Upstream information

CVE-2017-5856 at MITRE

Description

Memory leak in the megasas_handle_dcmd function in hw/scsi/megasas.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) via MegaRAID Firmware Interface (MFI) commands with the sglist size set to a value over 2 Gb.

SUSE information

CVSS v2 Scores
  National Vulnerability Database SUSE
Base Score 4.94 2.33
Vector AV:L/AC:L/Au:N/C:N/I:N/A:C AV:A/AC:M/Au:S/C:N/I:N/A:P
Access Vector Local Adjacent Network
Access Complexity Low Medium
Authentication None Single
Confidentiality Impact None None
Integrity Impact None None
Availability Impact Complete Partial
CVSS v3 Scores
  National Vulnerability Database
Base Score 6.5
Vector AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Access Vector Local
Access Complexity Low
Privileges Required Low
User Interaction None
Scope Changed
Confidentiality Impact None
Integrity Impact None
Availability Impact High

This issue is currently rated as having moderate severity.

SUSE Bugzilla entries: 1023053 [RESOLVED / FIXED], 1024186 [NEW]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Linux Enterprise Desktop 12 SP1
  • qemu >= 2.3.1-32.11
  • qemu-block-curl >= 2.3.1-32.11
  • qemu-ipxe >= 1.0.0-32.11
  • qemu-kvm >= 2.3.1-32.11
  • qemu-seabios >= 1.8.1-32.11
  • qemu-sgabios >= 8-32.11
  • qemu-tools >= 2.3.1-32.11
  • qemu-vgabios >= 1.8.1-32.11
  • qemu-x86 >= 2.3.1-32.11
  • xen >= 4.5.5_06-22.11.2
  • xen-kmp-default >= 4.5.5_06_k3.12.69_60.64.32-22.11.2
  • xen-libs >= 4.5.5_06-22.11.2
  • xen-libs-32bit >= 4.5.5_06-22.11.2
Patchnames:
SUSE-SLE-DESKTOP-12-SP1-2017-297
SUSE-SLE-DESKTOP-12-SP1-2017-740
SUSE Linux Enterprise Desktop 12 SP2
  • qemu >= 2.6.2-41.9.1
  • qemu-block-curl >= 2.6.2-41.9.1
  • qemu-ipxe >= 1.0.0-41.9.1
  • qemu-kvm >= 2.6.2-41.9.1
  • qemu-seabios >= 1.9.1-41.9.1
  • qemu-sgabios >= 8-41.9.1
  • qemu-tools >= 2.6.2-41.9.1
  • qemu-vgabios >= 1.9.1-41.9.1
  • qemu-x86 >= 2.6.2-41.9.1
Patchnames:
SUSE-SLE-DESKTOP-12-SP2-2017-336
SUSE Linux Enterprise Server 11 SP4
  • kvm >= 1.4.2-59.1
  • xen >= 4.4.4_14-51.1
  • xen-doc-html >= 4.4.4_14-51.1
  • xen-kmp-default >= 4.4.4_14_3.0.101_94-51.1
  • xen-kmp-pae >= 4.4.4_14_3.0.101_94-51.1
  • xen-libs >= 4.4.4_14-51.1
  • xen-libs-32bit >= 4.4.4_14-51.1
  • xen-tools >= 4.4.4_14-51.1
  • xen-tools-domU >= 4.4.4_14-51.1
Patchnames:
slessp4-kvm-13080
slessp4-xen-13019
SUSE Linux Enterprise Server 12 SP1
  • qemu >= 2.3.1-32.11
  • qemu-block-curl >= 2.3.1-32.11
  • qemu-block-rbd >= 2.3.1-32.11
  • qemu-guest-agent >= 2.3.1-32.11
  • qemu-ipxe >= 1.0.0-32.11
  • qemu-kvm >= 2.3.1-32.11
  • qemu-lang >= 2.3.1-32.11
  • qemu-ppc >= 2.3.1-32.11
  • qemu-s390 >= 2.3.1-32.11
  • qemu-seabios >= 1.8.1-32.11
  • qemu-sgabios >= 8-32.11
  • qemu-tools >= 2.3.1-32.11
