Home / mailings [USN-2608-1] QEMU vulnerabilities
Posted on 13 May 2015
Ubuntu Security==========================
==========================
========================
Ubuntu Security Notice USN-2608-1
May 13, 2015
qemu, qemu-kvm vulnerabilities
==========================
==========================
========================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in QEMU.
Software Description:
- qemu: Machine emulator and virtualizer
- qemu-kvm: Machine emulator and virtualizer
Details:
Jason Geffner discovered that QEMU incorrectly handled the virtual floppy=
driver. This issue is known as VENOM. A malicious guest could use this
issue to cause a denial of service, or possibly execute arbitrary code on=
the host as the user running the QEMU process. In the default installatio=
n,
when QEMU is used with libvirt, attackers would be isolated by the libvir=
t
AppArmor profile. (CVE-2015-3456)
Daniel P. Berrange discovered that QEMU incorrectly handled VNC websocket=
s.
A remote attacker could use this issue to cause QEMU to consume memory,
resulting in a denial of service. This issue only affected Ubuntu 14.04
LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-1779)
Jan Beulich discovered that QEMU, when used with Xen, didn't properly
restrict access to PCI command registers. A malicious guest could use thi=
s
issue to cause a denial of service. This issue only affected Ubuntu 14.04=
LTS and Ubuntu 14.10. (CVE-2015-2756)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.04:
qemu-system 1:2.2+dfsg-5expubuntu9.1
qemu-system-aarch64 1:2.2+dfsg-5expubuntu9.1
qemu-system-arm 1:2.2+dfsg-5expubuntu9.1
qemu-system-mips 1:2.2+dfsg-5expubuntu9.1
qemu-system-misc 1:2.2+dfsg-5expubuntu9.1
qemu-system-ppc 1:2.2+dfsg-5expubuntu9.1
qemu-system-sparc 1:2.2+dfsg-5expubuntu9.1
qemu-system-x86 1:2.2+dfsg-5expubuntu9.1
Ubuntu 14.10:
qemu-system 2.1+dfsg-4ubuntu6.6
qemu-system-aarch64 2.1+dfsg-4ubuntu6.6
qemu-system-arm 2.1+dfsg-4ubuntu6.6
qemu-system-mips 2.1+dfsg-4ubuntu6.6
qemu-system-misc 2.1+dfsg-4ubuntu6.6
qemu-system-ppc 2.1+dfsg-4ubuntu6.6
qemu-system-sparc 2.1+dfsg-4ubuntu6.6
qemu-system-x86 2.1+dfsg-4ubuntu6.6
Ubuntu 14.04 LTS:
qemu-system 2.0.0+dfsg-2ubuntu1.11
qemu-system-aarch64 2.0.0+dfsg-2ubuntu1.11
qemu-system-arm 2.0.0+dfsg-2ubuntu1.11
qemu-system-mips 2.0.0+dfsg-2ubuntu1.11
qemu-system-misc 2.0.0+dfsg-2ubuntu1.11
qemu-system-ppc 2.0.0+dfsg-2ubuntu1.11
qemu-system-sparc 2.0.0+dfsg-2ubuntu1.11
qemu-system-x86 2.0.0+dfsg-2ubuntu1.11
Ubuntu 12.04 LTS:
qemu-kvm 1.0+noroms-0ubuntu14.22
After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2608-1
CVE-2015-1779, CVE-2015-2756, CVE-2015-3456
Package Information:
https://launchpad.net/ubuntu/+source/qemu/1:2.2+dfsg-5expubuntu9.1
https://launchpad.net/ubuntu/+source/qemu/2.1+dfsg-4ubuntu6.6
https://launchpad.net/ubuntu/+source/qemu/2.0.0+dfsg-2ubuntu1.11
https://launchpad.net/ubuntu/+source/qemu-kvm/1.0+noroms-0ubuntu14.22
