SUSE Security Update: Security update for qemu
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2589-1
Rating:             important
References:         #1000048 #967012 #967013 #982017 #982018 
                    #982019 #982222 #982223 #982285 #982959 #983961 
                    #983982 #991080 #991466 #994760 #994771 #994774 
                    #996441 #997858 #997859 
Cross-References:   CVE-2016-2391 CVE-2016-2392 CVE-2016-4453
                    CVE-2016-4454 CVE-2016-5105 CVE-2016-5106
                    CVE-2016-5107 CVE-2016-5126 CVE-2016-5238
                    CVE-2016-5337 CVE-2016-5338 CVE-2016-5403
                    CVE-2016-6490 CVE-2016-6833 CVE-2016-6836
                    CVE-2016-6888 CVE-2016-7116 CVE-2016-7155
                    CVE-2016-7156
Affected Products:
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that solves 19 vulnerabilities and has one errata
   is now available.

Description:

   qemu was updated to fix 19 security issues.

   These security issues were fixed:
   - CVE-2016-2392: The is_rndis function in the USB Net device emulator
     (hw/usb/dev-network.c) in QEMU did not properly validate USB
     configuration descriptor objects, which allowed local guest OS
     administrators to cause a denial of service (NULL pointer dereference
     and QEMU process crash) via vectors involving a remote NDIS control
     message packet (bsc#967012)
   - CVE-2016-2391: The ohci_bus_start function in the USB OHCI emulation
     support (hw/usb/hcd-ohci.c) in QEMU allowed local guest OS
     administrators to cause a denial of service (NULL pointer dereference
     and QEMU process crash) via vectors related to multiple eof_timers
     (bsc#967013)
   - CVE-2016-5106: The megasas_dcmd_set_properties function in
     hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus
     Adapter emulation support, allowed local guest administrators to cause a
     denial of service (out-of-bounds write access) via vectors involving a
     MegaRAID Firmware Interface (MFI) command (bsc#982018)
   - CVE-2016-5105: The megasas_dcmd_cfg_read function in hw/scsi/megasas.c
     in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation
     support, used an uninitialized variable, which allowed local guest
     administrators to read host memory via vectors involving a MegaRAID
     Firmware Interface (MFI) command (bsc#982017)
   - CVE-2016-5107: The megasas_lookup_frame function in QEMU, when built
     with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allowed
     local guest OS administrators to cause a denial of service
     (out-of-bounds read and crash) via unspecified vectors (bsc#982019)
   - CVE-2016-5126: Heap-based buffer overflow in the iscsi_aio_ioctl
     function in block/iscsi.c in QEMU allowed local guest OS users to cause
     a denial of service (QEMU process crash) or possibly execute arbitrary
     code via a crafted iSCSI asynchronous I/O ioctl call (bsc#982285)
   - CVE-2016-4454: The vmsvga_fifo_read_raw function in
     hw/display/vmware_vga.c in QEMU allowed local guest OS administrators to
     obtain sensitive host memory information or cause a denial of service
     (QEMU process crash) by changing FIFO registers and issuing a VGA
     command, which triggers an out-of-bounds read (bsc#982222)
   - CVE-2016-4453: The vmsvga_fifo_run function in hw/display/vmware_vga.c
     in QEMU allowed local guest OS administrators to cause a denial of
     service (infinite loop and QEMU process crash) via a VGA command
     (bsc#982223)
   - CVE-2016-5338: The (1) esp_reg_read and (2) esp_reg_write functions in
     hw/scsi/esp.c in QEMU allowed local guest OS administrators to cause a
     denial of service (QEMU process crash) or execute arbitrary code on the
     QEMU host via vectors related to the information transfer buffer
     (bsc#983982)
   - CVE-2016-5337: The megasas_ctrl_get_info function in hw/scsi/megasas.c
     in QEMU allowed local guest OS administrators to obtain sensitive host
     memory information via vectors related to reading device control
     information (bsc#983961)
   - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c in QEMU allowed
     local guest OS administrators to cause a denial of service
     (out-of-bounds write and QEMU process crash) via vectors related to
     reading from the information transfer buffer in non-DMA mode (bsc#982959)
   - CVE-2016-5403: The virtqueue_pop function in hw/virtio/virtio.c in QEMU
     allowed local guest OS administrators to cause a denial of service
     (memory consumption and QEMU process crash) by submitting requests
     without waiting for completion (bsc#991080)
   - CVE-2016-6490: Infinite loop in the virtio framework. A privileged user
     inside the guest could have used this flaw to crash the Qemu instance on
     the host resulting in DoS (bsc#991466)
   - CVE-2016-6888: Integer overflow in packet initialisation in VMXNET3
     device driver. A privileged user inside guest could have used this flaw
     to crash the Qemu instance resulting in DoS (bsc#994771)
   - CVE-2016-6833: Use-after-free issue in the VMWARE VMXNET3 NIC device
     support. A privileged user inside guest could have used this issue to
     crash the Qemu instance resulting in DoS (bsc#994774)
   - CVE-2016-7116: Host directory sharing via Plan 9 File System (9pfs) was
     vulnerable to a directory/path traversal issue. A privileged user inside
     guest could have used this flaw to access undue files on the host
     (bsc#996441)
   - CVE-2016-6836: VMWARE VMXNET3 NIC device support was leaking
     information. A privileged user inside guest could have used this to leak
     host memory bytes to a guest (bsc#994760)
   - CVE-2016-7155: In the VMWARE PVSCSI paravirtual SCSI bus an OOB access
     and/or infinite loop issue could have allowed a privileged user inside
     guest to crash the Qemu process resulting in DoS (bsc#997858)
   - CVE-2016-7156: In the VMWARE PVSCSI paravirtual SCSI bus an infinite loop
     issue could have allowed a privileged user inside guest to crash the
     Qemu process resulting in DoS (bsc#997859)

   This non-security issue was fixed:
   - bsc#1000048: Fix migration failure where target host is a soon to be
     released SLES 12 SP2. Qemu's spice code gets an assertion.


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1523=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1523=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      qemu-2.3.1-21.1
      qemu-block-curl-2.3.1-21.1
      qemu-block-curl-debuginfo-2.3.1-21.1
      qemu-debugsource-2.3.1-21.1
      qemu-guest-agent-2.3.1-21.1
      qemu-guest-agent-debuginfo-2.3.1-21.1
      qemu-lang-2.3.1-21.1
      qemu-tools-2.3.1-21.1
      qemu-tools-debuginfo-2.3.1-21.1

   - SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):

      qemu-kvm-2.3.1-21.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le):

      qemu-ppc-2.3.1-21.1
      qemu-ppc-debuginfo-2.3.1-21.1

   - SUSE Linux Enterprise Server 12-SP1 (noarch):

      qemu-ipxe-1.0.0-21.1
      qemu-seabios-1.8.1-21.1
      qemu-sgabios-8-21.1
      qemu-vgabios-1.8.1-21.1

   - SUSE Linux Enterprise Server 12-SP1 (x86_64):

      qemu-block-rbd-2.3.1-21.1
      qemu-block-rbd-debuginfo-2.3.1-21.1
      qemu-x86-2.3.1-21.1

   - SUSE Linux Enterprise Server 12-SP1 (s390x):

      qemu-s390-2.3.1-21.1
      qemu-s390-debuginfo-2.3.1-21.1

   - SUSE Linux Enterprise Desktop 12-SP1 (noarch):

      qemu-ipxe-1.0.0-21.1
      qemu-seabios-1.8.1-21.1
      qemu-sgabios-8-21.1
      qemu-vgabios-1.8.1-21.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      qemu-2.3.1-21.1
      qemu-block-curl-2.3.1-21.1
      qemu-block-curl-debuginfo-2.3.1-21.1
      qemu-debugsource-2.3.1-21.1
      qemu-kvm-2.3.1-21.1
      qemu-tools-2.3.1-21.1
      qemu-tools-debuginfo-2.3.1-21.1
      qemu-x86-2.3.1-21.1
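
An added example, not part of the SUSE advisory: a post-patch check that compares a host's installed qemu packages against the fixed versions in the Package List above. It assumes the inventory was collected with `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'qemu*'`; the function names, the simplified rpm version comparison (no epoch, tilde or caret handling) and the sample inventory are constructed for illustration.

```python
import re

# Fixed version-release per package, copied from the advisory's Package List
# (debuginfo/debugsource packages left out for brevity).
FIXED = {
    "qemu": "2.3.1-21.1", "qemu-block-curl": "2.3.1-21.1",
    "qemu-block-rbd": "2.3.1-21.1", "qemu-guest-agent": "2.3.1-21.1",
    "qemu-kvm": "2.3.1-21.1", "qemu-lang": "2.3.1-21.1",
    "qemu-tools": "2.3.1-21.1", "qemu-x86": "2.3.1-21.1",
    "qemu-ppc": "2.3.1-21.1", "qemu-s390": "2.3.1-21.1",
    "qemu-ipxe": "1.0.0-21.1", "qemu-seabios": "1.8.1-21.1",
    "qemu-sgabios": "8-21.1", "qemu-vgabios": "1.8.1-21.1",
}

def rpm_cmp(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1 (assumption: no epoch/~/^)."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)   # separators are ignored
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)             # numeric, so 9 < 21
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a number beats a letter run
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare two 'version-release' strings, version first."""
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return rpm_cmp(va, vb) or rpm_cmp(ra, rb)

def audit(inventory):
    """Return (name, installed, fixed) for packages older than the fix."""
    stale = []
    for line in inventory.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] not in FIXED or "-" not in parts[1]:
            continue                          # not a package from this advisory
        name, have = parts
        if evr_cmp(have, FIXED[name]) < 0:
            stale.append((name, have, FIXED[name]))
    return stale

# Constructed sample inventory; the pre-update versions are made up.
SAMPLE = """\
qemu 2.3.1-19.3
qemu-kvm 2.3.1-21.1
qemu-seabios 1.8.1-9.2
qemu-sgabios 8-21.1
qemu-tools 2.3.1-21.10
bash 4.2-75.2
"""

if __name__ == "__main__":
    for name, have, want in audit(SAMPLE):
        print(f"NOT PATCHED: {name} {have} (fixed in {want})")
```

A plain string comparison would rank release `9.2` above `21.1` and miss the stale `qemu-seabios`, which is why the segments are compared numerically.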


References:

   https://www.suse.com/security/cve/CVE-2016-2391.html
   https://www.suse.com/security/cve/CVE-2016-2392.html
   https://www.suse.com/security/cve/CVE-2016-4453.html
   https://www.suse.com/security/cve/CVE-2016-4454.html
   https://www.suse.com/security/cve/CVE-2016-5105.html
   https://www.suse.com/security/cve/CVE-2016-5106.html
   https://www.suse.com/security/cve/CVE-2016-5107.html
   https://www.suse.com/security/cve/CVE-2016-5126.html
   https://www.suse.com/security/cve/CVE-2016-5238.html
   https://www.suse.com/security/cve/CVE-2016-5337.html
   https://www.suse.com/security/cve/CVE-2016-5338.html
   https://www.suse.com/security/cve/CVE-2016-5403.html
   https://www.suse.com/security/cve/CVE-2016-6490.html
   https://www.suse.com/security/cve/CVE-2016-6833.html
   https://www.suse.com/security/cve/CVE-2016-6836.html
   https://www.suse.com/security/cve/CVE-2016-6888.html
   https://www.suse.com/security/cve/CVE-2016-7116.html
   https://www.suse.com/security/cve/CVE-2016-7155.html
   https://www.suse.com/security/cve/CVE-2016-7156.html
   https://bugzilla.suse.com/1000048
   https://bugzilla.suse.com/967012
   https://bugzilla.suse.com/967013
   https://bugzilla.suse.com/982017
   https://bugzilla.suse.com/982018
   https://bugzilla.suse.com/982019
   https://bugzilla.suse.com/982222
   https://bugzilla.suse.com/982223
   https://bugzilla.suse.com/982285
   https://bugzilla.suse.com/982959
   https://bugzilla.suse.com/983961
   https://bugzilla.suse.com/983982
   https://bugzilla.suse.com/991080
   https://bugzilla.suse.com/991466
   https://bugzilla.suse.com/994760
   https://bugzilla.suse.com/994771
   https://bugzilla.suse.com/994774
   https://bugzilla.suse.com/996441
   https://bugzilla.suse.com/997858
   https://bugzilla.suse.com/997859

SuSE: 2016:2589-1: important: qemu

October 21, 2016