ubuntu-translations-coordinators team mailing list archive

[Bug 1449062] [NEW] qemu-img calls need to be restricted by ulimit (CVE-2015-5162)

*** This bug is a security vulnerability ***

You have been subscribed to a public security bug:

Reported via private E-mail from Richard W.M. Jones.

Turns out qemu image parser is not hardened against malicious input and
can be abused to allocate an arbitrary amount of memory and/or dump a
lot of information when used with "--output=json".

The solution seems to be: limit qemu-img resources using ulimit.

Example of abuse:

-- afl1.img --

$ /usr/bin/time qemu-img info afl1.img
image: afl1.img
[...]
0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k
0inputs+0outputs (0major+156927minor)pagefaults 0swaps

The original image is 516 bytes, but it causes qemu-img to allocate 640
MB.

-- afl2.img --

$ qemu-img info --output=json afl2.img | wc -l
589843

This is a 200K image which causes qemu-img info to output half a
million lines of JSON (14 MB of JSON).

Glance runs the --output=json variant of the command.

-- afl3.img --

$ /usr/bin/time qemu-img info afl3.img
image: afl3.img
[...]
0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresident)k
0inputs+0outputs (0major+311994minor)pagefaults 0swaps

qemu-img allocates 1.3 GB (actually, a bit more if you play with
ulimit -v).  It appears that you could change it to allocate
arbitrarily large amounts of RAM.
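The mitigation the report proposes (run qemu-img under ulimit so a crafted image cannot exhaust memory, and cap how much output the caller will accept) can be expressed as a small process wrapper. The following is an added example, not code from this bug, from qemu, or from oslo.concurrency: it applies RLIMIT_AS (the equivalent of `ulimit -v`) and RLIMIT_CPU in the child before exec, and aborts if the child's stdout exceeds a byte budget. Because the original images are not available, the `demo_*` functions stand in for a malicious image with constructed Python children that allocate 2 GB or print far too much; the limits and budgets are assumed values, not numbers from the page.

```python
import resource
import subprocess
import sys
import tempfile


class OutputTooLarge(Exception):
    """Raised when the child writes more stdout than the caller allowed."""


def _make_limiter(address_space, cpu_seconds):
    # Runs in the child between fork() and exec(), so the limits apply to the
    # spawned tool (e.g. qemu-img) and never to the calling service.
    def _apply():
        resource.setrlimit(resource.RLIMIT_AS, (address_space, address_space))
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
    return _apply


def run_with_limits(cmd, address_space=1024 * 1024 * 1024, cpu_seconds=8,
                    max_output=4 * 1024 * 1024):
    """Run cmd with address-space and CPU rlimits and a stdout byte budget.

    Returns (returncode, stdout_bytes, stderr_bytes). Raises OutputTooLarge
    and kills the child if it tries to emit more than max_output bytes, so a
    half-million-line JSON dump never has to be buffered in full.
    """
    # stderr goes to a temp file rather than a pipe so that draining stdout
    # first cannot deadlock on a full stderr pipe.
    with tempfile.TemporaryFile() as err_file:
        proc = subprocess.Popen(
            cmd, stdout=subprocess.PIPE, stderr=err_file,
            preexec_fn=_make_limiter(address_space, cpu_seconds))
        chunks, total = [], 0
        try:
            while True:
                chunk = proc.stdout.read(65536)
                if not chunk:
                    break
                total += len(chunk)
                if total > max_output:
                    proc.kill()
                    proc.wait()
                    raise OutputTooLarge(
                        "child exceeded %d bytes of stdout" % max_output)
                chunks.append(chunk)
        finally:
            proc.stdout.close()
        proc.wait()
        err_file.seek(0)
        return proc.returncode, b"".join(chunks), err_file.read()


# --- constructed stand-ins for the malicious images (assumed, not from the bug)

def demo_well_behaved():
    """A normal child runs unaffected by the limits."""
    return run_with_limits([sys.executable, "-c", "print('ok')"])


def demo_memory_bomb():
    """Child tries to allocate 2 GB under a 512 MB address-space limit."""
    rc, _, err = run_with_limits(
        [sys.executable, "-c", "bytearray(2 * 1024 ** 3)"],
        address_space=512 * 1024 * 1024)
    return rc, err


def demo_output_flood():
    """Child prints ~100 KB against a 1 KB budget; returns True if capped."""
    try:
        run_with_limits([sys.executable, "-c", "print('x' * 100000)"],
                        max_output=1024)
    except OutputTooLarge:
        return True
    return False


if __name__ == "__main__":
    print("well-behaved:", demo_well_behaved())
    print("memory bomb:", demo_memory_bomb())
    print("output flood capped:", demo_output_flood())
```

For a real `qemu-img info --output=json` call the address-space limit should be sized to what a legitimate image needs on that host (the report shows a 516-byte image driving qemu-img to 640 MB, so a generous but finite ceiling is the point), and a parse failure or a killed child should be treated as an untrusted image rather than retried with a higher limit.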

** Affects: ubuntu-translations
     Importance: Low
         Status: In Progress

** Affects: nova
     Importance: Medium
     Assignee: Daniel Berrange (berrange)
         Status: Fix Released

** Affects: ossa
     Importance: Medium
         Status: Confirmed

** Affects: python-oslo.concurrency (Ubuntu)
     Importance: Medium
         Status: Fix Released

** Affects: python-oslo.concurrency (Ubuntu Wily)
     Importance: Medium
         Status: Fix Committed

** Affects: python-oslo.concurrency (Ubuntu Xenial)
     Importance: Medium
     Assignee: Corey Bryant (corey.bryant)
         Status: Fix Released

** Affects: python-oslo.concurrency (Ubuntu Yakkety)
     Importance: Medium
         Status: Fix Released


** Tags: in-stable-mitaka liberty-rc-potential verification-needed
-- 
qemu-img calls need to be restricted by ulimit (CVE-2015-5162)
https://bugs.launchpad.net/bugs/1449062
You received this bug notification because you are a member of Ubuntu Translations Coordinators, which is subscribed to Ubuntu Translations.