Home / mailings [USN-3289-1] QEMU vulnerabilities
Posted on 16 May 2017
Ubuntu Security==========================
==========================
========================
Ubuntu Security Notice USN-3289-1
May 16, 2017
qemu vulnerabilities
==========================
==========================
========================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.04
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in QEMU.
Software Description:
- qemu: Machine emulator and virtualizer
Details:
Li Qiang discovered that QEMU incorrectly handled VirtFS directory sharin=
g.
A privileged attacker inside the guest could use this issue to cause QEMU=
to crash, resulting in a denial of service. (CVE-2017-7377, CVE-2017-8086=
)
Jiangxin discovered that QEMU incorrectly handled the Cirrus VGA device. =
A
privileged attacker inside the guest could use this issue to cause QEMU t=
o
crash, resulting in a denial of service. (CVE-2017-7718)
Li Qiang and Jiangxin discovered that QEMU incorrectly handled the Cirrus=
VGA device when being used with a VNC connection. A privileged attacker
inside the guest could use this issue to cause QEMU to crash, resulting i=
n
a denial of service, or possibly execute arbitrary code on the host. In t=
he
default installation, when QEMU is used with libvirt, attackers would be
isolated by the libvirt AppArmor profile. (CVE-2017-7980)
Jiang Xin discovered that QEMU incorrectly handled the audio subsystem. A=
privileged attacker inside the guest could use this issue to cause QEMU t=
o
crash, resulting in a denial of service. (CVE-2017-8309)
Jiang Xin discovered that QEMU incorrectly handled the input subsystem. A=
privileged attacker inside the guest could use this issue to cause QEMU t=
o
crash, resulting in a denial of service. This issue only affected Ubuntu
16.04 LTS, Ubuntu 16.10 and Ubuntu 17.04. (CVE-2017-8379)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.04:
qemu-system 1:2.8+dfsg-3ubuntu2.2
qemu-system-aarch64 1:2.8+dfsg-3ubuntu2.2
qemu-system-arm 1:2.8+dfsg-3ubuntu2.2
qemu-system-mips 1:2.8+dfsg-3ubuntu2.2
qemu-system-misc 1:2.8+dfsg-3ubuntu2.2
qemu-system-ppc 1:2.8+dfsg-3ubuntu2.2
qemu-system-s390x 1:2.8+dfsg-3ubuntu2.2
qemu-system-sparc 1:2.8+dfsg-3ubuntu2.2
qemu-system-x86 1:2.8+dfsg-3ubuntu2.2
Ubuntu 16.10:
qemu-system 1:2.6.1+dfsg-0ubuntu5.5
qemu-system-aarch64 1:2.6.1+dfsg-0ubuntu5.5
qemu-system-arm 1:2.6.1+dfsg-0ubuntu5.5
qemu-system-mips 1:2.6.1+dfsg-0ubuntu5.5
qemu-system-misc 1:2.6.1+dfsg-0ubuntu5.5
qemu-system-ppc 1:2.6.1+dfsg-0ubuntu5.5
qemu-system-s390x 1:2.6.1+dfsg-0ubuntu5.5
qemu-system-sparc 1:2.6.1+dfsg-0ubuntu5.5
qemu-system-x86 1:2.6.1+dfsg-0ubuntu5.5
Ubuntu 16.04 LTS:
qemu-system 1:2.5+dfsg-5ubuntu10.14
qemu-system-aarch64 1:2.5+dfsg-5ubuntu10.14
qemu-system-arm 1:2.5+dfsg-5ubuntu10.14
qemu-system-mips 1:2.5+dfsg-5ubuntu10.14
qemu-system-misc 1:2.5+dfsg-5ubuntu10.14
qemu-system-ppc 1:2.5+dfsg-5ubuntu10.14
qemu-system-s390x 1:2.5+dfsg-5ubuntu10.14
qemu-system-sparc 1:2.5+dfsg-5ubuntu10.14
qemu-system-x86 1:2.5+dfsg-5ubuntu10.14
Ubuntu 14.04 LTS:
qemu-system 2.0.0+dfsg-2ubuntu1.34
qemu-system-aarch64 2.0.0+dfsg-2ubuntu1.34
qemu-system-arm 2.0.0+dfsg-2ubuntu1.34
qemu-system-mips 2.0.0+dfsg-2ubuntu1.34
qemu-system-misc 2.0.0+dfsg-2ubuntu1.34
qemu-system-ppc 2.0.0+dfsg-2ubuntu1.34
qemu-system-sparc 2.0.0+dfsg-2ubuntu1.34
qemu-system-x86 2.0.0+dfsg-2ubuntu1.34
After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-3289-1
CVE-2017-7377, CVE-2017-7718, CVE-2017-7980, CVE-2017-8086,
CVE-2017-8309, CVE-2017-8379
Package Information:
https://launchpad.net/ubuntu/+source/qemu/1:2.8+dfsg-3ubuntu2.2
https://launchpad.net/ubuntu/+source/qemu/1:2.6.1+dfsg-0ubuntu5.5
https://launchpad.net/ubuntu/+source/qemu/1:2.5+dfsg-5ubuntu10.14
https://launchpad.net/ubuntu/+source/qemu/2.0.0+dfsg-2ubuntu1.34
--ubFKhm45l1pNiWCrxPnMoAAicQMgFCmVm--
