Alerts This Week
Warning Icon 1 483
Alerts This Week
Warning Icon 1 483

Ubuntu 18.10: USN-3923-1 Critical: QEMU DoS, Code Exec Issues

ubuntu
Calendar Grey March 27, 2019
Dist Ubuntu Esm H88
Several vulnerabilities in QEMU affect a range of Ubuntu releases. It is essential to update your systems promptly to reduce potential threats.
Several security issues were fixed in QEMU.

Summary

Several security issues were fixed in QEMU.

Software Description:

- qemu: Machine emulator and virtualizer

Details:

Michael Hanselmann discovered that QEMU incorrectly handled the Media

Transfer Protocol (MTP). An attacker inside the guest could use this issue

to read or write arbitrary files and cause a denial of service, or possibly

execute arbitrary code. This issue only affected Ubuntu 18.10.

(CVE-2018-16867)

Michael Hanselmann discovered that QEMU incorrectly handled the Media

Transfer Protocol (MTP). An attacker inside the guest could use this issue

to read arbitrary files, contrary to expectations. This issue only affected

Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-16872)

Zhibin Hu discovered that QEMU incorrectly handled the Plan 9 File System

support. An attacker inside the guest could use this issue to cause QEMU to

crash, resulting in a denial of service. (CVE-2018-19489)

Li Quang and Saar Amar discovered multiple issues in the QEMU PVRDMA

...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
  qemu-system                     1:2.12+dfsg-3ubuntu8.6
  qemu-system-arm                 1:2.12+dfsg-3ubuntu8.6
  qemu-system-data                1:2.12+dfsg-3ubuntu8.6
  qemu-system-gui                 1:2.12+dfsg-3ubuntu8.6
  qemu-system-mips                1:2.12+dfsg-3ubuntu8.6
  qemu-system-misc                1:2.12+dfsg-3ubuntu8.6
  qemu-system-ppc                 1:2.12+dfsg-3ubuntu8.6
  qemu-system-s390x               1:2.12+dfsg-3ubuntu8.6
  qemu-system-sparc               1:2.12+dfsg-3ubuntu8.6
  qemu-system-x86                 1:2.12+dfsg-3ubuntu8.6

Ubuntu 18.04 LTS:
  qemu-system                     1:2.11+dfsg-1ubuntu7.12
  qemu-system-arm                 1:2.11+dfsg-1ubuntu7.12
  qemu-system-mips                1:2.11+dfsg-1ubuntu7.12
  qemu-system-misc                1:2.11+dfsg-1ubuntu7.12
  qemu-system-ppc                 1:2.11+dfsg-1ubuntu7.12
  qemu-system-s390x               1:2.11+dfsg-1ubuntu7.12
  qemu-system-sparc               1:2.11+dfsg-1ubuntu7.12
  qemu-system-x86                 1:2.11+dfsg-1ubuntu7.12

Ubuntu 16.04 LTS:
  qemu-system                     1:2.5+dfsg-5ubuntu10.36
  qemu-system-aarch64             1:2.5+dfsg-5ubuntu10.36
  qemu-system-arm                 1:2.5+dfsg-5ubuntu10.36
  qemu-system-mips                1:2.5+dfsg-5ubuntu10.36
  qemu-system-misc                1:2.5+dfsg-5ubuntu10.36
  qemu-system-ppc                 1:2.5+dfsg-5ubuntu10.36
  qemu-system-s390x               1:2.5+dfsg-5ubuntu10.36
  qemu-system-sparc               1:2.5+dfsg-5ubuntu10.36
  qemu-system-x86                 1:2.5+dfsg-5ubuntu10.36

Ubuntu 14.04 LTS:
  qemu-system                     2.0.0+dfsg-2ubuntu1.45
  qemu-system-aarch64             2.0.0+dfsg-2ubuntu1.45
  qemu-system-arm                 2.0.0+dfsg-2ubuntu1.45
  qemu-system-mips                2.0.0+dfsg-2ubuntu1.45
  qemu-system-misc                2.0.0+dfsg-2ubuntu1.45
  qemu-system-ppc                 2.0.0+dfsg-2ubuntu1.45
  qemu-system-sparc               2.0.0+dfsg-2ubuntu1.45
  qemu-system-x86                 2.0.0+dfsg-2ubuntu1.45

After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-3923-1

CVE-2018-16867, CVE-2018-16872, CVE-2018-19489, CVE-2018-20123,

CVE-2018-20124, CVE-2018-20125, CVE-2018-20126, CVE-2018-20191,

CVE-2018-20216, CVE-2019-3812, CVE-2019-6778

Severity
critical
Lowest
Low
Medium
High
Critical

March 27, 2019

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here