Linux Security

    Ubuntu 4372-1: QEMU vulnerabilities

    Several security issues were fixed in QEMU.
    ==========================================================================
    Ubuntu Security Notice USN-4372-1
    May 21, 2020
    
    qemu vulnerabilities
    ==========================================================================
    
    A security issue affects these releases of Ubuntu and its derivatives:
    
    - Ubuntu 20.04 LTS
    - Ubuntu 19.10
    - Ubuntu 18.04 LTS
    - Ubuntu 16.04 LTS
    
    Summary:
    
    Several security issues were fixed in QEMU.
    
    Software Description:
    - qemu: Machine emulator and virtualizer
    
    Details:
    
    It was discovered that QEMU incorrectly handled bochs-display devices. A
    local attacker in a guest could use this to cause a denial of service or
    possibly execute arbitrary code in the host. This issue only affected
    Ubuntu 19.10. (CVE-2019-15034)
    
    It was discovered that QEMU incorrectly handled memory during certain VNC
    operations. A remote attacker could possibly use this issue to cause QEMU
    to consume resources, resulting in a denial of service. This issue only
    affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 19.10.
    (CVE-2019-20382)
    
    It was discovered that QEMU incorrectly generated QEMU Pointer
    Authentication signatures on ARM. A local attacker could possibly use this
    issue to bypass PAuth. This issue only affected Ubuntu 19.10.
    (CVE-2020-10702)
    
    Ziming Zhang discovered that QEMU incorrectly handled ATI VGA emulation. A
    local attacker in a guest could use this issue to cause QEMU to crash,
    resulting in a denial of service. This issue only affected Ubuntu 20.04
    LTS. (CVE-2020-11869)
    
    Aviv Sasson discovered that QEMU incorrectly handled Slirp networking. A
    remote attacker could use this issue to cause QEMU to crash, resulting in a
    denial of service, or possibly execute arbitrary code. This issue only
    affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 19.10.
    (CVE-2020-1983)
    
    Update instructions:
    
    The problem can be corrected by updating your system to the following
    package versions:
    
    Ubuntu 20.04 LTS:
      qemu                            1:4.2-3ubuntu6.1
      qemu-system                     1:4.2-3ubuntu6.1
      qemu-system-arm                 1:4.2-3ubuntu6.1
      qemu-system-mips                1:4.2-3ubuntu6.1
      qemu-system-ppc                 1:4.2-3ubuntu6.1
      qemu-system-s390x               1:4.2-3ubuntu6.1
      qemu-system-sparc               1:4.2-3ubuntu6.1
      qemu-system-x86                 1:4.2-3ubuntu6.1
    
    Ubuntu 19.10:
      qemu                            1:4.0+dfsg-0ubuntu9.6
      qemu-system                     1:4.0+dfsg-0ubuntu9.6
      qemu-system-arm                 1:4.0+dfsg-0ubuntu9.6
      qemu-system-mips                1:4.0+dfsg-0ubuntu9.6
      qemu-system-ppc                 1:4.0+dfsg-0ubuntu9.6
      qemu-system-s390x               1:4.0+dfsg-0ubuntu9.6
      qemu-system-sparc               1:4.0+dfsg-0ubuntu9.6
      qemu-system-x86                 1:4.0+dfsg-0ubuntu9.6
    
    Ubuntu 18.04 LTS:
      qemu                            1:2.11+dfsg-1ubuntu7.26
      qemu-system                     1:2.11+dfsg-1ubuntu7.26
      qemu-system-arm                 1:2.11+dfsg-1ubuntu7.26
      qemu-system-mips                1:2.11+dfsg-1ubuntu7.26
      qemu-system-ppc                 1:2.11+dfsg-1ubuntu7.26
      qemu-system-s390x               1:2.11+dfsg-1ubuntu7.26
      qemu-system-sparc               1:2.11+dfsg-1ubuntu7.26
      qemu-system-x86                 1:2.11+dfsg-1ubuntu7.26
    
    Ubuntu 16.04 LTS:
      qemu                            1:2.5+dfsg-5ubuntu10.44
      qemu-system                     1:2.5+dfsg-5ubuntu10.44
      qemu-system-aarch64             1:2.5+dfsg-5ubuntu10.44
      qemu-system-arm                 1:2.5+dfsg-5ubuntu10.44
      qemu-system-mips                1:2.5+dfsg-5ubuntu10.44
      qemu-system-ppc                 1:2.5+dfsg-5ubuntu10.44
      qemu-system-s390x               1:2.5+dfsg-5ubuntu10.44
      qemu-system-sparc               1:2.5+dfsg-5ubuntu10.44
      qemu-system-x86                 1:2.5+dfsg-5ubuntu10.44
    
    After a standard system update you need to restart all QEMU virtual
    machines to make all the necessary changes.
    
    References:
      https://usn.ubuntu.com/4372-1
      CVE-2019-15034, CVE-2019-20382, CVE-2020-10702, CVE-2020-11869,
      CVE-2020-1983
    
    Package Information:
      https://launchpad.net/ubuntu/+source/qemu/1:4.2-3ubuntu6.1
      https://launchpad.net/ubuntu/+source/qemu/1:4.0+dfsg-0ubuntu9.6
      https://launchpad.net/ubuntu/+source/qemu/1:2.11+dfsg-1ubuntu7.26
      https://launchpad.net/ubuntu/+source/qemu/1:2.5+dfsg-5ubuntu10.44
    
    
