Arch Linux Security Advisory ASA-201606-8
========================================
Severity: Critical
Date    : 2016-06-08
CVE-ID  : CVE-2015-8558 CVE-2016-3710 CVE-2016-3712 CVE-2016-5105
          CVE-2016-5106 CVE-2016-5107
Package : qemu-arch-extra
Type    : multiple issues
Remote  : No
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package qemu-arch-extra before version 2.6.0-1 is vulnerable to
multiple issues including denial of service, information leakage and
arbitrary code execution.

Resolution
=========
Upgrade to 2.6.0-1.

# pacman -Syu "qemu-arch-extra>=2.6.0-1"

The problems have been fixed upstream in version 2.6.0.

Workaround
=========
None.

Description
==========
- CVE-2015-8558 (denial of service)

An infinite-loop issue was found in the QEMU emulator built with USB
EHCI emulation support. The flaw occurred during communication between
the host controller interface (EHCI) and a respective device driver.
These two communicate using an isochronous transfer descriptor
list (iTD); because the list lives in guest memory, a guest can close it
into a loop, and the emulator then followed the links forever. A
privileged user inside a guest could use this flaw to consume excessive
resources and cause a denial of service.
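
The descriptor walk behind this entry, as an added example that is not
QEMU's hcd-ehci code: a constructed guest RAM holds two chains of iTD
link words, one terminated and one closed into a loop. The naive walker
follows the guest's links until it sees Terminate and so never returns
on the loop (the NAIVE_GIVE_UP limit exists only so this demo finishes;
the real flaw had no such limit), while the bounded walker stops after a
fixed per-pass budget. MAX_ITD_PER_PASS, the link layout and the
addresses are assumptions chosen for the demo, not values taken from
upstream's fix.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed guest RAM and a minimal iTD model (example code, not QEMU's
 * hw/usb/hcd-ehci.c). Only the Next Link Pointer word of each iTD is
 * modelled: bit 0 = Terminate, bits 31:5 = address of the next iTD. The
 * guest owns this memory, so it can make the chain point back on itself. */
#define GUEST_RAM_SIZE   4096u
#define LINK_TERMINATE   1u
#define LINK_ADDR_MASK   0xffffffe0u

#define WALK_BAD_PTR     (-1)  /* link points outside guest RAM */
#define WALK_SPINNING    (-2)  /* naive walker still looping after NAIVE_GIVE_UP */
#define WALK_CAPPED      (-3)  /* bounded walker hit MAX_ITD_PER_PASS */

/* Assumed per-pass budget; the value is an example, not upstream's. */
#define MAX_ITD_PER_PASS 64
/* Exists only so the vulnerable demo returns; the real flaw had no limit. */
#define NAIVE_GIVE_UP    (1u << 20)

typedef struct { uint8_t ram[GUEST_RAM_SIZE]; } guest_mem;

static int read_link(const guest_mem *g, uint32_t addr, uint32_t *out)
{
    if (addr > GUEST_RAM_SIZE - 4) return -1;
    memcpy(out, g->ram + addr, sizeof *out);
    return 0;
}

static void write_itd(guest_mem *g, uint32_t addr, uint32_t next_link)
{
    memcpy(g->ram + addr, &next_link, sizeof next_link);
}

/* Vulnerable shape: follow Next Link until Terminate; a closed loop never
 * terminates, so the emulation thread spins. Returns iTDs processed. */
static int walk_itd_list_naive(const guest_mem *g, uint32_t head)
{
    uint32_t link = head, next, steps = 0;
    int count = 0;
    while (!(link & LINK_TERMINATE)) {
        if (read_link(g, link & LINK_ADDR_MASK, &next) < 0) return WALK_BAD_PTR;
        count++;
        link = next;
        if (++steps == NAIVE_GIVE_UP) return WALK_SPINNING;
    }
    return count;
}

/* Hardened shape: the same walk with a fixed budget, so a malicious or
 * corrupt list costs at most MAX_ITD_PER_PASS iterations per pass. */
static int walk_itd_list_bounded(const guest_mem *g, uint32_t head)
{
    uint32_t link = head, next;
    int count = 0;
    while (!(link & LINK_TERMINATE)) {
        if (count >= MAX_ITD_PER_PASS) return WALK_CAPPED;
        if (read_link(g, link & LINK_ADDR_MASK, &next) < 0) return WALK_BAD_PTR;
        count++;
        link = next;
    }
    return count;
}

/* Two constructed chains: benign 0x100 -> 0x120 -> 0x140 -> Terminate,
 * and cyclic 0x200 -> 0x220 -> 0x200 (tail pointed back at the head). */
static void build_lists(guest_mem *g)
{
    memset(g, 0, sizeof *g);
    write_itd(g, 0x100, 0x120);
    write_itd(g, 0x120, 0x140);
    write_itd(g, 0x140, LINK_TERMINATE);
    write_itd(g, 0x200, 0x220);
    write_itd(g, 0x220, 0x200);
}

/* Runs one walker over a freshly built guest RAM. */
static int walk_constructed(uint32_t head, int hardened)
{
    guest_mem g;
    build_lists(&g);
    return hardened ? walk_itd_list_bounded(&g, head)
                    : walk_itd_list_naive(&g, head);
}

int main(void)
{
    printf("benign: naive=%d bounded=%d\n",
           walk_constructed(0x100, 0), walk_constructed(0x100, 1));
    printf("cyclic: naive=%d bounded=%d\n",
           walk_constructed(0x200, 0), walk_constructed(0x200, 1));
    return 0;
}
```

The bounded walker deliberately does not try to detect the cycle; a
budget is cheaper than cycle detection, needs no extra memory, and also
covers chains that are merely very long rather than circular.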

- CVE-2016-3710 (arbitrary code execution)

An out-of-bounds read/write access flaw was found in the way QEMU's VGA
emulation with VESA BIOS Extensions (VBE) support performed read/write
operations using I/O port methods. A privileged guest user could use
this flaw to execute arbitrary code on the host with the privileges of
the host's QEMU process.

- CVE-2016-3712 (denial of service)

QEMU built with VGA emulation support is vulnerable to an integer
overflow and out-of-bounds read issue. This occurs because QEMU allows
certain VGA registers to be set while in VBE mode. A privileged guest
user could use this flaw to crash the QEMU process, resulting in a
denial of service.

- CVE-2016-5105 (information leakage)

QEMU built with the MegaRAID SAS 8708EM2 Host Bus Adapter emulation
support is vulnerable to an information leakage issue. It could occur
while processing a MegaRAID Firmware Interface (MFI) command to read the
device configuration in 'megasas_dcmd_cfg_read'. A privileged user
inside the guest could use this flaw to leak bytes of host memory.

- CVE-2016-5106 (denial of service)

QEMU built with the MegaRAID SAS 8708EM2 Host Bus Adapter emulation
support is vulnerable to an out-of-bounds write access issue. It could
occur while processing a MegaRAID Firmware Interface (MFI) command to
set controller properties in 'megasas_dcmd_set_properties'. A privileged
user inside the guest could use this flaw to crash the QEMU process on
the host, resulting in a denial of service.

- CVE-2016-5107 (denial of service)

QEMU built with the MegaRAID SAS 8708EM2 Host Bus Adapter emulation
support is vulnerable to an out-of-bounds read access issue. It could
occur while looking up MegaRAID Firmware Interface (MFI) command frames
in the 'megasas_lookup_frame' routine. A privileged user inside the
guest could use this flaw to read invalid memory and crash the QEMU
process on the host.
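
The three megasas entries above share one shape: a DCMD handler takes a
size or address from the guest's command frame and uses it against a
fixed-size host object. The following is an added example of that shape
and of the checks the descriptions imply a fix needs; it is constructed
for this advisory and is not QEMU's hw/scsi/megasas.c. The controller
layout, the field names, the reply-buffer reuse and the frame base
address are all assumptions, and the vulnerable and hardened paths are
selected by a flag so both can be run side by side.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a megasas-style controller (example code, not
 * QEMU's hw/scsi/megasas.c); field names and sizes are assumptions. */
#define MAX_FRAMES   16u
#define FRAME_SIZE   64u
#define PROPS_SIZE   32u
#define SCRATCH_SIZE 64u
#define FRAMES_BASE  0x10000u      /* assumed guest-physical address of frame 0 */
#define CANARY       0xC0FFEE42u

typedef struct {
    uint8_t  props[PROPS_SIZE];     /* controller properties, guest-settable */
    uint32_t canary;                /* stands in for whatever follows props */
    uint8_t  spare[64];             /* keeps the demo overflow inside the object */
    uint8_t  scratch[SCRATCH_SIZE]; /* reused reply buffer holding stale bytes */
} controller;

static void controller_init(controller *s)
{
    memset(s, 0, sizeof *s);
    s->canary = CANARY;
    memset(s->scratch, 0xAA, SCRATCH_SIZE);  /* constructed stale host data */
}

/* CVE-2016-5105 shape: fill sizeof cfg bytes of the reply, copy dcmd_size.
 * Returns how many bytes beyond the filled part reached the guest non-zero. */
static size_t dcmd_cfg_read(controller *s, uint8_t *guest_out,
                            size_t dcmd_size, int hardened)
{
    const uint8_t cfg[8] = { 0x01, 0x00, 0x02, 0x00, 0x10, 0x00, 0x00, 0x00 };
    size_t leaked = 0, i;

    if (dcmd_size > SCRATCH_SIZE) dcmd_size = SCRATCH_SIZE;
    if (hardened) memset(s->scratch, 0, SCRATCH_SIZE); /* fix: zero before use */
    memcpy(s->scratch, cfg, sizeof cfg);
    memcpy(guest_out, s->scratch, dcmd_size);
    for (i = sizeof cfg; i < dcmd_size; i++) leaked += guest_out[i] != 0;
    return leaked;
}

/* CVE-2016-5106 shape: guest-chosen dcmd_size copied into fixed-size props.
 * Returns 0 if applied, -1 if rejected. */
static int dcmd_set_properties(controller *s, const uint8_t *guest_in,
                               size_t dcmd_size, int hardened)
{
    if (hardened && dcmd_size != PROPS_SIZE) return -1;   /* fix: exact size */
    /* demo-only guard so the overflow stays inside this object */
    if (dcmd_size > PROPS_SIZE + sizeof s->canary + sizeof s->spare) return -1;
    memcpy((uint8_t *)s + offsetof(controller, props), guest_in, dcmd_size);
    return 0;
}

/* CVE-2016-5107 shape: frame index derived from a guest-supplied address.
 * Returns the index, or -1 when the hardened checks reject it; the
 * unhardened path returns whatever the arithmetic gives, which the real
 * code then used as an array index into the frame table. */
static int lookup_frame(uint64_t frame_addr, int hardened)
{
    uint64_t off;
    if (!hardened) return (int)((frame_addr - FRAMES_BASE) / FRAME_SIZE);
    if (frame_addr < FRAMES_BASE) return -1;
    off = frame_addr - FRAMES_BASE;
    if (off % FRAME_SIZE != 0 || off / FRAME_SIZE >= MAX_FRAMES) return -1;
    return (int)(off / FRAME_SIZE);
}

/* Helpers that run each path on a fresh controller. */
static int leaked_bytes(int hardened)
{
    controller s; uint8_t out[SCRATCH_SIZE];
    controller_init(&s);
    return (int)dcmd_cfg_read(&s, out, SCRATCH_SIZE, hardened);
}

static int canary_survives(int hardened)
{
    controller s; uint8_t payload[PROPS_SIZE + 8];   /* 8 bytes too many */
    controller_init(&s);
    memset(payload, 0x41, sizeof payload);
    dcmd_set_properties(&s, payload, sizeof payload, hardened);
    return s.canary == CANARY;
}

int main(void)
{
    printf("cfg_read leaked bytes   : vulnerable=%d hardened=%d\n",
           leaked_bytes(0), leaked_bytes(1));
    printf("set_properties canary ok: vulnerable=%d hardened=%d\n",
           canary_survives(0), canary_survives(1));
    printf("lookup_frame index 1000 : vulnerable=%d hardened=%d\n",
           lookup_frame(FRAMES_BASE + 1000 * FRAME_SIZE, 0),
           lookup_frame(FRAMES_BASE + 1000 * FRAME_SIZE, 1));
    return 0;
}
```

The common rule is that every length, offset or address read from a
guest-written command frame is untrusted input: reply buffers are zeroed
before partial fills, copy sizes are compared against the destination
object, and derived indices are range-checked and alignment-checked
before they touch a host array.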


Impact
=====
An attacker inside the guest system is able to cause excessive resource
consumption, crash the QEMU process, leak information from the host
system and execute arbitrary code on the host with the privileges of the
QEMU process.

References
=========
https://access.redhat.com/security/cve/CVE-2015-8558
https://access.redhat.com/security/cve/CVE-2016-3710
https://access.redhat.com/security/cve/CVE-2016-3712
https://access.redhat.com/security/cve/CVE-2016-5105
https://access.redhat.com/security/cve/CVE-2016-5106
https://access.redhat.com/security/cve/CVE-2016-5107
