[security-announce] Security Update: qemu upgrade to address multiple CVEs

Sona Sarmadi sona.sarmadi at enea.com
Thu Apr 28 13:07:54 CEST 2016


	Enea Linux Security Advisory

=========================================================
Product/package: qemu 2.1.0 --> 2.4.0 / Enea Linux 5.0
Severity: See below
CVE Names: CVE-2015-7295, CVE-2015-7504, CVE-2015-7512,
CVE-2015-8345, CVE-2015-8504, CVE-2016-1568, CVE-2016-2197, CVE-2016-2198
Layer: meta
=========================================================

The upgrade fixes the following vulnerabilities:

CVE-2015-7295: Medium
hw/virtio/virtio.c in the Virtual Network Device (virtio-net) support in
QEMU, when big or mergeable receive buffers are not supported, allows
remote attackers to cause a denial of service (guest network
consumption) via a flood of jumbo frames on the (1) tuntap or (2)
macvtap interface.

CVE-2015-7504: High
Qemu emulator built with the AMD PC-Net II Ethernet Controller support
is vulnerable to a heap buffer overflow flaw. While receiving packets in
loopback mode, it appends the CRC code to the receive buffer. If the
data size given is the same as the receive buffer size, the appended CRC
code overwrites 4 bytes beyond the 's->buffer' array.

A privileged (CAP_SYS_RAWIO) user inside the guest could use this flaw to
crash the Qemu instance, resulting in DoS, or potentially execute
arbitrary code with the privileges of the Qemu process on the host.
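An added illustration of the bug class described for CVE-2015-7504 (this is not QEMU's pcnet.c and not part of the advisory): a receive path that copies a frame and then appends a 4-byte CRC into a fixed-size buffer, shown without and with the length check that keeps the trailer inside the buffer. The buffer size, structure layout and function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
#define RX_BUF_SIZE 4096   /* stands in for sizeof(s->buffer); constructed value */
/* mem[0..RX_BUF_SIZE) models s->buffer; the last 4 bytes model whatever the
 * real device state keeps right after it, so an overflow becomes observable. */
struct nic_state { uint8_t mem[RX_BUF_SIZE + 4]; };
/* Frame check sequence the device appends (standard CRC-32, bitwise). */
static uint32_t crc32_le(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* 'Before': copies the frame, then appends the 4-byte CRC with no check that
 * it still fits. With size == RX_BUF_SIZE the CRC lands past the buffer. */
static size_t rx_append_crc_vulnerable(struct nic_state *s, const uint8_t *f, size_t size)
{
    uint32_t crc = crc32_le(f, size);
    memcpy(s->mem, f, size);
    memcpy(s->mem + size, &crc, sizeof crc);
    return size + sizeof crc;
}

/* 'After': rejects any frame that leaves no room for the trailer; returns 0
 * (nothing written) instead of overflowing the receive buffer. */
static size_t rx_append_crc_fixed(struct nic_state *s, const uint8_t *f, size_t size)
{
    if (size > RX_BUF_SIZE - sizeof(uint32_t))
        return 0;
    return rx_append_crc_vulnerable(s, f, size);   /* same write, now in bounds */
}

/* Feeds one buffer-sized frame through either path; true if the 4 bytes
 * beyond s->buffer were left untouched. */
static bool beyond_buffer_untouched(bool use_fixed)
{
    struct nic_state s = {{0}};
    uint8_t frame[RX_BUF_SIZE];
    memset(frame, 0x5A, sizeof frame);   /* constructed frame contents */
    if (use_fixed) rx_append_crc_fixed(&s, frame, RX_BUF_SIZE);
    else           rx_append_crc_vulnerable(&s, frame, RX_BUF_SIZE);
    return (s.mem[RX_BUF_SIZE] | s.mem[RX_BUF_SIZE + 1] |
            s.mem[RX_BUF_SIZE + 2] | s.mem[RX_BUF_SIZE + 3]) == 0;
}
```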

CVE-2015-7512: High
Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU,
when a guest NIC has a larger MTU, allows remote attackers to cause a
denial of service (guest OS crash) or execute arbitrary code via a large
packet.

CVE-2015-8345: Medium
Qemu emulator built with the i8255x (PRO100) emulation support is
vulnerable to an infinite loop issue. It could occur while processing a
chain of commands located in the Command Block List (CBL). Each Command
Block (CB) points to the next command in the list. An infinite loop
unfolds if the link to the next CB points to the same block or there is
a closed loop in the chain.

A privileged (CAP_SYS_RAWIO) user inside the guest could use this flaw to
crash the Qemu instance, resulting in DoS.
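An added illustration of the CVE-2015-8345 bug class (not QEMU's i8255x emulation and not part of the advisory): a walk over a guest-supplied Command Block List, first following link fields without limit, then bounded by the size of the table so that a self-link or a closed loop is detected instead of spinning forever. The block layout, the end-of-list bit and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>

#define CB_EL 0x8000u   /* 'end of list' bit in the command word (assumed layout) */

/* One entry of the Command Block List as the emulator reads it from guest
 * memory; 'link' is the index of the next CB in the same table. */
struct cmd_block {
    uint16_t command;
    uint16_t status;
    uint32_t link;
};

/* 'Before': walks link fields until a CB carries the EL bit. If the guest
 * points a link at the block itself, or closes a cycle, this never returns.
 * It terminates only on a well-formed chain. */
static int process_cbl_unbounded(const struct cmd_block *cbl, uint32_t head)
{
    int done = 0;
    uint32_t idx = head;
    for (;;) {
        done++;
        if (cbl[idx].command & CB_EL) return done;
        idx = cbl[idx].link;
    }
}

/* 'After': the list lives in a table of n blocks, so any valid chain has at
 * most n hops; a walk that needs more must be looping. Links outside the
 * table are rejected too. Returns blocks processed, or -1 on loop/bad link. */
static int process_cbl_bounded(const struct cmd_block *cbl, size_t n, uint32_t head)
{
    uint32_t idx = head;
    for (size_t hops = 0; hops < n; hops++) {
        if (idx >= n) return -1;                 /* link outside the table */
        if (cbl[idx].command & CB_EL) return (int)hops + 1;
        idx = cbl[idx].link;
    }
    return -1;                                   /* exceeded n hops: cycle */
}
```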

CVE-2015-8504: Medium
Qemu emulator built with the VNC display driver support is vulnerable to
an arithmetic exception flaw. It occurs on the VNC server side while
processing the 'SetPixelFormat' messages from a client.

A privileged remote client could use this flaw to crash the guest
resulting in DoS.

CVE-2016-1568: High
Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with
IDE AHCI Emulation support, allows guest OS users to cause a denial of
service (instance crash) or possibly execute arbitrary code via an
invalid AHCI Native Command Queuing (NCQ) AIO command.

CVE-2016-2197: Low
Qemu emulator built with IDE AHCI emulation support is vulnerable to
a null pointer dereference flaw. It occurs while unmapping the Frame
Information Structure (FIS) and Command List Block (CLB) entries.

A privileged user inside the guest could use this flaw to crash the Qemu
process instance, resulting in DoS.

CVE-2016-2198
Qemu emulator built with the USB EHCI emulation support is vulnerable to
a null pointer dereference flaw. It could occur when an application
attempts to write to EHCI capabilities registers.

A privileged user inside the guest could use this flaw to crash the Qemu
process instance, resulting in DoS.


References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7295
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7504
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7512
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8345
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8504
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1568
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2197
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2198


Correction for Enea Linux 5.0:
http://git.enea.com/cgit/linux/poky.git/patch/?id=d3d0c7af34b996b4518b26d4f3b4eff831a651af

How to get the latest patches
=============================
- If you have already cloned the needed repositories, update them to get
the new security patches.

cd Enea-Linux-5.0/poky
git pull

- If you have not yet cloned the needed repositories, do it as described
below. (All patches are fetched implicitly when cloning the repos.)

mkdir Enea-Linux-5.0
git -C Enea-Linux-5.0 clone -b dizzy-enea git://git.enea.com/linux/poky.git
POKY=Enea-Linux-5.0/poky
git -C $POKY clone -b dizzy-enea git://git.enea.com/linux/meta-enea.git
git -C $POKY clone -b dizzy-enea git://git.enea.com/linux/meta-fsl-ppc.git
git -C $POKY clone -b dizzy-enea git://git.enea.com/linux/meta-hierofalcon.git
git -C $POKY clone -b dizzy-enea git://git.enea.com/linux/meta-linaro.git
git -C $POKY clone -b dizzy-enea git://git.enea.com/linux/meta-openembedded.git
git -C $POKY clone -b dizzy-enea git://git.enea.com/linux/meta-virtualization.git
git -C $POKY/meta-enea clone -b dizzy-enea git://git.enea.com/linux/meta-enea/meta-vt.git

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
