Bug 40920 - qemu: multiple issues (4.1)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.1
Other Linux
: P3 normal
: UCS 4.1-4-errata
Assigned To: Arvid Requate
Philipp Hahn
http://anonscm.debian.org/cgit/collab...
: 42552
Depends on:
Blocks:
Reported: 2016-03-17 16:56 CET by Arvid Requate
Modified: 2016-12-01 11:57 CET (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:
requate: Patch_Available+


Attachments
CVE-2016-371x.diff from Debian Jessie qemu package (18.49 KB, patch)
2016-05-23 17:35 CEST, Arvid Requate

Description Arvid Requate univentionstaff 2016-03-17 16:56:42 CET
+++ This bug was initially created as a clone of Bug #40634 +++

Upstream Debian package version 1.1.2+dfsg-6a+deb7u12 fixes these issues:

* virtio-net: possible remote DoS (CVE-2015-7295)

* net: pcnet: heap overflow vulnerability in loopback mode (CVE-2015-7504)

* Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU, when a guest NIC has a larger MTU, allows remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet. (CVE-2015-7512)

* Qemu: net: eepro100: infinite loop in processing command block list (CVE-2015-8345)

* vnc: avoid floating point exception (CVE-2015-8504)

* usb: infinite loop in ehci_advance_state results in DoS (CVE-2015-8558)

* net: ne2000: OOB r/w in ioport operations (CVE-2015-8743)

* ide: ahci use-after-free vulnerability in aio port commands (CVE-2016-1568)

* nvram: OOB r/w access in processing firmware configurations (CVE-2016-1714)

* i386: null pointer dereference in vapic_write() (CVE-2016-1922)
Comment 1 Arvid Requate univentionstaff 2016-05-23 17:35:22 CEST
Created attachment 7678 [details]
CVE-2016-371x.diff from Debian Jessie qemu package

Two additional issues:

* The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS users to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Portal" issue. (CVE-2016-3710)

* Integer overflow in the VGA module in QEMU allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) by editing VGA registers in VBE mode. (CVE-2016-3712)


The source package "qemu-kvm" is not supported in Wheezy LTS. The attached patches have been extracted from the Debian Jessie "qemu" source package.
Comment 2 Erik Damrose univentionstaff 2016-05-24 09:53:17 CEST
@Arvid: I think comment#0 may be a duplicate of bug #40634, can you verify this?
Comment 3 Arvid Requate univentionstaff 2016-05-24 12:02:50 CEST
In Wheezy they are different source packages:

* https://packages.debian.org/source/wheezy/qemu-kvm
* https://packages.debian.org/source/wheezy/qemu
Comment 4 Arvid Requate univentionstaff 2016-05-24 12:11:58 CEST
Ok, as discussed, Philipp fixed the issues of comment#0 via Bug 40634 Comment 3.

Maybe we simply use this bug as its rightful successor and track the issues of Comment 1 (and later).
Comment 5 Arvid Requate univentionstaff 2016-08-09 20:03:02 CEST
Upstream Debian package version 1.1.2+dfsg-6a+deb7u13 fixes these issues:

* The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Portal" issue. (CVE-2016-3710)

* Integer overflow in the VGA module in QEMU allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) by editing VGA registers in VBE mode. (CVE-2016-3712)

CVE-2016-3710: CVSS v2 base score: 6.5 (AV:A/AC:H/Au:S/C:C/I:C/A:C)
CVE-2016-3712: CVSS v2 base score: 3.8 (AV:A/AC:M/Au:S/C:P/I:N/A:P)
Comment 6 Arvid Requate univentionstaff 2016-08-09 20:03:52 CEST
Upstream Debian package version 1.1.2+dfsg-6+deb7u14 fixes these issues:

* The net_checksum_calculate function in net/checksum.c in QEMU allows local guest OS users to cause a denial of service (out-of-bounds heap read and crash) via the payload length in a crafted packet. (CVE-2016-2857)

* The esp_reg_write function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check command buffer length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or potentially execute arbitrary code on the QEMU host via unspecified vectors. (CVE-2016-4439)

* scsi: esp: oob write access while reading ESP command (CVE-2016-6351)

