==========================================================================
Ubuntu Security Notice USN-2182-1
April 28, 2014
qemu, qemu-kvm vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
– Ubuntu 14.04 LTS
– Ubuntu 13.10
– Ubuntu 12.10
– Ubuntu 12.04 LTS
– Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in QEMU.
Software Description:
– qemu: Machine emulator and virtualizer
– qemu-kvm: Machine emulator and virtualizer
Details:
Michael S. Tsirkin discovered that QEMU incorrectly handled vmxnet3
devices. A local guest could possibly use this issue to cause a denial of
service, or possibly execute arbitrary code on the host. This issue only
applied to Ubuntu 13.10 and Ubuntu 14.04 LTS. (CVE-2013-4544)
Michael S. Tsirkin discovered that QEMU incorrectly handled virtio-net
MAC addresses. A local guest could possibly use this issue to cause a
denial of service, or possibly execute arbitrary code on the host.
(CVE-2014-0150)
Benoît Canet discovered that QEMU incorrectly handled SMART self-tests. A
local guest could possibly use this issue to cause a denial of service, or
possibly execute arbitrary code on the host. (CVE-2014-2894)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
qemu-system 2.0.0~rc1+dfsg-0ubuntu3.1
qemu-system-aarch64 2.0.0~rc1+dfsg-0ubuntu3.1
qemu-system-arm 2.0.0~rc1+dfsg-0ubuntu3.1
qemu-system-mips 2.0.0~rc1+dfsg-0ubuntu3.1
qemu-system-misc 2.0.0~rc1+dfsg-0ubuntu3.1
qemu-system-ppc 2.0.0~rc1+dfsg-0ubuntu3.1
qemu-system-sparc 2.0.0~rc1+dfsg-0ubuntu3.1
qemu-system-x86 2.0.0~rc1+dfsg-0ubuntu3.1
Ubuntu 13.10:
qemu-system 1.5.0+dfsg-3ubuntu5.4
qemu-system-arm 1.5.0+dfsg-3ubuntu5.4
qemu-system-mips 1.5.0+dfsg-3ubuntu5.4
qemu-system-misc 1.5.0+dfsg-3ubuntu5.4
qemu-system-ppc 1.5.0+dfsg-3ubuntu5.4
qemu-system-sparc 1.5.0+dfsg-3ubuntu5.4
qemu-system-x86 1.5.0+dfsg-3ubuntu5.4
Ubuntu 12.10:
qemu-kvm 1.2.0+noroms-0ubuntu2.12.10.7
Ubuntu 12.04 LTS:
qemu-kvm 1.0+noroms-0ubuntu14.14
Ubuntu 10.04 LTS:
qemu-kvm 0.12.3+noroms-0ubuntu9.22
After a standard system update you need to reboot your computer to make all
the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2182-1
CVE-2013-4544, CVE-2014-0150, CVE-2014-2894
Package Information:
https://launchpad.net/ubuntu/+source/qemu/2.0.0~rc1+dfsg-0ubuntu3.1
https://launchpad.net/ubuntu/+source/qemu/1.5.0+dfsg-3ubuntu5.4
https://launchpad.net/ubuntu/+source/qemu-kvm/1.2.0+noroms-0ubuntu2.12.10.7
https://launchpad.net/ubuntu/+source/qemu-kvm/1.0+noroms-0ubuntu14.14
https://launchpad.net/ubuntu/+source/qemu-kvm/0.12.3+noroms-0ubuntu9.22
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird – http://www.enigmail.net/
iQIcBAEBCgAGBQJTXlgwAAoJEGVp2FWnRL6TOOsP/REWftIV7UEvT0lE36lCu4ON
3e5T7MkzwH3PYC1ZC3hZRIhBKfq90akvTLkbIwhkfjMa6oiOE2k49ppaHUM1ZVGe
s4t6ozDw+LkHffIEV+LtEcGOQH8DgGpxVaSl4a9hq4CZ9FWmBPY1hetAvzhyxLVu
/38B8HSM4Kphj/wUWQQ/epEO6kH7iDe8BryaOBAc+Pguk3bDzF9HDhPDaADRTtyC
sfsLsCqY9Th9/BHD1DNagOwJqWkJQJuw2VwLYq0o3TH8V229kj4NLaR9H9Y6zslu
TYPI8zuLq0ynyg2Ly3Ty8mVSkPbgeouUh9m3BJC78i09HNwFOKJ0hBpyzHCiNfpV
kgDzo1NEuE+owzDtHTsOhNBJuuWfLXrndvUHDHmWIAECBWAEC3JtZjsW0zXtLJ8l
sAJM2riASNF2I+Ed6XKjjYYvBmYzRJ5hRAFlXeMzsD/hAGDXrPcjndDJy2rB5x6I
Q39hICpN8v15jkuNrPqjq1TfFTkOQWFiXEZ9GZFPAUFlNbf7Exhm0rF6i+PECX7m
8R+PDecdurMCJcOHyHzNNBILQhJ56r45D1NgElMyyTFFkvWAsv+85UnjIDhwxmH6
U39YFL6tlmwoi0kOR9WLS4SeiSDwkusGZyL6aeh/5elNeUFy3xdqJeWP0b3Gw3qS
u9QLYYlpgBMzPiT9i4Y2
=CSZw
—–END PGP SIGNATURE—–
—