CVE-2023-0330

[BelCloud]

Hello

Does anyone know if proxmox is vulnerable to CVE-2023-0330 and if there are any patches?

It seems to be affecting the lsi53c895a scsi controller on qemu 7.2.0.

Would simply switching to virtio-scsi be enough to mitigate this?

https://cve.report/CVE-2023-0330

 

[donhwyo]

You can check your qemu version on the pve summary page. Mine is "qemu-server: 7.3-4". Or

dpkg -l |grep qemu

.

 

[fiona]

Hi,
yes, using a different SCSI controller should mitigate the issue.

The qemu-server version is not relevant here, it's the pve-qemu-kvm package.

FYI, a fix is already included in pve-qemu-kvm=7.2.0-7 currently available on the no-subscription repository. Here is the relevant commit. The patch added there states

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556

which is the same issue referenced in the mail that's linked in the CVE. I also tried to run the reproducer from there, and with pve-qemu-kvm=7.2.0-7 it doesn't produce any errors while with upstream/stock QEMU 7.2 it results in a segfault.

 

[BelCloud]

Hi,
yes, using a different SCSI controller should mitigate the issue.

The qemu-server version is not relevant here, it's the pve-qemu-kvm package.

FYI, a fix is already included in pve-qemu-kvm=7.2.0-7 currently available on the no-subscription repository. Here is the relevant commit. The patch added there states

which is the same issue referenced in the mail that's linked in the CVE. I also tried to run the reproducer from there, and with pve-qemu-kvm=7.2.0-7 it doesn't produce any errors while with upstream/stock QEMU 7.2 it results in a segfault.

Thank you very much!