE-2017-13673 Qemu: vga: reachable assert failure during display update
1489670 - Hot-unplugging a vhost network device leaks references to VFIOPCIDevice's
1489800 - q35/ovmf: Machine type compat vs OVMF vs windows
1491909 - IP network can not recover after several vhost-user reconnect
1492178 - Non-top-level change-backing-file causes assertion failure
1492295 - Guest hit call trace with iothrottling(iops) after the status from stop to cont during doing io testing
1495090 - Transfer a file about 10M failed from host to guest through spapr-vty device
1495456 - Update downstream qemu's max supported cpus for pseries to the RHEL supported number
1496879 - CVE-2017-15268 Qemu: I/O: potential memory exhaustion via websock connection to VNC
1497120 - migration+new block migration race: bdrv_co_do_pwritev: Assertion `!(bs->open_flags & 0x0800)' failed
1497137 - Update kvm_stat
1497740 - -cdrom option is broken
1498042 - RFE: option to mark virtual block device as rotational/non-rotational
1498496 - Handle device tree changes in QEMU 2.10.0
1498754 - Definition of HW_COMPAT_RHEL7_3 is not correct
1498817 - Vhost IOMMU support regression since qemu-kvm-rhev-2.9.0-16.el7_4.5
1498865 - There is no switch to build qemu-kvm-rhev or qemu-kvm-ma packages
1499011 - 7.5: x86 machine types for 7.5
1499647 - qemu miscalculates guest RAM size during HPT resizing
1500181 - [Q35] guest boot up failed with ovmf
1500334 - LUKS driver has poor performance compared to in-kernel driver
1501240 - Enable migration device
1501337 - Support specialized spapr-dr-connector devices
1501468 - Remove RHEL-7.4 machine machine type in 7.5 release
1502949 - Update configure parameters to cover changes in 2.10.0
1505654 - Missing libvxhs share-able object file when try to query vxhs protocol
1505696 - Qemu crashed when open the second display of virtio video
1505701 - -blockdev fails if a qcow2 image has backing store format and backing store is referenced via node-name
1506151 - [data-plane] Quitting qemu in destination side encounters "core dumped" when doing live migration
1506531 - [data-plane] Qemu-kvm core dumped when hot-unplugging a block device with data-plane while the drive-mirror job is running
1506882 - Call trace showed up in dmesg after migrating guest when "stress-ng --numa 2" was running inside guest
1507693 - Unable to hot plug device to VM reporting libvirt errors.
1508271 - Migration is failed from host RHEL7.4.z to host RHEL7.5 with "-machine pseries-rhel7.4.0 -device pci-bridge,id=pci_bridge,bus=pci.0,addr=03,chassis_nr=1"
1508799 - qemu-kvm core dumped when doing 'savevm/loadvm/delvm' for the second time
1508886 - QEMU's AIO subsystem gets stuck inhibiting all I/O operations on virtio-blk-pci devices
1510809 - qemu-kvm core dumped when booting up guest using both virtio-vga and VGA
1511312 - Migrate an VM with pci-bridge or pcie-root-port failed
1513870 - For VNC connection, characters '|' and '<' are both recognized as '>' in linux guests, while '<' and '>' are both recognized as '|' in windows guest
1515173 - Cross migration from rhel6.9 to rhel7.5 failed
1515393 - bootindex is not taken into account for virtio-scsi devices on ppc64 if the LUN is >= 256
1515604 - qemu-img info: failed to get "consistent read" lock on a mirroring image
1516922 - CVE-2017-15118 Qemu: stack buffer overflow in NBD server triggered via long export name
1516925 - CVE-2017-15119 qemu: DoS via large option request
1517144 - Provide a ppc64le specific /etc/modprobe.d/kvm.conf
1518482 - "share-rw" property is unavailable on scsi passthrough devices
1518649 - Client compatibility flaws in VNC websockets server
1519721 - Both qemu and guest hang when performing live snapshot transaction with data-plane
1520294 - Hot-unplug the second pf cause qemu promote " Failed to remove group $iommu_group_num from KVM VFIO device:"
1520824 - Migration with dataplane, qemu processor hang, vm hang and migration can't finish
1523414 - [POWER guests] Verify compatible CPU & hypervisor capabilities across migration
1525195 - CVE-2017-15124 Qemu: memory exhaustion through framebuffer update request message in VNC server
1525324 - 2 VMs both with 'share-rw=on' appending on '-device usb-storage' for the same source image can not be started at the same time
1525868 - Guest hit core dump with both IO throttling and data plane
1526212 - qemu-img should not need a write lock for creating the overlay image
1526423 - QEMU hang with data plane enabled after some sg_write_same operations in guest
1528173 - Hot-unplug memory during booting early stage induced qemu-kvm coredump
1529053 - Miss the handling of EINTR in the fcntl calls made by QEMU
1529243 - Migration from P9 to P8, migration failed and qemu quit on dst end with "error while loading state for instance 0x0 of device 'ics'"
1529676 - kvm_stat: option '--guest' doesn't work
1530356 - CVE-2018-5683 Qemu: Out-of-bounds read in vga_draw_text routine
1534491 - Mirror jobs for drives with iothreads make QEMU to abort with "block.c:1895: bdrv_attach_child: Assertion `bdrv_get_aio_context(parent_bs) == bdrv_get_aio_context(child_bs)' failed."
1535752 - Device tree incorrectly advertises compatibility modes for secondary CPUs
1535992 - Set force shared option "-U" as default option for "qemu-img info"
1538494 - Guest crashed on the source host when cancel migration by virDomainMigrateBegin3Params sometimes
1538953 - IOTLB entry size mismatch before/after migration during DPDK PVP testing
1540003 - Postcopy migration failed with "Unreasonably large packaged state"
1540182 - QEMU: disallow virtio-gpu to boot with vIOMMU
1542045 - qemu-kvm-rhev seg-faults at qemu_co_queue_run_restart (co=co@entry=0x5602801e8080) at util/qemu-coroutine-lock.c:83)

6. Package List:

Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts:

Source:
qemu-kvm-rhev-2.10.0-21.el7.src.rpm

ppc64le:
qemu-img-rhev-2.10.0-21.el7.ppc64le.rpm
qemu-kvm-common-rhev-2.10.0-21.el7.ppc64le.rpm
qemu-kvm-rhev-2.10.0-21.el7.ppc64le.rpm
qemu-kvm-rhev-debuginfo-2.10.0-21.el7.ppc64le.rpm
qemu-kvm-tools-rhev-2.10.0-21.el7.ppc64le.rpm

x86_64:
qemu-img-rhev-2.10.0-21.el7.x86_64.rpm
qemu-kvm-common-rhev-2.10.0-21.el7.x86_64.rpm
qemu-kvm-rhev-2.10.0-21.el7.x86_64.rpm
qemu-kvm-rhev-debuginfo-2.10.0-21.el7.x86_64.rpm
qemu-kvm-tools-rhev-2.10.0-21.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-13672
https://access.redhat.com/security/cve/CVE-2017-13673
https://access.redhat.com/security/cve/CVE-2017-13711
https://access.redhat.com/security/cve/CVE-2017-15118
https://access.redhat.com/security/cve/CVE-2017-15119
https://access.redhat.com/security/cve/CVE-2017-15124
https://access.redhat.com/security/cve/CVE-2017-15268
https://access.redhat.com/security/cve/CVE-2018-5683
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFazQivXlSAg2UNWIIRAvRfAJ98ez1o2WqwAlg/gdvEnRSbX48HsACfQkOz
Df708KcQ3kqiE166VNHDXyo=
=7DzE
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
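One way to check a host inventory against the package list in section 6, as an added example that is not Red Hat's code: it compares installed NVRs from `rpm -qa` output with the fixed build 2.10.0-21.el7 using a simplified rpmvercmp (epoch, tilde and caret handling are omitted). The sample `rpm -qa` output is constructed for illustration.

```python
import re

# Fixed version-release for each package named in section 6 of RHSA-2018:1104.
FIXED_VR = {name: "2.10.0-21.el7" for name in (
    "qemu-img-rhev", "qemu-kvm-common-rhev", "qemu-kvm-rhev", "qemu-kvm-tools-rhev")}

def rpm_vercmp(a, b):
    """Simplified rpmvercmp (no epoch, tilde or caret): returns -1, 0 or 1."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric run sorts newer than alpha
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def split_nvra(nvra):
    """'qemu-kvm-rhev-2.10.0-16.el7_4.5.x86_64' -> (name, version, release)."""
    name, version, release = nvra.rsplit(".", 1)[0].rsplit("-", 2)
    return name, version, release

def unpatched(rpm_qa_output):
    """Installed NVRAs from `rpm -qa` output that are older than the fixed build."""
    stale = []
    for line in rpm_qa_output.split():
        name, ver, rel = split_nvra(line)
        if name not in FIXED_VR:
            continue  # not covered by this advisory
        fver, frel = FIXED_VR[name].split("-")
        if (rpm_vercmp(ver, fver) or rpm_vercmp(rel, frel)) < 0:
            stale.append(line)
    return stale

# Constructed sample of `rpm -qa` output from a hypothetical RHV host.
SAMPLE_RPM_QA = """
qemu-kvm-rhev-2.10.0-16.el7_4.5.x86_64
qemu-img-rhev-2.10.0-21.el7.x86_64
qemu-kvm-common-rhev-2.9.0-16.el7_4.5.x86_64
libvirt-daemon-3.9.0-14.el7.x86_64
"""

if __name__ == "__main__":
    for nvra in unpatched(SAMPLE_RPM_QA):
        print("needs RHSA-2018:1104:", nvra)
```

On a live RHEL 7 host `yum updateinfo list security` is the authoritative check; this script is for reviewing captured inventories offline.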