Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 433
Alerts This Week
Warning Icon 1 433

Ubuntu 17.04 USN-3268-1 Critical: QEMU Service Interruption Vulnerabilities

ubuntu
Calendar Grey April 25, 2017
Dist Ubuntu Esm H88
Multiple vulnerabilities in QEMU resolved. Prompt upgrade is crucial for Ubuntu users to ensure system protection.
Several security issues were fixed in QEMU.

Summary

Several security issues were fixed in QEMU.

Software Description:

- qemu: Machine emulator and virtualizer

Details:

Zhenhao Hong discovered that QEMU incorrectly handled the Virtio GPU

device. An attacker inside the guest could use this issue to cause QEMU to

crash, resulting in a denial of service. (CVE-2016-10028)

It was discovered that QEMU incorrectly handled the JAZZ RC4030 device. A

privileged attacker inside the guest could use this issue to cause QEMU to

crash, resulting in a denial of service. (CVE-2016-8667)

Jann Horn discovered that QEMU incorrectly handled VirtFS directory

sharing. A privileged attacker inside the guest could use this issue to

access files on the host file system outside of the shared directory and

possibly escalate their privileges. In the default installation, when QEMU

is used with libvirt, attackers would be isolated by the libvirt AppArmor

profile. (CVE-2016-9602)

Gerd Hoffmann discovered that QEMU incorrectly handled t...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.04:
  qemu-system                     1:2.8+dfsg-3ubuntu2.1
  qemu-system-aarch64             1:2.8+dfsg-3ubuntu2.1
  qemu-system-arm                 1:2.8+dfsg-3ubuntu2.1
  qemu-system-mips                1:2.8+dfsg-3ubuntu2.1
  qemu-system-misc                1:2.8+dfsg-3ubuntu2.1
  qemu-system-ppc                 1:2.8+dfsg-3ubuntu2.1
  qemu-system-s390x               1:2.8+dfsg-3ubuntu2.1
  qemu-system-sparc               1:2.8+dfsg-3ubuntu2.1
  qemu-system-x86                 1:2.8+dfsg-3ubuntu2.1

After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-3268-1

CVE-2016-10028, CVE-2016-8667, CVE-2016-9602, CVE-2016-9603,

CVE-2016-9908, CVE-2016-9912, CVE-2016-9914, CVE-2017-5552,

CVE-2017-5578, CVE-2017-5987, CVE-2017-6505

Severity
critical
Lowest
Low
Medium
High
Critical

April 25, 2017

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.