Bug 47303 - qemu: Multiple issues (4.3)
qemu: Multiple issues (4.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.3
All Linux
: P3 normal (vote)
: UCS 4.3-1-errata
Assigned To: Quality Assurance
Erik Damrose
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-07-04 15:24 CEST by Philipp Hahn
Modified: 2018-07-18 14:12 CEST (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 7.8 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Philipp Hahn univentionstaff 2018-07-04 15:24:46 CEST
New Debian qemu 1:2.8+dfsg-6+deb9u4A~4.3.1.201807041524 fixes:
This update addresses the following issue(s):
* 
CVE_2016-10028 is open
CVE_2017-5552 is open
CVE_2017-5578 is open
* Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. (CVE-2017-5715)
CVE_2017-8284 is open
CVE_2017-9060 is open
CVE_2017-9503 is open
* Race condition in the v9fs_xattrwalk function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes. (CVE-2017-15038)
CVE_2017-15119 is resolved
* VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, VNC server allocates growing memory to hold onto this data. A malicious remote VNC client could use this flaw to cause DoS to the server host. (CVE-2017-15124)
* Qemu through 2.10.0 allows remote attackers to cause a memory leak by triggering slow data-channel read operations, related to io/channel-websock.c. (CVE-2017-15268)
* The mode4and5 write functions in hw/display/cirrus_vga.c in Qemu allow local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation. (CVE-2017-15289)
* hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' values during guest migration, leading to out-of-bounds access. (CVE-2017-16845)
* The Virtio Vring implementation in QEMU allows local OS guest users to cause a denial of service (divide-by-zero error and QEMU process crash) by unsetting vring alignment while updating Virtio rings. (CVE-2017-17381)
* Integer overflow in the macro ROUND_UP (n, d) in Quick Emulator (Qemu) allows a user to cause a denial of service (Qemu process crash). (CVE-2017-18043)
* The vga_draw_text function in Qemu allows local OS guest privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging improper memory address validation. (CVE-2018-5683)
* The load_multiboot function in hw/i386/multiboot.c in Quick Emulator (aka QEMU) allows local guest OS users to execute arbitrary code on the QEMU host via a mh_load_end_addr value greater than mh_bss_end_addr, which triggers an out-of-bounds read or write memory access. (CVE-2018-7550)
CVE_2018-11806 is open
CVE_2018-12617 is open

1:2.8+dfsg-6+deb9u4 (Sat, 26 May 2018 13:06:04 +0300)
  * CVE-2017-5715 (spectre/meltdown) fixes for i386 and s390x:
    CVE-2017-5715/i386-increase-X86CPUDefinition-model_id-to-49.patch
    CVE-2017-5715/i386-add-support-for-SPEC_CTRL-MSR.patch
    CVE-2017-5715/i386-add-spec-ctrl-CPUID-bit.patch
    CVE-2017-5715/i386-add-FEAT_8000_0008_EBX-CPUID-feature-word.patch
    CVE-2017-5715/i386-add-new-IBRS-versions-of-Intel-CPU-models.patch
    CVE-2017-5715/s390x-kvm-introduce-branch-prediction-blocking-contr.patch
    CVE-2017-5715/s390x-kvm-handle-bpb-feature.patch
, CVE-2017-5715
  * multiboot-bss_end_addr-can-be-zero-CVE-2018-7550.patch
, CVE-2018-7550
  * vga-check-the-validation-of-memory-addr-when-draw-text-CVE-2018-5683.patch
, CVE-2018-5683
