{ "schema_version": "1.6.2", "id": "MGASA-2016-0176", "published": "2016-05-18T20:14:22Z", "modified": "2016-05-18T20:04:18Z", "summary": "Updated qemu packages fix security vulnerabilities", "details": "Updated qemu packages fix security vulnerabilities:\n\nAn out-of-bounds flaw was found in the QEMU emulator built using\n'address_space_translate' to map an address to a MemoryRegionSection. The\nflaw could occur while doing pci_dma_read/write calls, resulting in an\nout-of-bounds read-write access error. A privileged user inside a guest could\nuse this flaw to crash the guest instance (denial of service) (CVE-2015-8817,\nCVE-2015-8818).\n\nA NULL-pointer dereference flaw was found in the QEMU emulator built with TPR\noptimization for 32-bit Windows guests support. The flaw occurs when doing\nI/O-port write operations from the HMP interface. The 'current_cpu' value\nremains null because it is not called from the cpu_exec() loop, and\ndereferencing it results in the flaw. An attacker with access to the HMP\ninterface could use this flaw to crash the QEMU instance (denial of service)\n(CVE-2016-1922).\n\nIt was discovered that QEMU incorrectly handled the e1000 device. An\nattacker inside the guest could use this issue to cause QEMU to crash,\nresulting in a denial of service (CVE-2016-1981).\n\nZuozhi Fzz discovered that QEMU incorrectly handled IDE AHCI emulation. An\nattacker inside the guest could use this issue to cause QEMU to crash,\nresulting in a denial of service (CVE-2016-2197).\n\nZuozhi Fzz discovered that QEMU incorrectly handled USB EHCI emulation. An\nattacker inside the guest could use this issue to cause QEMU to crash,\nresulting in a denial of service (CVE-2016-2198).\n\nZuozhi Fzz discovered that QEMU incorrectly handled USB OHCI emulation\nsupport. A privileged attacker inside the guest could use this issue to\ncause QEMU to crash, resulting in a denial of service (CVE-2016-2391).\n\nQinghao Tang discovered that QEMU incorrectly handled USB Net emulation\nsupport. A privileged attacker inside the guest could use this issue to\ncause QEMU to crash, resulting in a denial of service (CVE-2016-2392).\n\nQinghao Tang discovered that QEMU incorrectly handled USB Net emulation\nsupport. A privileged attacker inside the guest could use this issue to\ncause QEMU to crash, resulting in a denial of service, or possibly leak\nhost memory bytes (CVE-2016-2538).\n\nHongke Yang discovered that QEMU incorrectly handled NE2000 emulation\nsupport. A privileged attacker inside the guest could use this issue to\ncause QEMU to crash, resulting in a denial of service (CVE-2016-2841).\n\nLing Liu discovered that QEMU incorrectly handled IP checksum routines. An\nattacker inside the guest could use this issue to cause QEMU to crash,\nresulting in a denial of service, or possibly leak host memory bytes\n(CVE-2016-2857).\n\nIt was discovered that QEMU incorrectly handled the PRNG back-end support.\nAn attacker inside the guest could use this issue to cause QEMU to crash,\nresulting in a denial of service (CVE-2016-2858).\n\nWei Xiao and Qinghao Tang discovered that QEMU incorrectly handled access\nin the VGA module. A privileged attacker inside the guest could use this\nissue to cause QEMU to crash, resulting in a denial of service, or possibly\nexecute arbitrary code on the host. In the default installation, when QEMU\nis used with libvirt, attackers would be isolated by the libvirt AppArmor\nprofile (CVE-2016-3710).\n\nZuozhi Fzz discovered that QEMU incorrectly handled access in the VGA\nmodule. A privileged attacker inside the guest could use this issue to\ncause QEMU to crash, resulting in a denial of service, or possibly\nexecute arbitrary code on the host. In the default installation, when QEMU\nis used with libvirt, attackers would be isolated by the libvirt AppArmor\nprofile (CVE-2016-3712).\n\nOleksandr Bazhaniuk discovered that QEMU incorrectly handled Luminary\nMicro Stellaris ethernet controller emulation. A remote attacker could use\nthis issue to cause QEMU to crash, resulting in a denial of service\n(CVE-2016-4001).\n\nOleksandr Bazhaniuk discovered that QEMU incorrectly handled MIPSnet\ncontroller emulation. A remote attacker could use this issue to cause QEMU\nto crash, resulting in a denial of service (CVE-2016-4002).\n\nDonghai Zdh discovered that QEMU incorrectly handled the Task Priority\nRegister(TPR). A privileged attacker inside the guest could use this issue\nto possibly leak host memory bytes (CVE-2016-4020).\n\nDu Shaobo discovered that QEMU incorrectly handled USB EHCI emulation\nsupport. A privileged attacker inside the guest could use this issue to\ncause QEMU to consume resources, resulting in a denial of service\n(CVE-2016-4037).\n\nThe qemu package has been updated to version 2.4.1 and patched to fix these\nissues.\n", "related": [ "CVE-2015-8817", "CVE-2015-8818", "CVE-2016-1922", "CVE-2016-1981", "CVE-2016-2197", "CVE-2016-2198", "CVE-2016-2391", "CVE-2016-2392", "CVE-2016-2538", "CVE-2016-2841", "CVE-2016-2857", "CVE-2016-2858", "CVE-2016-3710", "CVE-2016-3712", "CVE-2016-4001", "CVE-2016-4002", "CVE-2016-4020", "CVE-2016-4037" ], "references": [ { "type": "ADVISORY", "url": "https://advisories.mageia.org/MGASA-2016-0176.html" }, { "type": "REPORT", "url": "https://bugs.mageia.org/show_bug.cgi?id=17534" }, { "type": "REPORT", "url": "http://wiki.qemu.org/ChangeLog/2.2" }, { "type": "REPORT", "url": "http://wiki.qemu.org/ChangeLog/2.3" }, { "type": "REPORT", "url": "http://wiki.qemu.org/ChangeLog/2.4" }, { "type": "REPORT", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1300771" }, { "type": "REPORT", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1283934" }, { "type": "REPORT", "url": "http://www.ubuntu.com/usn/usn-2891-1/" }, { "type": "REPORT", "url": "http://www.ubuntu.com/usn/usn-2974-1/" } ], "affected": [ { "package": { "ecosystem": "Mageia:5", "name": "qemu", "purl": "pkg:rpm/mageia/qemu?arch=source&distro=mageia-5" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.4.1-5.mga5" } ] } ], "ecosystem_specific": { "section": "core" } } ], "credits": [ { "name": "Mageia", "type": "COORDINATOR", "contact": [ "https://wiki.mageia.org/en/Packages_Security_Team" ] } ] }