Univention Bugzilla – Bug 33279
qemu-kvm: Multiple issues (3.2)
Last modified: 2015-08-05 15:57:16 CEST
+++ This bug was initially created as a clone of Bug #29907 +++
Buffer overflow in the e1000 driver (CVE-2012-6075)
There is a long range of security issues which will not be backported to UCS 3.x:
CVE-2013-4148 CVE-2013-4149 CVE-2013-4150 CVE-2013-4151 CVE-2013-4526 CVE-2013-4527 CVE-2013-4529 CVE-2013-4530 CVE-2013-4531 CVE-2013-4532 CVE-2013-4533 CVE-2013-4534 CVE-2013-4535 CVE-2013-4536 CVE-2013-4537 CVE-2013-4538 CVE-2013-4539 CVE-2013-4540 CVE-2013-4541 CVE-2013-4542 CVE-2013-6399
These are all about saving/restoring the status of VMs. This would allow theoretical attacks where malformed status files of a VM are migrated to a different host and trigger code execution. In UCS all UVMM nodes are under the control of the administrator.
Buffer overflow in virtio-net (CVE-2014-0150)
Buffer overflow in processing SMART commands in the emulated IDE adaptor (CVE-2014-2894)
CVE-2014-0142: Denial of service through division by zero in parallels driver
CVE-2014-0143: Integer overflows in various block drivers
CVE-2014-0144: Memory corruption in various block drivers
CVE-2014-0145: Buffer overflows in block drivers
CVE-2014-0146: NULL pointer dereference in qcow driver
CVE-2014-0147: Missing input sanitising in qcow driver
CVE-2014-0182 virtio: out-of-bounds buffer write on state load with invalid config_len
Out of bounds access in parsing qcow1 images (CVE-2014-0223, CVE-2014-0222)
Buffer overflow in USB state handling after migration (CVE-2014-3461)
NULL pointer dereference in SLIRP (CVE-2014-3640)
vmware_vga: insufficient parameter validation in rectangle functions (CVE-2014-3689)
Missing sanitising of the bits_per_pixel value in the VNC display driver (CVE-2014-7815)
For UCS 3.2, this leaves the following vulnerabilities to be fixed:
Buffer overflow in the e1000 driver (CVE-2012-6075)
Buffer overflow in virtio-net (CVE-2014-0150)
Buffer overflow in processing SMART commands in the emulated IDE adaptor (CVE-2014-2894)
Denial of service through division by zero in parallels driver (CVE-2014-0142)
Integer overflows in various block drivers (CVE-2014-0143)
Memory corruption in various block drivers (CVE-2014-0144)
Buffer overflows in block drivers (CVE-2014-0145)
NULL pointer dereference in qcow driver (CVE-2014-0146)
Missing input sanitising in qcow driver (CVE-2014-0147)
Out of bounds access in parsing qcow1 images (CVE-2014-0223, CVE-2014-0222)
NULL pointer dereference in SLIRP (CVE-2014-3640)
vmware_vga: insufficient parameter validation in rectangle functions (CVE-2014-3689)
Missing sanitising of the bits_per_pixel value in the VNC display driver (CVE-2014-7815)
CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151, CVE-2013-4526, CVE-2013-4527, CVE-2013-4529, CVE-2014-4530, CVE-2013-4531, CVE-2013-4532, CVE-2013-4533, CVE-2013-4534, CVE-2013-4535, CVE-2013-4536, CVE-2013-4537, CVE-2013-4538, CVE-2013-4539, CVE-2013-4540, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461 and CVE-2014-7840 are for various minor security vulnerabilities in loading/processing state files. Exploitation is mostly theoretical; either during live migration (but in UVMM all virtualisation nodes are part of the same trust context) or when processing a malformed memory image provided by a malicious party. The fixes are very intrusive and have been skipped in Debian since the risk of introducing data loss regressions exceeds the potential risk. For UCS 3.2 and 4.0 (which use the same version of KVM) we're doing the same as in Debian.
Missing access checks in the Cirrus VGA emulator may result in privilege escalation (CVE-2014-8106)
qemu-kvm shares the same base version in 3.2 and 4.0. Once we release an update in 3.2, we need to add a similar downgrade step to the preup as we already do for Firefox. Otherwise the version in 3.2-x would be higher than the one in 4.0-0 and it would interrupt the update.
VGA emulator in QEMU allows local guest users to read host memory by setting the display to a high resolution (CVE-2014-3615)
* Virtualized Environment Neglected Operations Manipulation (VENOM) vulnerability in QEMU's virtual Floppy Disk Controller (CVE-2015-3456)
$ repo_admin.py -U -p qemu-kvm -d wheezy -r 3.2-0-0 -s errata3.2-6

