Bug 42552 - qemu-kvm: multiple issues (4.1)
Status: RESOLVED DUPLICATE of bug 40920
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.1
Other Linux
Importance: P3 normal
Assigned To: Security maintainers
Depends on: 40634
Blocks:
Reported: 2016-10-04 15:44 CEST by Arvid Requate
Modified: 2017-06-01 18:34 CEST

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:
requate: Patch_Available+
Description Arvid Requate univentionstaff 2016-10-04 15:44:06 CEST
+++ This bug was initially created as a clone of Bug #40920 +++

Upstream Debian package version 1.1.2+dfsg-6a+deb7u13 fixes these issues:

* The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Portal" issue. (CVE-2016-3710)

* Integer overflow in the VGA module in QEMU allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) by editing VGA registers in VBE mode. (CVE-2016-3712)
Comment 1 Arvid Requate univentionstaff 2016-10-04 15:44:59 CEST
Additional issues fixed in 1.1.2+dfsg-6+deb7u14:

* Integer overflow in vnc_client_read() and protocol_client_msg() (CVE-2015-5239)

* The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not initialize the imm32 variable, which allows local guest OS administrators to obtain sensitive information from host stack memory by accessing the Task Priority Register (TPR). (CVE-2016-4020)

* The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion. (CVE-2016-5403)
Comment 2 Arvid Requate univentionstaff 2016-10-04 15:45:21 CEST
Upstream Debian package version 1.1.2+dfsg-6+deb7u15 fixes this additional issue:

* 9p: directory traversal flaw in 9p virtio backend (CVE-2016-7116)
Comment 3 Arvid Requate univentionstaff 2016-10-13 15:08:00 CEST
Fixed in upstream Debian package version 1.1.2+dfsg-6+deb7u16:

* Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allows attackers to execute arbitrary code on the QEMU host via a large ethlite packet. (CVE-2016-7161)

* vmware_vga: OOB stack memory access when processing svga command (CVE-2016-7170)

* The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags. (CVE-2016-7908)

CVSS v3 base scores:
CVE-2016-7161: 8.5 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
CVE-2016-7170: 3.5 (CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L)
CVE-2016-7908: 3.0 (CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L)
Comment 4 Arvid Requate univentionstaff 2016-11-05 20:34:07 CET
Let's simply track this together with qemu itself, they are getting released in parallel.

*** This bug has been marked as a duplicate of bug 40920 ***