Description
A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file.
Problem types
Uncontrolled Resource Consumption
Product status
4.0.0 (semver) before 9.1.0
8020120240708124623.863bb0db (rpm) before *
8040020240708093550.522a0ee4 (rpm) before *
8040020240708093550.522a0ee4 (rpm) before *
8100020240704072441.489197e6 (rpm) before *
8100020240704072441.489197e6 (rpm) before *
8040020240703100448.522a0ee4 (rpm) before *
8040020240703100448.522a0ee4 (rpm) before *
8040020240703100448.522a0ee4 (rpm) before *
8060020240703092415.ad008a3a (rpm) before *
8060020240703092415.ad008a3a (rpm) before *
8060020240703092415.ad008a3a (rpm) before *
8080020240703085245.63b34585 (rpm) before *
8080020240703085245.63b34585 (rpm) before *
17:8.2.0-11.el9_4.4 (rpm) before *
17:6.2.0-11.el9_0.9 (rpm) before *
17:7.2.0-14.el9_2.11 (rpm) before *
Timeline
| 2024-05-02: | Reported to Red Hat. |
| 2024-07-02: | Made public. |
Credits
Red Hat would like to thank Martin Kaesberger for reporting this issue.
References
access.redhat.com/errata/RHSA-2024:4276 (RHSA-2024:4276)
access.redhat.com/errata/RHSA-2024:4277 (RHSA-2024:4277)
access.redhat.com/errata/RHSA-2024:4278 (RHSA-2024:4278)
access.redhat.com/errata/RHSA-2024:4372 (RHSA-2024:4372)
access.redhat.com/errata/RHSA-2024:4373 (RHSA-2024:4373)
access.redhat.com/errata/RHSA-2024:4374 (RHSA-2024:4374)
access.redhat.com/errata/RHSA-2024:4420 (RHSA-2024:4420)
access.redhat.com/errata/RHSA-2024:4724 (RHSA-2024:4724)
access.redhat.com/errata/RHSA-2024:4727 (RHSA-2024:4727)
access.redhat.com/security/cve/CVE-2024-4467
bugzilla.redhat.com/show_bug.cgi?id=2278875 (RHBZ#2278875)
