[security-announce] Security Update: qemu: CVE-2016-4439 & CVE-2016-4952

Sona Sarmadi sona.sarmadi at enea.com
Tue Feb 14 11:59:01 CET 2017


		Enea Linux Security Advisory

====================================================================
Product/package: Enea Linux 6.0: (Qemu 2.5.0)
Severity: Medium
Architecture: all
CVE Name: CVE-2016-4439 & CVE-2016-4952
====================================================================

Following vulnerabilities have been fixed in Enea Linux 6.0 release:

CVE-2016-4439: scsi: esp: OOB write while writing to 's->cmdbuf' in
esp_reg_write
CVE-2016-4952: csi: pvscsi: out-of-bounds access issue in
pvsci_ring_init_msg/data routines

Description
===========
CVE-2016-4439
The esp_reg_write function in hw/scsi/esp.c in the 53C9X Fast SCSI
Controller (FSC) support in QEMU does not properly check command buffer
length, which allows local guest OS administrators to cause a denial of
service (out-of-bounds write and QEMU process crash) or potentially
execute arbitrary code on the QEMU host via unspecified vectors.

CVE-2016-4952
QEMU (aka Quick Emulator), when built with VMWARE PVSCSI paravirtual
SCSI bus emulation support, allows local guest OS administrators to
cause a denial of service (out-of-bounds array access) via vectors
related to the (1) PVSCSI_CMD_SETUP_RINGS or (2)
PVSCSI_CMD_SETUP_MSG_RING SCSI command.

References
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4439
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4952

Reference to upstream patch:
https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg03273.html
https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg03774.html

Correction for Enea Linux
=========================
http://git.enea.com/cgit/linux/poky.git/patch/?id=ad13ebb1a522389441b526ddf11301761e7c3938
http://git.enea.com/cgit/linux/poky.git/patch/?id=10bef78e2135fb191166e3893cc4a1326deede8c


How to get the latest patches
=============================
- If you have already cloned needed repositories, update it to get new
security patches.

cd Enea-Linux-6.0
$ repo sync

- If you have not yet cloned needed repositories, do it as described
below. (Security patches are fetched implicitly when cloning the repos).

Use repo tool to download the source for the Enea Linux 6.0 standard,
follow the steps below:
1. Make sure that the repo tool is installed. If not, follow the
instructions below:

$ curl https://storage.googleapis.com/git-repo-downloads/repo >
~/bin/repo $ chmod a+x ~/bin/repo

The instruction assumes that ~/bin exists and is included in the PATH
variable.

2.Use the repo tool to download the source:
$ mkdir Enea-Linux-6.0
$ cd Enea-Linux-6.0
$ repo init \
-u git://git.enea.com/linux/el_manifests-standard.git \ -b krogoth\ -m
<manifest file> $ repo sync

The parameter <manifest file> depends on the target:
P2041RDB: p2041rdb/default.xml
LS1021a-IoT: ls1021aiot/default.xml
QEMUARM: qemuarm/default.xml
QEMUPCC: qemuppc/default.xml
QEMUX86: qemux86/default.xml

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

For gerneral security refer to Enea Linux Security page:
http://www.enea.com/solutions/Enea-Linux/Security/

For the CVEs fixed at Enea Linux releases see CVE list:
http://www.enea.com/solutions/Enea-Linux/Security/CVEs-list/

For custom packages/releases please use the Support Channel:
http://www.enea.com/solutions/support.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com








-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://mail.lists.enea.com/pipermail/security-announce/attachments/20170214/a7ef3909/attachment.sig>


More information about the security-announce mailing list