Home / mailingsPDF  

[USN-2439-1] QEMU vulnerabilities

Posted on 11 December 2014
Ubuntu Security

==========================
==========================
========================
Ubuntu Security Notice USN-2439-1
December 11, 2014

qemu, qemu-kvm vulnerabilities
==========================
==========================
========================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in QEMU.

Software Description:
- qemu: Machine emulator and virtualizer
- qemu-kvm: Machine emulator and virtualizer

Details:

Michael S. Tsirkin discovered that QEMU incorrectly handled certain
parameters during ram load while performing a migration. An attacker able=

to manipulate savevm data could use this issue to possibly execute
arbitrary code on the host. This issue only affected Ubuntu 12.04 LTS,
Ubuntu 14.04 LTS, and Ubuntu 14.10. (CVE-2014-7840)

Paolo Bonzini discovered that QEMU incorrectly handled memory in the Cirr=
us
VGA device. A malicious guest could possibly use this issue to write into=

memory of the host, leading to privilege escalation. (CVE-2014-8106)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.10:
qemu-system 2.1+dfsg-4ubuntu6.3
qemu-system-aarch64 2.1+dfsg-4ubuntu6.3
qemu-system-arm 2.1+dfsg-4ubuntu6.3
qemu-system-mips 2.1+dfsg-4ubuntu6.3
qemu-system-misc 2.1+dfsg-4ubuntu6.3
qemu-system-ppc 2.1+dfsg-4ubuntu6.3
qemu-system-sparc 2.1+dfsg-4ubuntu6.3
qemu-system-x86 2.1+dfsg-4ubuntu6.3

Ubuntu 14.04 LTS:
qemu-system 2.0.0+dfsg-2ubuntu1.9
qemu-system-aarch64 2.0.0+dfsg-2ubuntu1.9
qemu-system-arm 2.0.0+dfsg-2ubuntu1.9
qemu-system-mips 2.0.0+dfsg-2ubuntu1.9
qemu-system-misc 2.0.0+dfsg-2ubuntu1.9
qemu-system-ppc 2.0.0+dfsg-2ubuntu1.9
qemu-system-sparc 2.0.0+dfsg-2ubuntu1.9
qemu-system-x86 2.0.0+dfsg-2ubuntu1.9

Ubuntu 12.04 LTS:
qemu-kvm 1.0+noroms-0ubuntu14.21

Ubuntu 10.04 LTS:
qemu-kvm 0.12.3+noroms-0ubuntu9.26

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2439-1
CVE-2014-7840, CVE-2014-8106

Package Information:
https://launchpad.net/ubuntu/+source/qemu/2.1+dfsg-4ubuntu6.3
https://launchpad.net/ubuntu/+source/qemu/2.0.0+dfsg-2ubuntu1.9
https://launchpad.net/ubuntu/+source/qemu-kvm/1.0+noroms-0ubuntu14.21
https://launchpad.net/ubuntu/+source/qemu-kvm/0.12.3+noroms-0ubuntu9.26=

 

TOP

Mailings :

Exploits :