[security-announce] qemu: Security update

Sona Sarmadi sona.sarmadi at enea.com
Fri May 22 14:51:48 CEST 2015


	Enea Linux Security Advisory

=========================================================
Product/package: qemu 1.7.2
CVE Names:
CVE-2015-3456 (High), CVE-2014-5263 (Low),
CVE-2014-3689 (Moderate), CVE-2014-7815 (Moderate).
=========================================================
This security update fixes the following vulnerabilities in qemu 1.7.2:

CVE-2015-3456, fdc: out-of-bounds fifo buffer memory access
CVE-2014-5263, vmstate_xhci_event: fix unterminated field list
CVE-2014-3689, vmware_vga: insufficient parameter validation in
rectangle functions
CVE-2014-7815, vnc: insufficient sanitization of bits_per_pixel
from the client

The patch and README files are gpg signed by ESRT (Enea Security
Response Team) for verification of origin.
To verify the integrity of the patches, download the ESRT public key from:
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x773EF6EF68716A14

For detailed info refer to https://linux.enea.com/4.0/patches/README.asc

Signed/SHA512 patch/README files
================================
0075-qemu-fixed-multiple-CVEs.README.asc
0075-qemu-fixed-multiple-CVEs.patch.asc
0075-qemu-fixed-multiple-CVEs.patch.sha

Descriptions
============
CVE-2015-3456
The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x
and earlier and KVM, allows local guest users to cause a denial
of service (out-of-bounds write and guest crash) or possibly
execute arbitrary code via the (1) FD_CMD_READ_ID,
(2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified
commands, aka VENOM.

CVE-2014-5263
vmstate_xhci_event in hw/usb/hcd-xhci.c does not terminate the
list with the VMSTATE_END_OF_LIST macro, which allows attackers
to cause a denial of service (out-of-bounds access, infinite loop,
and memory corruption) and possibly gain privileges via
unspecified vectors.

CVE-2014-3689
The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows
local guest users to write to qemu memory locations and gain
privileges via unspecified parameters related to rectangle handling.

CVE-2014-7815
The set_pixel_format function in ui/vnc.c in QEMU allows remote
attackers to cause a denial of service (crash) via a small
bytes_per_pixel value.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5263
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3689
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7815
http://seclists.org/oss-sec/2014/q3/382


How to apply the patches
=======================
 - Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order.

wget https://linux.enea.com/4.0/Enea-Linux-4.0.tar.gz
tar zxf Enea-Linux-4.0.tar.gz
cd Enea-Linux-4.0/poky/
<Fetch and apply the existing patches >

 - Fetch and apply the new patch
wget https://linux.enea.com/4.0/patches/0075-qemu-fixed-multiple-CVEs.patch.asc
patch -p1 < ./0075-qemu-fixed-multiple-CVEs.patch.asc
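
The advisory says the patch is signed by ESRT but the steps above apply it without checking; the following added example (not Enea's tooling) verifies the signature and pins it to the key ID given in this advisory before patching. It assumes the .asc file is a clearsigned patch and that the ESRT key is already in the local keyring; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Enea's tooling. Function names are hypothetical.
# Key ID taken from the advisory; a 64-bit ID is weaker than a full
# fingerprint, so pin the fingerprint once it is confirmed out of band.
ESRT_KEYID=773EF6EF68716A14

# signed_by_key KEYID: reads `gpg --status-fd` lines on stdin. Succeeds only
# if a VALIDSIG line names a signing or primary key fingerprint ending in
# KEYID and no bad/expired/revoked signature status is present.
signed_by_key() {
    [ -n "$1" ] || return 1
    awk -v want="$(printf '%s' "$1" | tr 'a-f' 'A-F')" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            n = length(want); sig = toupper($3); prim = toupper($NF)
            if (substr(sig, length(sig) - n + 1) == want ||
                substr(prim, length(prim) - n + 1) == want) ok = 1
        }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# verify_patch SIGNED OUT: write the signed payload to OUT; fail and remove
# OUT unless gpg accepts the signature and it was made by the ESRT key.
verify_patch() {
    status=$(gpg --batch --yes --status-fd 1 --output "$2" --decrypt "$1" \
             2>/dev/null) &&
        printf '%s\n' "$status" | signed_by_key "$ESRT_KEYID" ||
        { rm -f "$2"; return 1; }
}

# apply_verified SIGNED: dry-run first so a failing hunk leaves the tree clean.
apply_verified() {
    out=${1%.asc}
    verify_patch "$1" "$out" &&
        patch -p1 --dry-run < "$out" >/dev/null &&
        patch -p1 < "$out"
}

# Usage, from Enea-Linux-4.0/poky/:
#   apply_verified ./0075-qemu-fixed-multiple-CVEs.patch.asc
```

Checking the status lines rather than only the exit code of gpg matters because a plain verification succeeds for any key present in the keyring, not just the ESRT key.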

If you have any questions regarding the security patches and security
updates, please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com

