Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 569
Alerts This Week
Warning Icon 1 569

Ubuntu 17.04 USN-3289-1 Critical: QEMU DoS and Security Issues

ubuntu
Calendar Grey May 16, 2017
Dist Ubuntu Esm H88
A series of QEMU vulnerabilities addressed in Ubuntu Security Notice USN-3289-1, affecting several releases and requiring immediate patches.
Several security issues were fixed in QEMU.

Summary

Several security issues were fixed in QEMU.

Software Description:

- qemu: Machine emulator and virtualizer

Details:

Li Qiang discovered that QEMU incorrectly handled VirtFS directory sharing.

A privileged attacker inside the guest could use this issue to cause QEMU

to crash, resulting in a denial of service. (CVE-2017-7377, CVE-2017-8086)

Jiangxin discovered that QEMU incorrectly handled the Cirrus VGA device. A

privileged attacker inside the guest could use this issue to cause QEMU to

crash, resulting in a denial of service. (CVE-2017-7718)

Li Qiang and Jiangxin discovered that QEMU incorrectly handled the Cirrus

VGA device when being used with a VNC connection. A privileged attacker

inside the guest could use this issue to cause QEMU to crash, resulting in

a denial of service, or possibly execute arbitrary code on the host. In the

default installation, when QEMU is used with libvirt, attackers would be

isolated by the libvirt AppArmor profile. (CVE-2017-...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.04:
  qemu-system                     1:2.8+dfsg-3ubuntu2.2
  qemu-system-aarch64             1:2.8+dfsg-3ubuntu2.2
  qemu-system-arm                 1:2.8+dfsg-3ubuntu2.2
  qemu-system-mips                1:2.8+dfsg-3ubuntu2.2
  qemu-system-misc                1:2.8+dfsg-3ubuntu2.2
  qemu-system-ppc                 1:2.8+dfsg-3ubuntu2.2
  qemu-system-s390x               1:2.8+dfsg-3ubuntu2.2
  qemu-system-sparc               1:2.8+dfsg-3ubuntu2.2
  qemu-system-x86                 1:2.8+dfsg-3ubuntu2.2

Ubuntu 16.10:
  qemu-system                     1:2.6.1+dfsg-0ubuntu5.5
  qemu-system-aarch64             1:2.6.1+dfsg-0ubuntu5.5
  qemu-system-arm                 1:2.6.1+dfsg-0ubuntu5.5
  qemu-system-mips                1:2.6.1+dfsg-0ubuntu5.5
  qemu-system-misc                1:2.6.1+dfsg-0ubuntu5.5
  qemu-system-ppc                 1:2.6.1+dfsg-0ubuntu5.5
  qemu-system-s390x               1:2.6.1+dfsg-0ubuntu5.5
  qemu-system-sparc               1:2.6.1+dfsg-0ubuntu5.5
  qemu-system-x86                 1:2.6.1+dfsg-0ubuntu5.5

Ubuntu 16.04 LTS:
  qemu-system                     1:2.5+dfsg-5ubuntu10.14
  qemu-system-aarch64             1:2.5+dfsg-5ubuntu10.14
  qemu-system-arm                 1:2.5+dfsg-5ubuntu10.14
  qemu-system-mips                1:2.5+dfsg-5ubuntu10.14
  qemu-system-misc                1:2.5+dfsg-5ubuntu10.14
  qemu-system-ppc                 1:2.5+dfsg-5ubuntu10.14
  qemu-system-s390x               1:2.5+dfsg-5ubuntu10.14
  qemu-system-sparc               1:2.5+dfsg-5ubuntu10.14
  qemu-system-x86                 1:2.5+dfsg-5ubuntu10.14

Ubuntu 14.04 LTS:
  qemu-system                     2.0.0+dfsg-2ubuntu1.34
  qemu-system-aarch64             2.0.0+dfsg-2ubuntu1.34
  qemu-system-arm                 2.0.0+dfsg-2ubuntu1.34
  qemu-system-mips                2.0.0+dfsg-2ubuntu1.34
  qemu-system-misc                2.0.0+dfsg-2ubuntu1.34
  qemu-system-ppc                 2.0.0+dfsg-2ubuntu1.34
  qemu-system-sparc               2.0.0+dfsg-2ubuntu1.34
  qemu-system-x86                 2.0.0+dfsg-2ubuntu1.34

After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-3289-1

CVE-2017-7377, CVE-2017-7718, CVE-2017-7980, CVE-2017-8086,

CVE-2017-8309, CVE-2017-8379

Severity
critical
Lowest
Low
Medium
High
Critical

May 16, 2017

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.