History: Apr 01, 2014 - 12:00 a.m.

CVE-2011-3346

2014-04-01 00:00:00
ubuntu.com

CVSS2: 4
Attack Vector: LOCAL
Attack Complexity: HIGH
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
AV:L/AC:H/Au:N/C:N/I:N/A:C

EPSS: 0.001
Percentile: 46.6%

Buffer overflow in hw/scsi-disk.c in the SCSI subsystem in QEMU before
0.15.2, as used by Xen, might allow local guest users with permission to
access the CD-ROM to cause a denial of service (guest crash) via a crafted
SAI READ CAPACITY SCSI command. NOTE: this is only a vulnerability when
root has manually modified certain permissions or ACLs.

Bugs

Notes

jdstrand:
    redhat bug has reproducer
    non-privileged user in the guest can crash qemu. Requires write access to a scsi device, eg /dev/sr0
    this only affected the RedHat xen packages, not qemu. Verified issue does not affect qemu-kvm on Ubuntu 12.04, 11.10, 11.04, 10.10, and 10.04 LTS by attaching a scsi CDROM and performing:
        sg_raw -r 32768 /dev/sr0 9E 10 00 00 00 00 00 00 00 00 00 04 00 00 00 00
        sg_raw -r 32768 /dev/sr0 9E 10 00 00 00 00 00 00 00 00 00 01 00 00 00 00
    hypervisor code for xen is in universe

mdeslaur:
    code seems different in xen, marking as not-affected
