Alerts This Week
Warning Icon 1 640
Alerts This Week
Warning Icon 1 640

Ubuntu 19.10: USN-4191-1 Critical: QEMU Denial Of Service Issues

ubuntu
Calendar Grey November 13, 2019
Dist Ubuntu Esm H88
Significant vulnerabilities in QEMU addressed in Ubuntu USN-4191-1. Protect your devices immediately!
Several security issues were fixed in QEMU.

Summary

Several security issues were fixed in QEMU.

Software Description:

- qemu: Machine emulator and virtualizer

Details:

It was discovered that the LSI SCSI adapter emulator implementation in QEMU

did not properly validate executed scripts. A local attacker could use this

to cause a denial of service. (CVE-2019-12068)

Sergej Schumilo, Cornelius Aschermann and Simon Wörner discovered that the

qxl paravirtual graphics driver implementation in QEMU contained a null

pointer dereference. A local attacker in a guest could use this to cause a

denial of service. (CVE-2019-12155)

Riccardo Schirone discovered that the QEMU bridge helper did not properly

validate network interface names. A local attacker could possibly use this

to bypass ACL restrictions. (CVE-2019-13164)

It was discovered that a heap-based buffer overflow existed in the SLiRP

networking implementation of QEMU. A local attacker in a guest could use

this to cause a denial of service or possibly execute...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.10:
  qemu                            1:4.0+dfsg-0ubuntu9.1
  qemu-kvm                        1:4.0+dfsg-0ubuntu9.1
  qemu-system-common              1:4.0+dfsg-0ubuntu9.1
  qemu-system-gui                 1:4.0+dfsg-0ubuntu9.1
  qemu-system-x86                 1:4.0+dfsg-0ubuntu9.1
  qemu-user-static                1:4.0+dfsg-0ubuntu9.1
  qemu-utils                      1:4.0+dfsg-0ubuntu9.1

Ubuntu 19.04:
  qemu                            1:3.1+dfsg-2ubuntu3.6
  qemu-kvm                        1:3.1+dfsg-2ubuntu3.6
  qemu-system-common              1:3.1+dfsg-2ubuntu3.6
  qemu-system-gui                 1:3.1+dfsg-2ubuntu3.6
  qemu-system-x86                 1:3.1+dfsg-2ubuntu3.6
  qemu-user-static                1:3.1+dfsg-2ubuntu3.6
  qemu-utils                      1:3.1+dfsg-2ubuntu3.6

Ubuntu 18.04 LTS:
  qemu                            1:2.11+dfsg-1ubuntu7.20
  qemu-kvm                        1:2.11+dfsg-1ubuntu7.20
  qemu-system-common              1:2.11+dfsg-1ubuntu7.20
  qemu-system-x86                 1:2.11+dfsg-1ubuntu7.20
  qemu-user-static                1:2.11+dfsg-1ubuntu7.20
  qemu-utils                      1:2.11+dfsg-1ubuntu7.20

Ubuntu 16.04 LTS:
  qemu                            1:2.5+dfsg-5ubuntu10.42
  qemu-kvm                        1:2.5+dfsg-5ubuntu10.42
  qemu-system-common              1:2.5+dfsg-5ubuntu10.42
  qemu-system-x86                 1:2.5+dfsg-5ubuntu10.42
  qemu-user-static                1:2.5+dfsg-5ubuntu10.42
  qemu-utils                      1:2.5+dfsg-5ubuntu10.42

After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-4191-1

CVE-2019-12068, CVE-2019-12155, CVE-2019-13164, CVE-2019-14378,

CVE-2019-15890

Severity
critical
Lowest
Low
Medium
High
Critical

November 14, 2019

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here