Scientific Linux: Important KVM Security Update - CVE-2010-0297

Date: Tue, 9 Feb 2010 10:20:15 -0600
Reply-To: Troy Dawson 
Sender: Security Errata for Scientific Linux
 
From: Troy Dawson 
Subject: FASTBUGS for SL 4.x i386/x86_64
Comments: To: "This email address is being protected from spambots. You need JavaScript enabled to view it."
 

The following FASTBUGS have been uploaded to

 i386:
audit-1.0.16-4.el4_8.1.i386.rpm
audit-libs-1.0.16-4.el4_8.1.i386.rpm
audit-libs-devel-1.0.16-4.el4_8.1.i386.rpm
bind-9.2.4-30.el4_8.5.i386.rpm
bind-chroot-9.2.4-30.el4_8.5.i386.rpm
bind-devel-9.2.4-30.el4_8.5.i386.rpm
bind-libs-9.2.4-30.el4_8.5.i386.rpm
bind-utils-9.2.4-30.el4_8.5.i386.rpm
nss_ldap-253-7.el4_8.1.i386.rpm
parted-1.6.19-23.EL.1.i386.rpm
parted-devel-1.6.19-23.EL.1.i386.rpm
rgmanager-1.9.87-1.el4_8.1.i386.rpm
 x86_64:
audit-1.0.16-4.el4_8.1.x86_64.rpm
audit-libs-1.0.16-4.el4_8.1.i386.rpm
audit-libs-1.0.16-4.el4_8.1.x86_64.rpm
audit-libs-devel-1.0.16-4.el4_8.1.x86_64.rpm
bind-9.2.4-30.el4_8.5.x86_64.rpm
bind-chroot-9.2.4-30.el4_8.5.x86_64.rpm
bind-devel-9.2.4-30.el4_8.5.x86_64.rpm
bind-libs-9.2.4-30.el4_8.5.i386.rpm
bind-libs-9.2.4-30.el4_8.5.x86_64.rpm
bind-utils-9.2.4-30.el4_8.5.x86_64.rpm
nss_ldap-253-7.el4_8.1.i386.rpm
nss_ldap-253-7.el4_8.1.x86_64.rpm
parted-1.6.19-23.EL.1.x86_64.rpm
parted-devel-1.6.19-23.EL.1.x86_64.rpm
rgmanager-1.9.87-1.el4_8.1.x86_64.rpm

-Connie Sieh
-Troy Dawson
Date: Tue, 9 Feb 2010 10:25:16 -0600
Reply-To: Troy Dawson 
Sender: Security Errata for Scientific Linux
 
From: Troy Dawson 
Subject: FASTBUGS for SL 5.x i386/x86_64
Comments: To: "This email address is being protected from spambots. You need JavaScript enabled to view it."
 

The following FASTBUGS have been uploaded to

 i386:
coolkey-1.1.0-14.el5.i386.rpm
coolkey-devel-1.1.0-14.el5.i386.rpm
esc-1.1.0-11.el5.i386.rpm
iscsi-initiator-utils-6.2.0.871-0.12.el5_4.1.i386.rpm
systemtap-0.9.7-5.el5_4.1.i386.rpm
systemtap-client-0.9.7-5.el5_4.1.i386.rpm
systemtap-initscript-0.9.7-5.el5_4.1.i386.rpm
systemtap-runtime-0.9.7-5.el5_4.1.i386.rpm
systemtap-sdt-devel-0.9.7-5.el5_4.1.i386.rpm
systemtap-server-0.9.7-5.el5_4.1.i386.rpm
systemtap-testsuite-0.9.7-5.el5_4.1.i386.rpm

 x86_64:
coolkey-1.1.0-14.el5.i386.rpm
coolkey-1.1.0-14.el5.x86_64.rpm
coolkey-devel-1.1.0-14.el5.i386.rpm
coolkey-devel-1.1.0-14.el5.x86_64.rpm
esc-1.1.0-11.el5.x86_64.rpm
iscsi-initiator-utils-6.2.0.871-0.12.el5_4.1.x86_64.rpm
systemtap-0.9.7-5.el5_4.1.x86_64.rpm
systemtap-client-0.9.7-5.el5_4.1.x86_64.rpm
systemtap-initscript-0.9.7-5.el5_4.1.x86_64.rpm
systemtap-runtime-0.9.7-5.el5_4.1.x86_64.rpm
systemtap-sdt-devel-0.9.7-5.el5_4.1.i386.rpm
systemtap-sdt-devel-0.9.7-5.el5_4.1.x86_64.rpm
systemtap-server-0.9.7-5.el5_4.1.x86_64.rpm
systemtap-testsuite-0.9.7-5.el5_4.1.x86_64.rpm

-Connie Sieh
-Troy Dawson
Date: Tue, 9 Feb 2010 11:33:28 -0600
Reply-To: Troy Dawson 
Sender: Security Errata for Scientific Linux
 
From: Troy Dawson 
Subject: Security ERRATA Important: kvm on SL5.4 i386/x86_64
Comments: To: "This email address is being protected from spambots. You need JavaScript enabled to view it."
 