  • qemu-vgabios >= 1.8.1-32.11
  • qemu-x86 >= 2.3.1-32.11
  • xen >= 4.5.5_06-22.11.2
  • xen-doc-html >= 4.5.5_06-22.11.2
  • xen-kmp-default >= 4.5.5_06_k3.12.69_60.64.32-22.11.2
  • xen-libs >= 4.5.5_06-22.11.2
  • xen-libs-32bit >= 4.5.5_06-22.11.2
  • xen-tools >= 4.5.5_06-22.11.2
  • xen-tools-domU >= 4.5.5_06-22.11.2
Patchnames:
SUSE-SLE-SERVER-12-SP1-2017-297
SUSE-SLE-SERVER-12-SP1-2017-740
SUSE Linux Enterprise Server 12 SP2
  • qemu >= 2.6.2-41.9.1
  • qemu-arm >= 2.6.2-41.9.1
  • qemu-block-curl >= 2.6.2-41.9.1
  • qemu-block-rbd >= 2.6.2-41.9.1
  • qemu-block-ssh >= 2.6.2-41.9.1
  • qemu-guest-agent >= 2.6.2-41.9.1
  • qemu-ipxe >= 1.0.0-41.9.1
  • qemu-kvm >= 2.6.2-41.9.1
  • qemu-lang >= 2.6.2-41.9.1
  • qemu-ppc >= 2.6.2-41.9.1
  • qemu-s390 >= 2.6.2-41.9.1
  • qemu-seabios >= 1.9.1-41.9.1
  • qemu-sgabios >= 8-41.9.1
  • qemu-tools >= 2.6.2-41.9.1
  • qemu-vgabios >= 1.9.1-41.9.1
  • qemu-x86 >= 2.6.2-41.9.1
Patchnames:
SUSE-SLE-SERVER-12-SP2-2017-336
SUSE Linux Enterprise Server 12-LTSS
  • qemu >= 2.0.2-48.31.1
  • qemu-block-curl >= 2.0.2-48.31.1
  • qemu-block-rbd >= 2.0.2-48.31.1
  • qemu-guest-agent >= 2.0.2-48.31.1
  • qemu-ipxe >= 1.0.0-48.31.1
  • qemu-kvm >= 2.0.2-48.31.1
  • qemu-lang >= 2.0.2-48.31.1
  • qemu-ppc >= 2.0.2-48.31.1
  • qemu-s390 >= 2.0.2-48.31.1
  • qemu-seabios >= 1.7.4-48.31.1
  • qemu-sgabios >= 8-48.31.1
  • qemu-tools >= 2.0.2-48.31.1
  • qemu-vgabios >= 1.7.4-48.31.1
  • qemu-x86 >= 2.0.2-48.31.1
  • xen >= 4.4.4_14-22.33.1
  • xen-doc-html >= 4.4.4_14-22.33.1
  • xen-kmp-default >= 4.4.4_14_k3.12.61_52.66-22.33.1
  • xen-libs >= 4.4.4_14-22.33.1
  • xen-libs-32bit >= 4.4.4_14-22.33.1
  • xen-tools >= 4.4.4_14-22.33.1
  • xen-tools-domU >= 4.4.4_14-22.33.1
Patchnames:
SUSE-SLE-SERVER-12-2017-299
SUSE-SLE-SERVER-12-2017-366
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
  • qemu >= 2.6.2-41.9.1
  • qemu-arm >= 2.6.2-41.9.1
  • qemu-block-curl >= 2.6.2-41.9.1
  • qemu-block-rbd >= 2.6.2-41.9.1
  • qemu-block-ssh >= 2.6.2-41.9.1
  • qemu-guest-agent >= 2.6.2-41.9.1
  • qemu-ipxe >= 1.0.0-41.9.1
  • qemu-lang >= 2.6.2-41.9.1
  • qemu-tools >= 2.6.2-41.9.1
Patchnames:
SUSE-SLE-RPI-12-SP2-2017-336
SUSE Linux Enterprise Software Development Kit 11 SP4
  • xen >= 4.4.4_14-51.1
  • xen-devel >= 4.4.4_14-51.1
Patchnames:
sdksp4-xen-13019
SUSE Linux Enterprise Software Development Kit 12 SP1
  • xen >= 4.5.5_06-22.11.2
  • xen-devel >= 4.5.5_06-22.11.2
Patchnames:
SUSE-SLE-SDK-12-SP1-2017-297
SUSE Linux Enterprise for SAP 12
  • qemu >= 2.0.2-48.31.1
  • qemu-block-curl >= 2.0.2-48.31.1
  • qemu-block-rbd >= 2.0.2-48.31.1
  • qemu-guest-agent >= 2.0.2-48.31.1
  • qemu-ipxe >= 1.0.0-48.31.1
  • qemu-kvm >= 2.0.2-48.31.1
  • qemu-lang >= 2.0.2-48.31.1
  • qemu-seabios >= 1.7.4-48.31.1
  • qemu-sgabios >= 8-48.31.1
