[security-announce] Security Update: qemu, CVE-2015-5225, CVE-2015-5278, CVE-2015-5279, CVE-2015-6855

Sona Sarmadi sona.sarmadi at enea.com
Wed May 11 14:03:11 CEST 2016


	Enea Linux Security Advisory

=========================================================
Product/package: Enea Linux 5.0-arm: qemu 2.4.0
Severity: See below
CVE Names:
CVE-2015-5225, CVE-2015-5278, CVE-2015-5279, CVE-2015-6855
=========================================================

The following vulnerabilities have been fixed in the Enea Linux 5.0 release:

1) CVE: CVE-2015-5225
Severity: High
Description:
Buffer overflow in the vnc_refresh_server_surface function in the VNC
display driver in QEMU before 2.4.0.1 allows guest users to cause a
denial of service (heap memory corruption and process crash) or possibly
execute arbitrary code on the host via unspecified vectors, related to
refreshing the server display surface.

Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5225

Reference to upstream patch:
http://git.qemu.org/?p=qemu.git;a=commit;h=efec4dcd2552e85ed57f276b58f09fc385727450

Correction for Enea Linux 5.0:
http://git.enea.com/cgit/linux/poky.git/patch/?id=3291d1de776eb008e665746f93a65aa90f8750ce


2) CVE: CVE-2015-5278
Severity: Medium
Description:
Qemu emulator built with the NE2000 NIC emulation support is vulnerable
to an infinite loop issue. It could occur when receiving packets over
the network.

A privileged user inside the guest could use this flaw to crash the Qemu
instance, resulting in a DoS.

Reference:
http://www.openwall.com/lists/oss-security/2015/09/15/2

Reference to upstream patch:
http://git.qemu.org/?p=qemu.git;a=commit;h=5a1ccdfe44946e726b4c6fda8a4493b3931a68c1

Correction for Enea Linux 5.0:
http://git.enea.com/cgit/linux/poky.git/patch/?id=128060b9853174f93dd4c45d4dc1b0acbe08388f

3) CVE: CVE-2015-5279
Severity: High
Description:
Heap-based buffer overflow in the ne2000_receive function in
hw/net/ne2000.c in QEMU before 2.4.0.1 allows guest OS users to cause a
denial of service (instance crash) or possibly execute arbitrary code
via vectors related to receiving packets.

Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5279

Reference to upstream patch:
http://git.qemu.org/?p=qemu.git;a=commit;h=7aa2bcad0ca837dd6d4bf4fa38a80314b4a6b755

Correction for Enea Linux 5.0:
http://git.enea.com/cgit/linux/poky.git/patch/?id=3e666afc648543a2dd73c577569e34d0d8d996ff

4) CVE: CVE-2015-6855
Severity: Low
Description:
hw/ide/core.c in QEMU does not properly restrict the commands accepted
by an ATAPI device, which allows guest users to cause a denial of
service or possibly have unspecified other impact via certain IDE
commands, as demonstrated by a WIN_READ_NATIVE_MAX command to an empty
drive, which triggers a divide-by-zero error and instance crash.

Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6855

Reference to upstream patch:
http://git.qemu.org/?p=qemu.git;a=commit;h=63d761388d6fea994ca498c6e7a210851a99ad93

Correction for Enea Linux 5.0:
http://git.enea.com/cgit/linux/poky.git/patch/?id=9c5b66788d746491a471bed3c7c7333862f95ea7

How to get the latest patches
=============================
- If you have already cloned the needed repositories, update them to get
the new security patches.

cd Enea-Linux-5.0/poky
git pull

- If you have not yet cloned the needed repositories, do so as described
below (all patches are fetched implicitly when cloning the repositories).

mkdir Enea-Linux-5.0
git -C Enea-Linux-5.0 clone -b dizzy-enea git://git.enea.com/linux/poky.git
POKY=Enea-Linux-5.0/poky
git -C $POKY clone -b dizzy-enea git://git.enea.com/linux/meta-enea.git
git -C $POKY clone -b dizzy-enea git://git.enea.com/linux/meta-fsl-ppc.git
git -C $POKY clone -b dizzy-enea git://git.enea.com/linux/meta-hierofalcon.git
git -C $POKY clone -b dizzy-enea git://git.enea.com/linux/meta-linaro.git
git -C $POKY clone -b dizzy-enea git://git.enea.com/linux/meta-openembedded.git
git -C $POKY clone -b dizzy-enea git://git.enea.com/linux/meta-virtualization.git
git -C $POKY/meta-enea clone -b dizzy-enea git://git.enea.com/linux/meta-enea/meta-vt.git
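As an added check that is not part of the advisory, the script below confirms that the four Enea correction commits listed above are actually reachable from the checked-out branch of the poky clone, so a stale or partially pulled tree is noticed before a build. It assumes git is on PATH and takes the path of the Enea-Linux-5.0/poky checkout as its argument.

```shell
#!/bin/sh
# Added example, not from the Enea advisory: verify that the Enea Linux 5.0
# correction commits for the four QEMU CVEs are ancestors of HEAD in the
# given poky checkout (the repository the "Correction" links point into).

# CVE:commit pairs copied from the advisory above.
CORRECTIONS="
CVE-2015-5225:3291d1de776eb008e665746f93a65aa90f8750ce
CVE-2015-5278:128060b9853174f93dd4c45d4dc1b0acbe08388f
CVE-2015-5279:3e666afc648543a2dd73c577569e34d0d8d996ff
CVE-2015-6855:9c5b66788d746491a471bed3c7c7333862f95ea7
"

# is_ancestor REPO SHA: succeed only if SHA is reachable from HEAD of REPO.
# Any git error (missing repo, unknown object) is reported as "not present".
is_ancestor() {
    git -C "$1" merge-base --is-ancestor "$2" HEAD 2>/dev/null
}

# check_corrections REPO: print one status line per CVE and return the
# number of correction commits that are missing (0 means fully patched).
check_corrections() {
    missing=0
    for entry in $CORRECTIONS; do
        cve=${entry%%:*}
        sha=${entry#*:}
        if is_ancestor "$1" "$sha"; then
            echo "$cve: fixed ($sha)"
        else
            echo "$cve: MISSING commit $sha"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Usage: ./check-qemu-fixes.sh Enea-Linux-5.0/poky
if [ $# -gt 0 ]; then
    check_corrections "$1"
fi
```

The exit status equals the number of missing fixes, so the script can gate a CI build step directly.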

If you have any questions regarding the security patches and security
updates, please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com

