[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1Xrrz2-0003GJ-T4@titan.mandriva.com>
Date: Fri, 21 Nov 2014 18:27:00 +0100
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2014:220 ] qemu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2014:220
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : qemu
Date : November 21, 2014
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Updated qemu packages fix security vulnerabilities:
Michael S. Tsirkin discovered that QEMU incorrectly handled vmxnet3
devices. A local guest could possibly use this issue to cause a
denial of service, or possibly execute arbitrary code on the host
(CVE-2013-4544).
Multiple integer overflow, input validation, logic error, and buffer
overflow flaws were discovered in various QEMU block drivers. An
attacker able to modify a disk image file loaded by a guest could
use these flaws to crash the guest, or corrupt QEMU process memory
on the host, potentially resulting in arbitrary code execution on
the host with the privileges of the QEMU process (CVE-2014-0143,
CVE-2014-0144, CVE-2014-0145, CVE-2014-0147).
A buffer overflow flaw was found in the way the virtio_net_handle_mac()
function of QEMU processed guest requests to update the table of MAC
addresses. A privileged guest user could use this flaw to corrupt
QEMU process memory on the host, potentially resulting in arbitrary
code execution on the host with the privileges of the QEMU process
(CVE-2014-0150).
A divide-by-zero flaw was found in the seek_to_sector() function of
the parallels block driver in QEMU. An attacker able to modify a disk
image file loaded by a guest could use this flaw to crash the guest
(CVE-2014-0142).
A NULL pointer dereference flaw was found in the QCOW2 block driver
in QEMU. An attacker able to modify a disk image file loaded by a
guest could use this flaw to crash the guest (CVE-2014-0146).
It was found that the block driver for Hyper-V VHDX images did not
correctly calculate BAT (Block Allocation Table) entries due to
a missing bounds check. An attacker able to modify a disk image
file loaded by a guest could use this flaw to crash the guest
(CVE-2014-0148).
An out-of-bounds memory access flaw was found in the way QEMU's
IDE device driver handled the execution of SMART EXECUTE OFFLINE
commands. A privileged guest user could use this flaw to corrupt
QEMU process memory on the host, which could potentially result in
arbitrary code execution on the host with the privileges of the QEMU
process (CVE-2014-2894).
Two integer overflow flaws were found in the QEMU block driver for
QCOW version 1 disk images. A user able to alter the QEMU disk image
files loaded by a guest could use either of these flaws to corrupt
QEMU process memory on the host, which could potentially result in
arbitrary code execution on the host with the privileges of the QEMU
process (CVE-2014-0222, CVE-2014-0223).
Multiple buffer overflow, input validation, and out-of-bounds write
flaws were found in the way the virtio, virtio-net, virtio-scsi, and
usb drivers of QEMU handled state loading after migration. A user
able to alter the savevm data (either on the disk or over the wire
during migration) could use either of these flaws to corrupt QEMU
process memory on the (destination) host, which could potentially
result in arbitrary code execution on the host with the privileges
of the QEMU process (CVE-2013-4148, CVE-2013-4151, CVE-2013-4535,
CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399,
CVE-2014-0182, CVE-2014-3461).
An information leak flaw was found in the way QEMU's VGA emulator
accessed frame buffer memory for high resolution displays. A privileged
guest user could use this flaw to leak memory contents of the host to
the guest by setting the display to use a high resolution in the guest
(CVE-2014-3615).
When guest sends udp packet with source port and source addr 0,
uninitialized socket is picked up when looking for matching and already
created udp sockets, and later passed to sosendto() where NULL pointer
dereference is hit during so->slirp->vnetwork_mask.s_addr access Only
guests using qemu user networking are affected (CVE-2014-3640).
The Advanced Threat Research team at Intel Security reported that guest
provided parameter were insufficiently validated in rectangle functions
in the vmware-vga driver. A privileged guest user could use this flaw
to write into qemu address space on the host, potentially escalating
their privileges to those of the qemu host process (CVE-2014-3689).
It was discovered that QEMU incorrectly handled USB xHCI controller
live migration. An attacker could possibly use this issue to cause a
denial of service, or possibly execute arbitrary code (CVE-2014-5263).
James Spadaro of Cisco reported insufficiently sanitized bits_per_pixel
from the client in the QEMU VNC display driver. An attacker having
access to the guest's VNC console could use this flaw to crash the
guest (CVE-2014-7815).
Additionally qemu-1.6+ requires usbredir-0.6+ for USB redirection
support which is also being provided with this advisory.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4148
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4149
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4150
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4151
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4526
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4527
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4529
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4530
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4531
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4533
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4534
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4535
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4536
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4537
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4538
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4539
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4540
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4541
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4542
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6399
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0142
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0143
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0144
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0145
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0146
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0148
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0150
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0222
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0223
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3461
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3615
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3640
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3689
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5263
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7815
http://advisories.mageia.org/MGASA-2014-0426.html
http://advisories.mageia.org/MGASA-2014-0467.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 1/X86_64:
7f36fbcae0e720a7b18e318462c086b1 mbs1/x86_64/lib64usbredirhost1-0.7-1.mbs1.x86_64.rpm
5dada10711cfbcb8ed96c13e8dfe288a mbs1/x86_64/lib64usbredirhost-devel-0.7-1.mbs1.x86_64.rpm
fdaed5f5fe87862e1061036761ea7454 mbs1/x86_64/lib64usbredirparser1-0.7-1.mbs1.x86_64.rpm
ebb64169af682de4cc744aa3a53a6f3e mbs1/x86_64/lib64usbredirparser-devel-0.7-1.mbs1.x86_64.rpm
a115c0d8df0978370670c045d55d8c72 mbs1/x86_64/qemu-1.6.2-1.1.mbs1.x86_64.rpm
ef03d856097f0b2208e2f242889c5925 mbs1/x86_64/qemu-img-1.6.2-1.1.mbs1.x86_64.rpm
094bc6fd01b3159cacc349664741aac9 mbs1/x86_64/usbredir-0.7-1.mbs1.x86_64.rpm
496daeeb13d59090f602241b45f6b039 mbs1/x86_64/usbredir-devel-0.7-1.mbs1.x86_64.rpm
e1d0cb5cf20cc99e3a739d1623a0bf99 mbs1/SRPMS/qemu-1.6.2-1.1.mbs1.src.rpm
8f60583fe76898ae2dad71fe78967f68 mbs1/SRPMS/usbredir-0.7-1.mbs1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFUb2fYmqjQ0CJFipgRAohlAJ9Iz5ESPdz087rq91YRMTWqK818RgCaAork
yeVFpQoCk4oYyr5XRfzoFbE=
=dhPd
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists