http://git.qemu.org/?p=qemu.git;a=commit;h=ff55e94d23ae94c8628b0115320157c763eb3e06

[oss-security] 20161028 CVE request Qemu: 9pfs: memory leakage when creating extended attribute

[oss-security] 20161030 Re: CVE request Qemu: 9pfs: memory leakage when creating extended attribute

93962

[debian-lts-announce] 20181130 [SECURITY] [DLA 1599-1] qemu security update

[qemu-devel] 20161010 Re: [PATCH] 9pfs: fix memory leak in v9fs_xattrcreate

GLSA-201611-11

Several vulnerabilities were found in QEMU, a fast processor emulator :

CVE-2016-2391

Zuozhi Fzz discovered that eof_times in USB OHCI emulation support could be used to cause a denial of service, via a NULL pointer dereference.

CVE-2016-2392 / CVE-2016-2538

Qinghao Tang found a NULL pointer dereference and multiple integer overflows in the USB Net device support that could allow local guest OS administrators to cause a denial of service. These issues related to remote NDIS control message handling.

CVE-2016-2841

Yang Hongke reported an infinite loop vulnerability in the NE2000 NIC emulation support.

CVE-2016-2857

Liu Ling found a flaw in QEMU IP checksum routines. Attackers could take advantage of this issue to cause QEMU to crash.

CVE-2016-2858

Arbitrary stack based allocation in the Pseudo Random Number Generator (PRNG) back-end support.

CVE-2016-4001 / CVE-2016-4002

Oleksandr Bazhaniuk reported buffer overflows in the Stellaris and the MIPSnet ethernet controllers emulation. Remote malicious users could use these issues to cause QEMU to crash.

CVE-2016-4020

Donghai Zdh reported that QEMU incorrectly handled the access to the Task Priority Register (TPR), allowing local guest OS administrators to obtain sensitive information from host stack memory.

CVE-2016-4037

Du Shaobo found an infinite loop vulnerability in the USB EHCI emulation support.

CVE-2016-4439 / CVE-2016-4441 / CVE-2016-5238 / CVE-2016-5338 / CVE-2016-6351

Li Qiang found different issues in the QEMU 53C9X Fast SCSI Controller (FSC) emulation support, that made it possible for local guest OS privileged users to cause denials of service or potentially execute arbitrary code.

CVE-2016-4453 / CVE-2016-4454

Li Qiang reported issues in the QEMU VMWare VGA module handling, that may be used to cause QEMU to crash, or to obtain host sensitive information.

CVE-2016-4952 / CVE-2016-7421 / CVE-2016-7156

Li Qiang reported flaws in the VMware paravirtual SCSI bus emulation support. These issues concern an out-of-bounds access and infinite loops, that allowed local guest OS privileged users to cause a denial of service.

CVE-2016-5105 / CVE-2016-5106 / CVE-2016-5107 / CVE-2016-5337

Li Qiang discovered several issues in the MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. These issues include stack information leakage while reading configuration and out-of-bounds write and read.

CVE-2016-6834

Li Qiang reported an infinite loop vulnerability during packet fragmentation in the network transport abstraction layer support.
Local guest OS privileged users could made use of this flaw to cause a denial of service.

CVE-2016-6836 / CVE-2016-6888

Li Qiang found issues in the VMWare VMXNET3 network card emulation support, relating to information leak and integer overflow in packet initialisation.

CVE-2016-7116

Felix Wilhel discovered a directory traversal flaw in the Plan 9 File System (9pfs), exploitable by local guest OS privileged users.

CVE-2016-7155

Tom Victor and Li Qiang reported an out-of-bounds read and an infinite loop in the VMware paravirtual SCSI bus emulation support.

CVE-2016-7161

Hu Chaojian reported a heap overflow in the xlnx.xps-ethernetlite emulation support. Privileged users in local guest OS could made use of this to cause QEMU to crash.

CVE-2016-7170

Qinghao Tang and Li Qiang reported a flaw in the QEMU VMWare VGA module, that could be used by privileged user in local guest OS to cause QEMU to crash via an out-of-bounds stack memory access.

CVE-2016-7908 / CVE-2016-7909

Li Qiang reported infinite loop vulnerabilities in the ColdFire Fast Ethernet Controller and the AMD PC-Net II (Am79C970A) emulations.
These flaws allowed local guest OS administrators to cause a denial of service.

CVE-2016-8909

Huawei PSIRT found an infinite loop vulnerability in the Intel HDA emulation support, relating to DMA buffer stream processing.
Privileged users in local guest OS could made use of this to cause a denial of service.

CVE-2016-8910

Andrew Henderson reported an infinite loop in the RTL8139 ethernet controller emulation support. Privileged users inside a local guest OS could made use of this to cause a denial of service.

CVE-2016-9101

Li Qiang reported a memory leakage in the i8255x (PRO100) ethernet controller emulation support.

CVE-2016-9102 / CVE-2016-9103 / CVE-2016-9104 / CVE-2016-9105 / CVE-2016-9106 / CVE-2016-8577 / CVE-2016-8578

Li Qiang reported various Plan 9 File System (9pfs) security issues, including host memory leakage and denial of service.

CVE-2017-10664

Denial of service in the qemu-nbd (QEMU Disk Network Block Device) Server.

CVE-2018-10839 / CVE-2018-17962 / CVE-2018-17963

Daniel Shapira reported several integer overflows in the packet handling in ethernet controllers emulated by QEMU. These issues could lead to denial of service.

