[security-announce] Qemu 2.1: Security update

Sona Sarmadi sona.sarmadi at enea.com
Wed Aug 19 12:20:55 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

	Enea Linux Security Advisory

=========================================================
Product/package: Qemu 2.1
Severity: Important
CVE Name: CVE-2014-7815
=========================================================
This security update fixes an uninitialized data structure
use flaw in qemu-vnc which allows remote attackers to
cause a denial of service (crash).

Signed patch and README files
================================
0028-qemu-vnc-CVE-2014-7815.patch
0028-qemu-vnc-CVE-2014-7815.patch.sig
0028-qemu-vnc-CVE-2014-7815.README.asc

Description
===========
The set_pixel_format function in ui/vnc.c in QEMU allows
remote attackers to cause a denial of service (crash) via
a small bytes_per_pixel value.

Reference
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7815

How to apply the patches
=======================
 - Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order.

wget https://linux.enea.com/5.0-beta-m400/\
Enea-Linux-5.0-beta-m400.tar.gz
tar zxf Enea-Linux-5.0-beta-m400.tar.gz
cd Enea-Linux-5.0-beta-m400/poky
<Fetch and apply the existing patches >

 - Fetch, verify and apply the new patch
wget https://linux.enea.com/5.0-beta-m400/\
patches/0028-qemu-vnc-CVE-2014-7815.patch
wget https://linux.enea.com/5.0-beta-m400/\
patches/0028-qemu-vnc-CVE-2014-7815.patch.sig
gpg --verify 0028-qemu-vnc-CVE-2014-7815.patch.sig
patch -p1 < ./0028-qemu-vnc-CVE-2014-7815.patch

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
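
Added example, not part of the Enea advisory, its patch or QEMU's code: a C sketch of how a VNC server can validate a client SetPixelFormat message so that a small bits-per-pixel value never yields a bytes_per_pixel of 0. It assumes the RFC 6143 message layout; struct pixel_format, parse_set_pixel_format and the accepted sizes 8, 16 and 32 are choices made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical type for this example; not QEMU's PixelFormat. */
struct pixel_format {
    uint8_t bits_per_pixel, bytes_per_pixel, depth;
    uint8_t big_endian, true_colour;
    uint16_t rmax, gmax, bmax;
    uint8_t rshift, gshift, bshift;
};

/* Big-endian 16-bit read, as used on the RFB wire. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse a 20-byte client SetPixelFormat message (RFC 6143, 7.5.1).
 * Returns 0 and fills *out; returns -1 and leaves *out untouched on reject. */
int parse_set_pixel_format(const uint8_t *msg, size_t len, struct pixel_format *out)
{
    struct pixel_format pf;

    if (len != 20 || msg[0] != 0)       /* message-type 0 = SetPixelFormat */
        return -1;
    memset(&pf, 0, sizeof pf);
    pf.bits_per_pixel = msg[4];
    /* Allow-list the size before deriving bytes_per_pixel:
     * any value below 8 would divide down to 0. */
    switch (pf.bits_per_pixel) {
    case 8: case 16: case 32:
        break;
    default:
        return -1;
    }
    pf.bytes_per_pixel = pf.bits_per_pixel / 8;
    pf.depth = msg[5];
    if (pf.depth == 0 || pf.depth > pf.bits_per_pixel)
        return -1;
    pf.big_endian = msg[6] != 0;
    pf.true_colour = msg[7] != 0;
    pf.rmax = be16(msg + 8); pf.gmax = be16(msg + 10); pf.bmax = be16(msg + 12);
    pf.rshift = msg[14]; pf.gshift = msg[15]; pf.bshift = msg[16];
    /* Colour shifts must stay inside the pixel when true colour is used. */
    if (pf.true_colour && (pf.rshift >= pf.bits_per_pixel ||
        pf.gshift >= pf.bits_per_pixel || pf.bshift >= pf.bits_per_pixel))
        return -1;
    *out = pf;
    return 0;
}
```

The caller keeps its previous pixel format when the function returns -1, so a rejected message cannot leave a half-initialized structure in use.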