Synopsis:	Important: kvm security and bug fix update
Issue date:	2010-02-09
CVE Names:	CVE-2010-0297 CVE-2010-0298 CVE-2010-0306
 CVE-2010-0309

The x86 emulator implementation was missing a check for the Current
Privilege Level (CPL) and I/O Privilege Level (IOPL). A user in a guest
could leverage these flaws to cause a denial of service (guest crash) or
possibly escalate their privileges within that guest. (CVE-2010-0298,
CVE-2010-0306)

A flaw was found in the Programmable Interval Timer (PIT) emulation.
Access to the internal data structure pit_state, which represents the
data state of the emulated PIT, was not properly validated in the
pit_ioport_read() function. A privileged guest user could use this flaw
to crash the host. (CVE-2010-0309)

A flaw was found in the USB passthrough handling code. A
specially-crafted USB packet sent from inside a guest could be used to
trigger a buffer overflow in the usb_host_handle_control() function,
which runs under the QEMU-KVM context on the host. A user in a guest
could leverage this flaw to cause a denial of service (guest hang or
crash) or possibly escalate their privileges within the host.
(CVE-2010-0297)

This update also fixes the following bugs:

* pvclock MSR values were not preserved during remote migration, causing
time drift for guests. (BZ#537028)

* SMBIOS table 4 data is now generated for Windows guests. (BZ#545874)

* if the qemu-kvm "-net user" option was used, unattended Windows XP
installations did not receive an IP address after reboot. (BZ#546562)

* when being restored from migration, a race condition caused Windows
Server 2008 R2 guests to hang during shutdown. (BZ#546563)

* the kernel symbol checking on the kvm-kmod build process has a safety
check for ABI changes. (BZ#547293)

* on hosts without high-res timers, Windows Server 2003 guests
experienced significant time drift. (BZ#547625)

* in some situations, installing Windows Server 2008 R2 from an ISO
image resulted in a blue screen "BAD_POOL_HEADER" stop error. (BZ#548368)

* a bug in the grow_refcount_table() error handling caused infinite
recursion in some cases. This caused the qemu-kvm process to hang and
eventually crash. (BZ#552159)

* for Windows Server 2003 R2, Service Pack 2, 32-bit guests, an
"unhandled vm exit" error could occur during reboot on some systems.
(BZ#552518)

* for Windows guests, QEMU could attempt to stop a stopped audio device,
resulting in a "snd_playback_stop: ASSERT playback_channel->base.active
failed" error. (BZ#552519)

* the Hypercall driver did not reset the device on power-down. (BZ#552528)

* mechanisms have been added to make older savevm versions to be emitted
in some cases. (BZ#552529)

* an error in the Makefile prevented users from using the source RPM to
install KVM. (BZ#552530)

* guests became unresponsive and could use up to 100% CPU when running
certain benchmark tests with more than 7 guests running simultaneously.
(BZ#553249)

* QEMU could terminate randomly with virtio-net and SMP enabled.
(BZ#561022)

NOTE - The following procedure must be performed before this update will
take effect:

1) Stop all KVM guest virtual machines.

2) Either reboot the hypervisor machine or, as the root user, remove
(using "modprobe -r [module]") and reload (using "modprobe [module]")
all of the following modules which are currently running (determined
using "lsmod"): kvm, ksm, kvm-intel or kvm-amd.

3) Restart the KVM guest virtual machines.

SL 5.x

 SRPMS:
kvm-83-105.el5_4.22.src.rpm
 x86_64:
kmod-kvm-83-105.el5_4.22.x86_64.rpm
kvm-83-105.el5_4.22.x86_64.rpm
kvm-qemu-img-83-105.el5_4.22.x86_64.rpm
kvm-tools-83-105.el5_4.22.x86_64.rpm

-Connie Sieh
-Troy Dawson