You are here
Home > Preporuke > Sigurnosni nedostaci programskih paketa qemu i qemu-kvm

Sigurnosni nedostaci programskih paketa qemu i qemu-kvm

==========================================================================
Ubuntu Security Notice USN-2608-1
May 13, 2015

qemu, qemu-kvm vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 15.04
– Ubuntu 14.10
– Ubuntu 14.04 LTS
– Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in QEMU.

Software Description:
– qemu: Machine emulator and virtualizer
– qemu-kvm: Machine emulator and virtualizer

Details:

Jason Geffner discovered that QEMU incorrectly handled the virtual floppy
driver. This issue is known as VENOM. A malicious guest could use this
issue to cause a denial of service, or possibly execute arbitrary code on
the host as the user running the QEMU process. In the default installation,
when QEMU is used with libvirt, attackers would be isolated by the libvirt
AppArmor profile. (CVE-2015-3456)

Daniel P. Berrange discovered that QEMU incorrectly handled VNC websockets.
A remote attacker could use this issue to cause QEMU to consume memory,
resulting in a denial of service. This issue only affected Ubuntu 14.04
LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-1779)

Jan Beulich discovered that QEMU, when used with Xen, didn’t properly
restrict access to PCI command registers. A malicious guest could use this
issue to cause a denial of service. This issue only affected Ubuntu 14.04
LTS and Ubuntu 14.10. (CVE-2015-2756)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 15.04:
qemu-system 1:2.2+dfsg-5expubuntu9.1
qemu-system-aarch64 1:2.2+dfsg-5expubuntu9.1
qemu-system-arm 1:2.2+dfsg-5expubuntu9.1
qemu-system-mips 1:2.2+dfsg-5expubuntu9.1
qemu-system-misc 1:2.2+dfsg-5expubuntu9.1
qemu-system-ppc 1:2.2+dfsg-5expubuntu9.1
qemu-system-sparc 1:2.2+dfsg-5expubuntu9.1
qemu-system-x86 1:2.2+dfsg-5expubuntu9.1

Ubuntu 14.10:
qemu-system 2.1+dfsg-4ubuntu6.6
qemu-system-aarch64 2.1+dfsg-4ubuntu6.6
qemu-system-arm 2.1+dfsg-4ubuntu6.6
qemu-system-mips 2.1+dfsg-4ubuntu6.6
qemu-system-misc 2.1+dfsg-4ubuntu6.6
qemu-system-ppc 2.1+dfsg-4ubuntu6.6
qemu-system-sparc 2.1+dfsg-4ubuntu6.6
qemu-system-x86 2.1+dfsg-4ubuntu6.6

Ubuntu 14.04 LTS:
qemu-system 2.0.0+dfsg-2ubuntu1.11
qemu-system-aarch64 2.0.0+dfsg-2ubuntu1.11
qemu-system-arm 2.0.0+dfsg-2ubuntu1.11
qemu-system-mips 2.0.0+dfsg-2ubuntu1.11
qemu-system-misc 2.0.0+dfsg-2ubuntu1.11
qemu-system-ppc 2.0.0+dfsg-2ubuntu1.11
qemu-system-sparc 2.0.0+dfsg-2ubuntu1.11
qemu-system-x86 2.0.0+dfsg-2ubuntu1.11

Ubuntu 12.04 LTS:
qemu-kvm 1.0+noroms-0ubuntu14.22

After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2608-1
CVE-2015-1779, CVE-2015-2756, CVE-2015-3456

Package Information:
https://launchpad.net/ubuntu/+source/qemu/1:2.2+dfsg-5expubuntu9.1
https://launchpad.net/ubuntu/+source/qemu/2.1+dfsg-4ubuntu6.6
https://launchpad.net/ubuntu/+source/qemu/2.0.0+dfsg-2ubuntu1.11
https://launchpad.net/ubuntu/+source/qemu-kvm/1.0+noroms-0ubuntu14.22

—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1

iQIcBAEBCgAGBQJVU4p3AAoJEGVp2FWnRL6TRrgP/A7/6GoYSQTdFOIHfLrvNOmF
+fArShxLlEoPLlnfCZSYSP8ohYve9/25UzOqo9Gz3TATcsZwV9s7LtMCr4V0IXgq
8utL0kcYHAUNIrhREVXKagTYcHbLCvxRCXFNOQkzl5fD5d86dc20leELi97SsixO
5Zi0FRtHUX2q8A67iK3lrodFeN8SzZTa2g/xLsbBe3mir9b7mTugk7y51uADvg58
ylA6wlPUE2QYhEbPJ/V4bDv6Hd0OENXnWy4uMFRlv9+McLpgifnuzY/XNgiyMx8o
oSDWU6L6bsqpCoB8F04n6AFbgOPS44LHBzYHKS89ziawJV42hEkvPRU5qh7MlzaX
7PtostQ24951oe0Dh8UbC0rHuJuTaJVcS5AhGo3piYkViRXUl6tioTzOnZ6i/qoi
3Sr6QaKS/gNeQt8r3DCfjTWeyhSdF0kGUPWFPqTFzq3Gpntj3VL+cyPUCZ13Whth
03Nu4ElstnU0bo3WnKUZmmr2Jz922D43eZ9RO1IzSLd8f0PlFeML7DIRHPrT2y0B
bwCiyaR6Gw6AeE2D02nt/9ZyGYRcd9AmuAkVbNChw7kOafIsKvRQwRX3Jo3U2lEi
NBG+1CqYA839EVqhiTYduifCrckJTqcgOC0YNp7VWUepQY6cVfIZEOrbdiRan1RW
uP08dY3etVVXGrAstzCo
=k72U
—–END PGP SIGNATURE—–

Top
More in Preporuke
Sigurnosni propust programskog paketa kvm

Otkriven je sigurnosni propust u programskom paketu kvm za operacijski sustav Suse. Otkriveni propust potencijalnim napadačima omogućuje izvođenje napada uskraćivanja...

Close