
Security vulnerabilities in the qemu-kvm-rhev package

  • OS details: WN7
  • Importance: URG
  • Operating systems: L
  • Categories: LRH


Red Hat Security Advisory

Synopsis: Important: qemu-kvm-rhev security, bug fix, and enhancement update
Advisory ID: RHSA-2018:1104-01
Product: Red Hat Virtualization
Advisory URL:
Issue date: 2018-04-10
CVE Names: CVE-2017-13672 CVE-2017-13673 CVE-2017-13711
CVE-2017-15118 CVE-2017-15119 CVE-2017-15124
CVE-2017-15268 CVE-2018-5683

1. Summary:

An update for qemu-kvm-rhev is now available for Red Hat Virtualization 4
for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts – ppc64le, x86_64

3. Description:

KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on a variety of architectures. The qemu-kvm-rhev packages provide the
user-space component for running virtual machines that use KVM in
environments managed by Red Hat products.

The following packages have been upgraded to a later upstream version:
qemu-kvm-rhev (2.10.0). (BZ#1470749)

Security Fix(es):

* Qemu: stack buffer overflow in NBD server triggered via long export name
(CVE-2017-15118)

* Qemu: DoS via large option request (CVE-2017-15119)

* Qemu: vga: OOB read access during display update (CVE-2017-13672)

* Qemu: vga: reachable assert failure during display update (CVE-2017-13673)

* Qemu: Slirp: use-after-free when sending response (CVE-2017-13711)

* Qemu: memory exhaustion through framebuffer update request message in VNC
server (CVE-2017-15124)

* Qemu: I/O: potential memory exhaustion via websock connection to VNC
(CVE-2017-15268)

* Qemu: Out-of-bounds read in vga_draw_text routine (CVE-2018-5683)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Red Hat would like to thank David Buchanan for reporting CVE-2017-13672 and
CVE-2017-13673; Wjjzhang for reporting CVE-2017-13711; and
Jiang Xin and Lin ZheCheng for reporting CVE-2018-5683. The CVE-2017-15118
and CVE-2017-15119 issues were discovered by Eric Blake (Red Hat) and the
CVE-2017-15124 issue was discovered by Daniel Berrange (Red Hat).

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

After installing this update, shut down all running virtual machines. Once
all virtual machines have shut down, start them again for this update to
take effect.
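
The restart requirement above is the step most often missed: the RPM upgrade replaces the qemu-kvm binary on disk, but every guest keeps executing the old, now-unlinked copy until it is shut down and started again. The following script is an added example, not part of the Red Hat advisory, that finds those guests by checking each qemu-kvm process's `/proc/<pid>/exe` link, which the kernel suffixes with " (deleted)" when the underlying file has been replaced. It assumes the emulator lives at `/usr/libexec/qemu-kvm` (the RHEL default) and that it runs as root so every process is inspectable.

```shell
#!/bin/sh
# Added example, not part of the Red Hat advisory: after qemu-kvm-rhev has
# been updated, list guests whose qemu-kvm process still runs the binary
# that was replaced on disk. The kernel appends " (deleted)" to
# /proc/<pid>/exe for such processes, so those guests have not picked up
# the fix and need a full shut down and start, as the Solution section says.
# Assumptions: the emulator is installed as /usr/libexec/qemu-kvm (RHEL
# default) and the script runs as root so every /proc/<pid>/exe is readable.

# Classify one readlink(/proc/<pid>/exe) result.
# Returns 0 when it is a qemu-kvm binary that has been replaced, 1 otherwise.
is_stale_qemu() {
    case "$1" in
        *qemu-kvm*' (deleted)') return 0 ;;
        *)                      return 1 ;;
    esac
}

# Print "<pid> <exe target>" for every running qemu-kvm process that is
# still executing a replaced binary. Processes we may not inspect are skipped.
list_stale_qemu() {
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        if is_stale_qemu "$target"; then
            pid=${exe#/proc/}
            pid=${pid%/exe}
            printf '%s %s\n' "$pid" "$target"
        fi
    done
}

# Report the installed package (the advisory rebases it to upstream 2.10.0)
# and which guests still need a restart before the fix is in effect.
rpm -q qemu-kvm-rhev 2>/dev/null || echo "rpm query skipped (package not installed or not an RPM host)"
stale=$(list_stale_qemu || true)
if [ -n "$stale" ]; then
    printf 'qemu-kvm processes still on the old binary (shut down and start these guests):\n%s\n' "$stale"
else
    echo "no qemu-kvm process is running a replaced binary"
fi
```

Run it on each RHV host after the package update; the guest name for a reported PID is visible in the process arguments (`ps -o args= -p PID` shows the `-name` option libvirt passed). An empty result after every guest has been cycled confirms the update is actually in effect, whereas `rpm -q` alone only proves the files on disk changed.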

5. Bugs fixed:

1139507 – wrong data-plane properties via info qtree to check if use iothread object syntax
1178472 – fail to boot win2012r2 guest with hv_relaxed&hv_vapic&hv_spinlocks=0x1fff&hv_time & -smp 80,cores=2,threads=1,sockets=40
1212715 – qemu-img gets wrong actual path of backing file when the file name contains colon
1213786 – qemu-img doesn’t check if base image exists when size parameter indicated.
1285044 – migration/RDMA: Race condition
1305398 – [RFE] PAPR Hash Page Table (HPT) resizing (qemu-kvm-rhev)
1320114 – qemu prompt “main-loop: WARNING: I/O thread spun for 1000 iterations” when block mirror from format qcow2 to raw
1344299 – PCIe: Add an option to PCIe ports to disable IO port space support
1372583 – Keyboard can’t be used when install rhel7 in guest which has SATA CDROM and spice+qxl mode sometimes
1378241 – QEMU image file locking
1390346 – PCI: Reserve MMIO space over 4G for PCI hotplug
1390348 – PCI: Provide to libvirt a new query command whether a device is PCI/PCIe/hybrid
1398633 – [RFE] Kernel address space layout randomization [KASLR] support (qemu-kvm-rhev)
1406803 – RFE: native integration of LUKS and qcow2
1414049 – [RFE] Add support to qemu-img for resizing with preallocation
1433670 – Provide an API that estimates the size of QCOW2 image converted from a raw image
1434321 – [Q35] code 10 error when install VF in windows 2016
1437113 – PCIe: Allow configuring Generic PCIe Root Ports MMIO Window
1441460 – ‘query-block’ dirty bitmap count is shown in sectors but documented in bytes
1441684 – Re-enable op blocker assertions
1441938 – When boot windows guest with two numa nodes and pc-dimm assigned to the second node, the dimm cannot be recognized by the guest
1443877 – All the memory was assigned to the last node when guest booted up with 128 nodes
1445834 – Add support for AMD EPYC processors
1446565 – Some keys are missing when using fr-ca keyboard layout with VNC display
1447258 – Fail to create internal snapshot with data plane enable
1447413 – RFE: provide a secure way to pass cookies to curl block driver
1448344 – Failed to hot unplug cpu core which hotplugged in early boot stages
1449067 – [RFE] Device passthrough support for VT-d emulation
1449609 – qemu coredump when dd on multiple usb-storage devices concurrently in guest
1449991 – [rhel7.4][usb-hub] usb keyboard doesn’t work under 2-tier usb hubs with xhci controller for win2016 guest
1451015 – Qemu core dump when do ‘quit ‘ in HMP via ide drive.
1451189 – Add way to select qemu-xhci / nec-usb-xhci device only
1451269 – Clarify the relativity of backing file and created image in “qemu-img create”
1453167 – [PPC] [Hot unplug CPU] Failed to hot unplug after migration
1454362 – QEMU fails to report error when requesting migration bind to “::” when ipv6 disabled
1454367 – QEMU fails to reject IPv4 connections when IPv4 listening is disabled
1455074 – qemu core dump when continuously hotplugging/unplugging virtserialport and virtio-serial-pci in a loop
1457662 – Windows guest cannot boot with interrupt remapping (VT-d)
1459906 – The guest with intel-iommu device enabled can not restore after managedsave
1459945 – migration fails with hungup serial console reader on -M pc-i440fx-rhel7.0.0 and pc-i440fx-rhel7.1.0
1460119 – qemu gets SIGABRT when hot-plug nvdimm device twice
1460595 – [virtio-vga]Display 2 should be dropped when guest reboot
1460848 – RFE: Enhance qemu to support freeing memory before exit when using memory-backend-file
1462145 – Qemu crashes when all fw_cfg slots are used
1463172 – [Tracing] capturing trace data failed
1464908 – [RFE] Add SCSI-3 PR support to qemu (similar to mpathpersist)
1465799 – When do migration from RHEL7.4 host to RHEL7.3.Z host, dst host prompt “error while loading state for instance 0x0 of device ‘spapr_pci'”
1468260 – vhost-user/iommu: crash when backend disconnects
1470634 – Wrong allocation value after virDomainBlockCopy() (alloc=capacity)
1472756 – Keys to control audio are not forwarded to the guest
1474464 – Unable to send PAUSE/BREAK to guests in VNC or SPICE
1475634 – Requires for the seabios version that support vIOMMU of virtio
1476121 – Unable to start vhost if iommu_platform=on but intel_iommu=on not specified in guest
1481593 – Boot guest failed with “src/] tcmalloc: allocation failed 196608” when 465 disks are attached to 465 pci-bridges
1482478 – Fail to quit source qemu when do live migration after mirroring guest to NBD server
1486400 – CVE-2017-13711 Qemu: Slirp: use-after-free when sending response
1486560 – CVE-2017-13672 Qemu: vga: OOB read access during display update
1486588 – CVE-2017-13673 Qemu: vga: reachable assert failure during display update
1489670 – Hot-unplugging a vhost network device leaks references to VFIOPCIDevice’s
1489800 – q35/ovmf: Machine type compat vs OVMF vs windows
1491909 – IP network can not recover after several vhost-user reconnect
1492178 – Non-top-level change-backing-file causes assertion failure
1492295 – Guest hit call trace with iothrottling(iops) after the status from stop to cont during doing io testing
1495090 – Transfer a file about 10M failed from host to guest through spapr-vty device
1495456 – Update downstream qemu’s max supported cpus for pseries to the RHEL supported number
1496879 – CVE-2017-15268 Qemu: I/O: potential memory exhaustion via websock connection to VNC
1497120 – migration+new block migration race: bdrv_co_do_pwritev: Assertion `!(bs->open_flags & 0x0800)’ failed
1497137 – Update kvm_stat
1497740 – -cdrom option is broken
1498042 – RFE: option to mark virtual block device as rotational/non-rotational
1498496 – Handle device tree changes in QEMU 2.10.0
1498754 – Definition of HW_COMPAT_RHEL7_3 is not correct
1498817 – Vhost IOMMU support regression since qemu-kvm-rhev-2.9.0-16.el7_4.5
1498865 – There is no switch to build qemu-kvm-rhev or qemu-kvm-ma packages
1499011 – 7.5: x86 machine types for 7.5
1499647 – qemu miscalculates guest RAM size during HPT resizing
1500181 – [Q35] guest boot up failed with ovmf
1500334 – LUKS driver has poor performance compared to in-kernel driver
1501240 – Enable migration device
1501337 – Support specialized spapr-dr-connector devices
1501468 – Remove RHEL-7.4 machine machine type in 7.5 release
1502949 – Update configure parameters to cover changes in 2.10.0
1505654 – Missing libvxhs share-able object file when try to query vxhs protocol
1505696 – Qemu crashed when open the second display of virtio video
1505701 – -blockdev fails if a qcow2 image has backing store format and backing store is referenced via node-name
1506151 – [data-plane] Quitting qemu in destination side encounters “core dumped” when doing live migration
1506531 – [data-plane] Qemu-kvm core dumped when hot-unplugging a block device with data-plane while the drive-mirror job is running
1506882 – Call trace showed up in dmesg after migrating guest when “stress-ng –numa 2” was running inside guest
1507693 – Unable to hot plug device to VM reporting libvirt errors.
1508271 – Migration is failed from host RHEL7.4.z to host RHEL7.5 with “-machine pseries-rhel7.4.0 -device pci-bridge,id=pci_bridge,bus=pci.0,addr=03,chassis_nr=1”
1508799 – qemu-kvm core dumped when doing ‘savevm/loadvm/delvm’ for the second time
1508886 – QEMU’s AIO subsystem gets stuck inhibiting all I/O operations on virtio-blk-pci devices
1510809 – qemu-kvm core dumped when booting up guest using both virtio-vga and VGA
1511312 – Migrate an VM with pci-bridge or pcie-root-port failed
1513870 – For VNC connection, characters ‘|’ and ‘<’ are both recognized as ‘>’ in linux guests, while ‘<’ and ‘>’ are both recognized as ‘|’ in windows guest
1515173 – Cross migration from rhel6.9 to rhel7.5 failed
1515393 – bootindex is not taken into account for virtio-scsi devices on ppc64 if the LUN is >= 256
1515604 – qemu-img info: failed to get “consistent read” lock on a mirroring image
1516922 – CVE-2017-15118 Qemu: stack buffer overflow in NBD server triggered via long export name
1516925 – CVE-2017-15119 qemu: DoS via large option request
1517144 – Provide a ppc64le specific /etc/modprobe.d/kvm.conf
1518482 – “share-rw” property is unavailable on scsi passthrough devices
1518649 – Client compatibility flaws in VNC websockets server
1519721 – Both qemu and guest hang when performing live snapshot transaction with data-plane
1520294 – Hot-unplug of the second PF causes qemu to prompt “Failed to remove group $iommu_group_num from KVM VFIO device:”
1520824 – Migration with dataplane, qemu processor hang, vm hang and migration can’t finish
1523414 – [POWER guests] Verify compatible CPU & hypervisor capabilities across migration
1525195 – CVE-2017-15124 Qemu: memory exhaustion through framebuffer update request message in VNC server
1525324 – 2 VMs both with ‘share-rw=on’ appending on ‘-device usb-storage’ for the same source image can not be started at the same time
1525868 – Guest hit core dump with both IO throttling and data plane
1526212 – qemu-img should not need a write lock for creating the overlay image
1526423 – QEMU hang with data plane enabled after some sg_write_same operations in guest
1528173 – Hot-unplug memory during booting early stage induced qemu-kvm coredump
1529053 – Miss the handling of EINTR in the fcntl calls made by QEMU
1529243 – Migration from P9 to P8, migration failed and qemu quit on dst end with “error while loading state for instance 0x0 of device ‘ics'”
1529676 – kvm_stat: option ‘–guest’ doesn’t work
1530356 – CVE-2018-5683 Qemu: Out-of-bounds read in vga_draw_text routine
1534491 – Mirror jobs for drives with iothreads make QEMU to abort with “block.c:1895: bdrv_attach_child: Assertion `bdrv_get_aio_context(parent_bs) == bdrv_get_aio_context(child_bs)’ failed.”
1535752 – Device tree incorrectly advertises compatibility modes for secondary CPUs
1535992 – Set force shared option “-U” as default option for “qemu-img info”
1538494 – Guest crashed on the source host when cancel migration by virDomainMigrateBegin3Params sometimes
1538953 – IOTLB entry size mismatch before/after migration during DPDK PVP testing
1540003 – Postcopy migration failed with “Unreasonably large packaged state”
1540182 – QEMU: disallow virtio-gpu to boot with vIOMMU
1542045 – qemu-kvm-rhev seg-faults at qemu_co_queue_run_restart (co=co@entry=0x5602801e8080) at util/qemu-coroutine-lock.c:83)

6. Package List:

Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts:




These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from

7. References:

8. Contact:

The Red Hat security contact is <>. More contact
details at

Copyright 2018 Red Hat, Inc.


RHSA-announce mailing list

Author: Petar Bertok
Cert ID: NCERT-REF-2018-04-0001-ADV