  • qemu-tools >= 2.0.2-48.31.1
  • qemu-vgabios >= 1.7.4-48.31.1
  • qemu-x86 >= 2.0.2-48.31.1
  • xen >= 4.4.4_14-22.33.1
  • xen-doc-html >= 4.4.4_14-22.33.1
  • xen-kmp-default >= 4.4.4_14_k3.12.61_52.66-22.33.1
  • xen-libs >= 4.4.4_14-22.33.1
  • xen-libs-32bit >= 4.4.4_14-22.33.1
  • xen-tools >= 4.4.4_14-22.33.1
  • xen-tools-domU >= 4.4.4_14-22.33.1
Patchnames:
SUSE-SLE-SAP-12-2017-299
SUSE-SLE-SAP-12-2017-366
openSUSE Leap 42.1
  • qemu >= 2.3.1-25.1
  • qemu-arm >= 2.3.1-25.1
  • qemu-arm-debuginfo >= 2.3.1-25.1
  • qemu-block-curl >= 2.3.1-25.1
  • qemu-block-curl-debuginfo >= 2.3.1-25.1
  • qemu-block-rbd >= 2.3.1-25.1
  • qemu-block-rbd-debuginfo >= 2.3.1-25.1
  • qemu-debugsource >= 2.3.1-25.1
  • qemu-extra >= 2.3.1-25.1
  • qemu-extra-debuginfo >= 2.3.1-25.1
  • qemu-guest-agent >= 2.3.1-25.1
  • qemu-guest-agent-debuginfo >= 2.3.1-25.1
  • qemu-ipxe >= 1.0.0-25.1
  • qemu-kvm >= 2.3.1-25.1
  • qemu-lang >= 2.3.1-25.1
  • qemu-linux-user >= 2.3.1-25.1
  • qemu-linux-user-debuginfo >= 2.3.1-25.1
  • qemu-linux-user-debugsource >= 2.3.1-25.1
  • qemu-ppc >= 2.3.1-25.1
  • qemu-ppc-debuginfo >= 2.3.1-25.1
  • qemu-s390 >= 2.3.1-25.1
  • qemu-s390-debuginfo >= 2.3.1-25.1
  • qemu-seabios >= 1.8.1-25.1
  • qemu-sgabios >= 8-25.1
  • qemu-testsuite >= 2.3.1-25.1
  • qemu-tools >= 2.3.1-25.1
  • qemu-tools-debuginfo >= 2.3.1-25.1
  • qemu-vgabios >= 1.8.1-25.1
  • qemu-x86 >= 2.3.1-25.1
  • qemu-x86-debuginfo >= 2.3.1-25.1
Patchnames:
openSUSE-2017-589
openSUSE Leap 42.2
  • qemu >= 2.6.2-29.4
  • qemu-arm >= 2.6.2-29.4
  • qemu-arm-debuginfo >= 2.6.2-29.4
  • qemu-block-curl >= 2.6.2-29.4
  • qemu-block-curl-debuginfo >= 2.6.2-29.4
  • qemu-block-dmg >= 2.6.2-29.4
  • qemu-block-dmg-debuginfo >= 2.6.2-29.4
  • qemu-block-iscsi >= 2.6.2-29.4
  • qemu-block-iscsi-debuginfo >= 2.6.2-29.4
  • qemu-block-rbd >= 2.6.2-29.4
  • qemu-block-rbd-debuginfo >= 2.6.2-29.4
  • qemu-block-ssh >= 2.6.2-29.4
  • qemu-block-ssh-debuginfo >= 2.6.2-29.4
  • qemu-debugsource >= 2.6.2-29.4
  • qemu-extra >= 2.6.2-29.4
  • qemu-extra-debuginfo >= 2.6.2-29.4
  • qemu-guest-agent >= 2.6.2-29.4
  • qemu-guest-agent-debuginfo >= 2.6.2-29.4
  • qemu-ipxe >= 1.0.0-29.4
  • qemu-kvm >= 2.6.2-29.4
  • qemu-lang >= 2.6.2-29.4
  • qemu-linux-user >= 2.6.2-29.1
  • qemu-linux-user-debuginfo >= 2.6.2-29.1
  • qemu-linux-user-debugsource >= 2.6.2-29.1
  • qemu-ppc >= 2.6.2-29.4
  • qemu-ppc-debuginfo >= 2.6.2-29.4
  • qemu-s390 >= 2.6.2-29.4
  • qemu-s390-debuginfo >= 2.6.2-29.4
  • qemu-seabios >= 1.9.1-29.4
  • qemu-sgabios >= 8-29.4
  • qemu-testsuite >= 2.6.2-29.8
  • qemu-tools >= 2.6.2-29.4
  • qemu-tools-debuginfo >= 2.6.2-29.4
  • qemu-vgabios >= 1.9.1-29.4
  • qemu-x86 >= 2.6.2-29.4
  • qemu-x86-debuginfo >= 2.6.2-29.4
Patchnames:
openSUSE-2017-349