Home / vulnerabilities Mandriva Linux Security Advisory 2015-061
Posted on 16 March 2015
Source : packetstormsecurity.org Link
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:061
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : qemu
Date : March 13, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated qemu packages fix multiple security vulnerabilities:
Sibiao Luo discovered that QEMU incorrectly handled device
hot-unplugging. A local user could possibly use this flaw to cause
a denial of service (CVE-2013-4377).
Michael S. Tsirkin discovered that QEMU incorrectly handled vmxnet3
devices. A local guest could possibly use this issue to cause a
denial of service, or possibly execute arbitrary code on the host
(CVE-2013-4544).
Multiple integer overflow, input validation, logic error, and buffer
overflow flaws were discovered in various QEMU block drivers. An
attacker able to modify a disk image file loaded by a guest could
use these flaws to crash the guest, or corrupt QEMU process memory
on the host, potentially resulting in arbitrary code execution on
the host with the privileges of the QEMU process (CVE-2014-0143,
CVE-2014-0144, CVE-2014-0145, CVE-2014-0147).
A buffer overflow flaw was found in the way the virtio_net_handle_mac()
function of QEMU processed guest requests to update the table of MAC
addresses. A privileged guest user could use this flaw to corrupt
QEMU process memory on the host, potentially resulting in arbitrary
code execution on the host with the privileges of the QEMU process
(CVE-2014-0150).
A divide-by-zero flaw was found in the seek_to_sector() function of
the parallels block driver in QEMU. An attacker able to modify a disk
image file loaded by a guest could use this flaw to crash the guest
(CVE-2014-0142).
A NULL pointer dereference flaw was found in the QCOW2 block driver
in QEMU. An attacker able to modify a disk image file loaded by a
guest could use this flaw to crash the guest (CVE-2014-0146).
It was found that the block driver for Hyper-V VHDX images did not
correctly calculate BAT (Block Allocation Table) entries due to
a missing bounds check. An attacker able to modify a disk image
file loaded by a guest could use this flaw to crash the guest
(CVE-2014-0148).
An out-of-bounds memory access flaw was found in the way QEMU's
IDE device driver handled the execution of SMART EXECUTE OFFLINE
commands. A privileged guest user could use this flaw to corrupt
QEMU process memory on the host, which could potentially result in
arbitrary code execution on the host with the privileges of the QEMU
process (CVE-2014-2894).
Two integer overflow flaws were found in the QEMU block driver for
QCOW version 1 disk images. A user able to alter the QEMU disk image
files loaded by a guest could use either of these flaws to corrupt
QEMU process memory on the host, which could potentially result in
arbitrary code execution on the host with the privileges of the QEMU
process (CVE-2014-0222, CVE-2014-0223).
Multiple buffer overflow, input validation, and out-of-bounds write
flaws were found in the way the virtio, virtio-net, virtio-scsi, and
usb drivers of QEMU handled state loading after migration. A user
able to alter the savevm data (either on the disk or over the wire
during migration) could use either of these flaws to corrupt QEMU
process memory on the (destination) host, which could potentially
result in arbitrary code execution on the host with the privileges
of the QEMU process (CVE-2013-4148, CVE-2013-4151, CVE-2013-4535,
CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399,
CVE-2014-0182, CVE-2014-3461).
An information leak flaw was found in the way QEMU's VGA emulator
accessed frame buffer memory for high resolution displays. A privileged
guest user could use this flaw to leak memory contents of the host to
the guest by setting the display to use a high resolution in the guest
(CVE-2014-3615).
When guest sends udp packet with source port and source addr 0,
uninitialized socket is picked up when looking for matching and already
created udp sockets, and later passed to sosendto() where NULL pointer
dereference is hit during so->slirp->vnetwork_mask.s_addr access Only
guests using qemu user networking are affected (CVE-2014-3640).
The Advanced Threat Research team at Intel Security reported that guest
provided parameter were insufficiently validated in rectangle functions
in the vmware-vga driver. A privileged guest user could use this flaw
to write into qemu address space on the host, potentially escalating
their privileges to those of the qemu host process (CVE-2014-3689).
It was discovered that QEMU incorrectly handled USB xHCI controller
live migration. An attacker could possibly use this issue to cause a
denial of service, or possibly execute arbitrary code (CVE-2014-5263).
James Spadaro of Cisco reported insufficiently sanitized bits_per_pixel
from the client in the QEMU VNC display driver. An attacker having
access to the guest's VNC console could use this flaw to crash the
guest (CVE-2014-7815).
During migration, the values read from migration stream during ram load
are not validated. Especially offset in host_from_stream_offset() and
also the length of the writes in the callers of the said function. A
user able to alter the savevm data (either on the disk or over the
wire during migration) could use either of these flaws to corrupt QEMU
process memory on the (destination) host, which could potentially
result in arbitrary code execution on the host with the privileges
of the QEMU process (CVE-2014-7840).
Paolo Bonzini of Red Hat discovered that the blit region checks were
insufficient in the Cirrus VGA emulator in qemu. A privileged guest
user could use this flaw to write into qemu address space on the host,
potentially escalating their privileges to those of the qemu host
process (CVE-2014-8106).
This update also provides usbredirparser 0.6 as a prerequisite of
qemu-1.6.2
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4148
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4149
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4150
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4151
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4377
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4526
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4527
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4529
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4530
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4531
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4533
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4534
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4535
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4536
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4537
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4538
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4539
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4540
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4541
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4542
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6399
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0142
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0143
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0144
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0145
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0146
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0148
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0150
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0222
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0223
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3461
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3615
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3640
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3689
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5263
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7815
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7840
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8106
http://advisories.mageia.org/MGASA-2014-0060.html
http://advisories.mageia.org/MGASA-2014-0426.html
http://advisories.mageia.org/MGASA-2014-0467.html
http://advisories.mageia.org/MGASA-2014-0525.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
bd909efb6ee2c38ba548023cb8b3df4a mbs2/x86_64/lib64usbredirhost1-0.6-1.mbs2.x86_64.rpm
660807d5dbd2fd5cbbbfdf55031fc708 mbs2/x86_64/lib64usbredirhost-devel-0.6-1.mbs2.x86_64.rpm
a91c61330cd4e35533692de2ce71396e mbs2/x86_64/lib64usbredirparser1-0.6-1.mbs2.x86_64.rpm
ede2c59f4a78c5179312955b533c3808 mbs2/x86_64/lib64usbredirparser-devel-0.6-1.mbs2.x86_64.rpm
2e20f7909b92864f2fa66f3c74d4adba mbs2/x86_64/qemu-1.6.2-1.mbs2.x86_64.rpm
5e3fbb6892acf6ef3258eb385eeb68aa mbs2/x86_64/qemu-img-1.6.2-1.mbs2.x86_64.rpm
3e8a2c587ad5a99b7f3e9032385bacb9 mbs2/x86_64/usbredir-0.6-1.mbs2.x86_64.rpm
7f6c636029ae5cbe78b512e9c47e560a mbs2/x86_64/usbredir-devel-0.6-1.mbs2.x86_64.rpm
140c5089bcd9d59988548e25b7d014db mbs2/SRPMS/qemu-1.6.2-1.mbs2.src.rpm
44e21507283f0e9fb418d05cd6ebd7bb mbs2/SRPMS/usbredir-0.6-1.mbs2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFVAwkUmqjQ0CJFipgRApCCAJ48nICW3ajMyIYMt/qFF/GtWvpxJACgip4E
MOyF0/4/AefNCgCyoAW77Tk=
=kJao
-----END PGP SIGNATURE-----