CVE-2016-2857: CVSS v2 base score: 4.3 (AV:A/AC:M/Au:N/C:P/I:N/A:P)
CVE-2016-4439: CVSS v2 base score: 4 (AV:A/AC:H/Au:S/C:P/I:P/A:P)
CVE-2016-6351: CVSS v2 base score: 4 (AV:A/AC:H/Au:S/C:P/I:P/A:P)
Comment 7 Arvid Requate univentionstaff 2016-08-09 21:45:48 CEST
The package qemu-kvm is now also updated in wheezy-lts.
Comment 8 Arvid Requate univentionstaff 2016-08-09 21:50:57 CEST
Additional issues fixed in 1.1.2+dfsg-6+deb7u14:

* Integer overflow in vnc_client_read() and protocol_client_msg() (CVE-2015-5239)

* The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not initialize the imm32 variable, which allows local guest OS administrators to obtain sensitive information from host stack memory by accessing the Task Priority Register (TPR). (CVE-2016-4020)

* The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion. (CVE-2016-5403)
Comment 9 Arvid Requate univentionstaff 2016-10-04 15:37:45 CEST
Upstream Debian package version 1.1.2+dfsg-6+deb7u15 fixes this additional issue:

* 9p: directory traversal flaw in 9p virtio backend (CVE-2016-7116)
Comment 10 Arvid Requate univentionstaff 2016-10-13 14:59:54 CEST
Fixed in upstream Debian package version 1.1.2+dfsg-6+deb7u16:

* Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allows attackers to execute arbitrary code on the QEMU host via a large ethlite packet. (CVE-2016-7161)

* vmware_vga: OOB stack memory access when processing svga command (CVE-2016-7170)

* The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags. (CVE-2016-7908)
Comment 11 Arvid Requate univentionstaff 2016-11-05 20:33:18 CET
Upstream Debian package version 1.1.2+dfsg-6+deb7u17 fixes these issues:

* usb: xHCI: infinite loop vulnerability in xhci_ring_fetch (CVE-2016-8576)
* 9pfs: host memory leakage in v9fs_read (CVE-2016-8577)
* 9pfs: potential NULL dereference in 9pfs routines (CVE-2016-8578)
* char: divide by zero error in serial_update_parameters (CVE-2016-8669)
Comment 12 Arvid Requate univentionstaff 2016-11-05 20:34:07 CET
*** Bug 42552 has been marked as a duplicate of this bug. ***
Comment 13 Arvid Requate univentionstaff 2016-11-08 18:48:56 CET
Another issue has been reported:

* usb: xhci memory leakage during device unplug (CVE-2016-7466)

[wheezy] - qemu <no-dsa> (Minor issue, needs qemu monitor access to unplug nec-xhci controller)
Comment 14 Arvid Requate univentionstaff 2016-11-08 18:54:31 CET
Upstream Debian package version 1.1.2+dfsg-6+deb7u18 fixes these issues:

* net: pcnet: check rx/tx descriptor ring length (CVE-2016-7909)
* audio: intel-hda: check stream entry count during transfer (CVE-2016-8909)
* net: rtl8139: limit processing of ring descriptors (CVE-2016-8910)
* net: eepro100: fix memory leak in device uninit (CVE-2016-9101)
* 9pfs: fix information leak in xattr read (CVE-2016-9102)
* 9pfs: fix memory leak in v9fs_xattrcreate (CVE-2016-9103)
* 9pfs: fix integer overflow issue in xattr read/write (CVE-2016-9104)
* 9pfs: fix memory leak in v9fs_link (CVE-2016-9105)
* 9pfs: fix memory leak in v9fs_write (CVE-2016-9106)
Comment 15 Arvid Requate univentionstaff 2016-11-08 18:55:29 CET
Of those, qemu-kvm is only affected by CVE-2016-7909, CVE-2016-8909 and CVE-2016-8910.
Comment 16 Arvid Requate univentionstaff 2016-11-10 21:20:50 CET
Advisories:
* qemu.yaml
* qemu-kvm.yaml
Comment 17 Philipp Hahn univentionstaff 2016-11-29 17:28:58 CET
OK: errata-announce -V --only qemu.yaml
OK: errata-announce -V --only qemu-kvm.yaml
FIXED: qemu.yaml qemu-kvm.yaml # r74812

OK: aptitude install '?source-package(qemu)~i'
OK: zless /usr/share/doc/qemu-kvm/changelog.Debian.gz # 1.1.2+dfsg-6+deb7u18
OK: virsh
OK: suspend/resume
OK: VNC