All CVEs (except those from comment #12) from this bug have been fixed in Debian 6+deb7u7. It also fixes CVE-2013-4344, which isn't mentioned here, as it is relevant in UCS.

r14773 | Bug #33279 qemu-kvm: debian/changelog quilt refresh
r14774 | Bug #33279 qemu-kvm: debian/changelog

$ (cd /var/univention/buildsystem2/mirror/ftp/;find {3.2,4.0}/maintained/ -name qemu-kvm_\* -printf '%f\t%h\n')|sort -V
qemu-kvm_1.1.2+dfsg-6.28.201307262155_amd64.deb	3.2/maintained/3.2-0/amd64
qemu-kvm_1.1.2+dfsg-6.28.201307262155_i386.deb	3.2/maintained/3.2-0/i386
qemu-kvm_1.1.2+dfsg-6.36.201411131534_amd64.deb	4.0/maintained/4.0-0/amd64
qemu-kvm_1.1.2+dfsg-6.36.201411131534_i386.deb	4.0/maintained/4.0-0/i386
qemu-kvm_1.1.2+dfsg-6.43.201501191249_amd64.deb	4.0/maintained/4.0-1/amd64
qemu-kvm_1.1.2+dfsg-6.43.201501191249_amd64.deb	4.0/maintained/component/4.0-0-errata/amd64
qemu-kvm_1.1.2+dfsg-6.43.201501191249_i386.deb	4.0/maintained/4.0-1/i386
qemu-kvm_1.1.2+dfsg-6.43.201501191249_i386.deb	4.0/maintained/component/4.0-0-errata/i386
qemu-kvm_1.1.2+dfsg-6.44.201505131916_amd64.deb	4.0/maintained/component/4.0-1-errata/amd64
qemu-kvm_1.1.2+dfsg-6.44.201505131916_amd64.deb	4.0/maintained/component/4.0-2-errata/amd64
qemu-kvm_1.1.2+dfsg-6.44.201505131916_i386.deb	4.0/maintained/component/4.0-1-errata/i386
qemu-kvm_1.1.2+dfsg-6.44.201505131916_i386.deb	4.0/maintained/component/4.0-2-errata/i386

$ dpkg --compare-versions 1.1.2+dfsg-6.28.201307262155 lt 1.1.2+dfsg-6.29.45.201505221302 ; echo $?
0
$ dpkg --compare-versions 1.1.2+dfsg-6.29.45.201505221302 lt 1.1.2+dfsg-6.36.201411131534 ; echo $?
0

$ b32-scope errata3.2-6 qemu-kvm
Successful build
Package: qemu-kvm
Version: 1.1.2+dfsg-6.29.45.201505221302
Branch: ucs_3.2-0
Scope: errata3.2-6

r60850 | Bug #33279: qemu-kvm errata3.1-6
YAML 2015-05-22-qemu-kvm.yaml
*** Bug 38669 has been marked as a duplicate of this bug. ***
wheezy-security package version 1.1.2+dfsg-6+deb7u8 fixes these additional issues:
* Denial of service due to insecure temporary file use in /net/slirp.c (CVE-2015-4037) [minor]
* A privileged guest user in a guest with an AMD PCNet ethernet card enabled can potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process (CVE-2015-3209)
repo_admin.py --cherrypick -r 4.0 -s errata4.0-2 --releasedest 3.2 --dest errata3.2-6 -p qemu-kvm
build-package-ng -r 3.2-0-0 -P ucs -s errata3.2-6 --no-pbuilder-update -p qemu-kvm
Package: qemu-kvm
Version: 1.1.2+dfsg-6.29.46.201506231342
Branch: ucs_3.2-0
Scope: errata3.2-6

r61418 | Bug #33279: qemu-kvm errata3.2-6
YAML 2015-05-22-qemu-kvm.yaml

OK: apt-cache policy qemu-kvm
OK: deb-ver-comp 1.1.2+dfsg-6.28.201307262155 1.1.2+dfsg-6.29.45.201505221302 1.1.2+dfsg-6.44.201505131916
OK: zless /usr/share/doc/qemu-kvm/changelog.Debian.gz
OK: univention-install qemu-kvm=1.1.2+dfsg-6.28.201307262155
OK: univention-install qemu-kvm=1.1.2+dfsg-6.29.45.201505221302
OK: apt-get remove qemu-kvm
OK: univention-install qemu-kvm
OK: apt-get purge qemu-kvm
OK: univention-install qemu-kvm
OK: apt-get remove qemu-kvm
OK: apt-get purge qemu-kvm
OK: amd64 i386
Tests (amd64): OK Advisory: OK
<http://errata.univention.de/ucs/3.2/349.html>