  * osdep-fix-ROUND_UP-64-bit-32-bit-CVE-2017-18043.patch
    Closes: CVE-2017-18043
  * virtio-check-VirtQueue-Vring-object-is-set-CVE-2017-17381.patch
, CVE-2017-17381
  * ps2-check-PS2Queue-pointers-in-post_load-routine-CVE-2017-16845.patch
, CVE-2017-16845
  * cirrus-fix-oob-access-in-mode4and5-write-functions-CVE-2017-15289.patch
, CVE-2017-15289
  * io-monitor-encoutput-buffer-size-from-websocket-GSource-CVE-2017-15268.patch
, CVE-2017-15268
  * nbd-server-CVE-2017-15119-Reject-options-larger-than-32M.patch
, CVE-2017-15119
  * 9pfs-use-g_malloc0-to-allocate-space-for-xattr-CVE-2017-15038.patch
, CVE-2017-15038
  * CVE-2017-15124 (VNC server unbounded memory usage) fixes:
    CVE-2017-15124/01-ui-remove-sync-parameter-from-vnc_update_client.patch
    CVE-2017-15124/02-ui-remove-unreachable-code-in-vnc_update_client.patch
    CVE-2017-15124/03-ui-remove-redundant-indentation-in-vnc_client_update.patch
    CVE-2017-15124/04-ui-avoid-pointless-VNC-updates-if-framebuffer-isn-t-.patch
    CVE-2017-15124/05-ui-track-how-much-decoded-data-we-consumed-when-doin.patch
    CVE-2017-15124/06-ui-introduce-enum-to-track-VNC-client-framebuffer-up.patch
    CVE-2017-15124/07-ui-correctly-reset-framebuffer-update-state-after-pr.patch
    CVE-2017-15124/08-ui-refactor-code-for-determining-if-an-update-should.patch
    CVE-2017-15124/09-ui-fix-VNC-client-throttling-when-audio-capture-is-a.patch
    CVE-2017-15124/10-ui-fix-VNC-client-throttling-when-forced-update-is-r.patch
    CVE-2017-15124/11-ui-place-a-hard-cap-on-VNC-server-output-buffer-size.patch
    CVE-2017-15124/12-ui-add-trace-events-related-to-VNC-client-throttling.patch
    CVE-2017-15124/13-ui-mix-misleading-comments-return-types-of-VNC-I-O-h.patch
, CVE-2017-15124
* CVE-2017-5715 hw: cpu: speculative execution branch target injection (CVE-2017-5715)
* CVE-2017-15038 Qemu: 9p: virtfs: information disclosure when reading extended attributes (CVE-2017-15038)
* CVE-2017-15124 Qemu: memory exhaustion through framebuffer update request message in VNC server (CVE-2017-15124)
* CVE-2017-15268 QEMU: I/O: potential memory exhaustion via websock connection to VNC (CVE-2017-15268)
* CVE-2017-15289 Qemu: cirrus: OOB access issue in mode4and5 write functions (CVE-2017-15289)
* CVE-2017-16845 Qemu: ps2: information leakage via post_load routine (CVE-2017-16845)
* CVE-2017-17381 Qemu: virtio: divide by zero exception while updating rings (CVE-2017-17381)
* CVE-2017-18043 Qemu: integer overflow in ROUND_UP macro could result in DoS (CVE-2017-18043)
* CVE-2018-5683 Qemu: Out-of-bounds read in vga_draw_text routine (CVE-2018-5683)
* CVE-2018-7550 QEMU: i386: multiboot OOB access while loading kernel image (CVE-2018-7550)
Comment 1 Philipp Hahn univentionstaff 2018-07-04 18:16:11 CEST
b84072736e Bug #47303: qemu 1:2.8+dfsg-6+deb9u4A~4.3.1.201807041541
 doc/errata/staging/qemu.yaml | 56 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)

<http://10.200.17.11/4.3-1/#1309398838209178399>
Comment 2 Erik Damrose univentionstaff 2018-07-17 18:09:45 CEST
OK: patches from previous version applied
OK: start stop pause/resume snapshot
OK: revert to running snapshot from previous qemu version
OK: yaml
Verified
Comment 3 Erik Damrose univentionstaff 2018-07-18 14:12:48 CEST
<http://errata.software-univention.de/ucs/4.3/150.html>