For Debian 8 'Jessie', these problems have been fixed in version 1:2.1+dfsg-12+deb8u8.

We recommend that you upgrade your qemu packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- CVE-2016-6836: vmxnet: Information leakage in     vmxnet3_complete_packet (bz #1366370)

  - CVE-2016-7909: pcnet: Infinite loop in pcnet_rdra_addr     (bz #1381196)

  - CVE-2016-7994: virtio-gpu: memory leak in     resource_create_2d (bz #1382667)

  - CVE-2016-8577: 9pfs: host memory leakage in v9fs_read     (bz #1383286)

  - CVE-2016-8578: 9pfs: potential NULL dereferencein 9pfs     routines (bz #1383292)

  - CVE-2016-8668: OOB buffer access in rocker switch     emulation (bz #1384898)

  - CVE-2016-8669: divide by zero error in     serial_update_parameters (bz #1384911)

  - CVE-2016-8910: rtl8139: infinite loop while transmit in     C+ mode (bz #1388047)

  - CVE-2016-8909: intel-hda: infinite loop in dma buffer     stream (bz #1388053)

  - Infinite loop vulnerability in a9_gtimer_update (bz     #1388300)

  - CVE-2016-9101: eepro100: memory leakage at device unplug     (bz #1389539)

  - CVE-2016-9103: 9pfs: information leakage via xattr (bz     #1389643)

  - CVE-2016-9102: 9pfs: memory leakage when creating     extended attribute (bz #1389551)

  - CVE-2016-9104: 9pfs: integer overflow leading to OOB     access (bz #1389687)

  - CVE-2016-9105: 9pfs: memory leakage in v9fs_link (bz     #1389704)

  - CVE-2016-9106: 9pfs: memory leakage in v9fs_write (bz     #1389713)

  - CVE-2016-9381: xen: incautious about shared ring     processing (bz #1397385)

  - CVE-2016-9921: Divide by zero vulnerability in     cirrus_do_copy (bz #1399054)

  - CVE-2016-9776: infinite loop while receiving data in     mcf_fec_receive (bz #1400830)

  - CVE-2016-9845: information leakage in     virgl_cmd_get_capset_info (bz #1402247)

  - CVE-2016-9846: virtio-gpu: memory leakage while updating     cursor data (bz #1402258)

  - CVE-2016-9907: usbredir: memory leakage when destroying     redirector (bz #1402266)

  - CVE-2016-9911: usb: ehci: memory leakage in     ehci_init_transfer (bz #1402273)

  - CVE-2016-9913: 9pfs: memory leakage via proxy/handle     callbacks (bz #1402277)

  - CVE-2016-10028: virtio-gpu-3d: OOB access while reading     virgl capabilities (bz #1406368)

  - CVE-2016-9908: virtio-gpu: information leakage in     virgl_cmd_get_capset (bz #1402263)

  - CVE-2016-9912: virtio-gpu: memory leakage when     destroying gpu resource (bz #1402285)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- CVE-2016-6836: vmxnet: Information leakage in     vmxnet3_complete_packet (bz #1366370)

  - CVE-2016-7909: pcnet: Infinite loop in pcnet_rdra_addr     (bz #1381196)

  - CVE-2016-7994: virtio-gpu: memory leak in     resource_create_2d (bz #1382667)

  - CVE-2016-8577: 9pfs: host memory leakage in v9fs_read     (bz #1383286)

  - CVE-2016-8578: 9pfs: potential NULL dereferencein 9pfs     routines (bz #1383292)

  - CVE-2016-8668: OOB buffer access in rocker switch     emulation (bz #1384898)

  - CVE-2016-8669: divide by zero error in     serial_update_parameters (bz #1384911)

  - CVE-2016-8909: intel-hda: infinite loop in dma buffer     stream (bz #1388053)

  - Infinite loop vulnerability in a9_gtimer_update (bz     #1388300)

  - CVE-2016-9101: eepro100: memory leakage at device unplug     (bz #1389539)

  - CVE-2016-9103: 9pfs: information leakage via xattr (bz     #1389643)

  - CVE-2016-9102: 9pfs: memory leakage when creating     extended attribute (bz #1389551)

  - CVE-2016-9104: 9pfs: integer overflow leading to OOB     access (bz #1389687)

  - CVE-2016-9105: 9pfs: memory leakage in v9fs_link (bz     #1389704)

  - CVE-2016-9106: 9pfs: memory leakage in v9fs_write (bz     #1389713)

  - CVE-2016-9381: xen: incautious about shared ring     processing (bz #1397385)

  - CVE-2016-9921: Divide by zero vulnerability in     cirrus_do_copy (bz #1399054)

  - CVE-2016-9776: infinite loop while receiving data in     mcf_fec_receive (bz #1400830)

  - CVE-2016-9845: information leakage in     virgl_cmd_get_capset_info (bz #1402247)

  - CVE-2016-9846: virtio-gpu: memory leakage while updating     cursor data (bz #1402258)

  - CVE-2016-9907: usbredir: memory leakage when destroying     redirector (bz #1402266)

  - CVE-2016-9911: usb: ehci: memory leakage in     ehci_init_transfer (bz #1402273)

  - CVE-2016-9913: 9pfs: memory leakage via proxy/handle     callbacks (bz #1402277)

  - CVE-2016-10028: virtio-gpu-3d: OOB access while reading     virgl capabilities (bz #1406368)

  - CVE-2016-9908: virtio-gpu: information leakage in     virgl_cmd_get_capset (bz #1402263)

  - CVE-2016-9912: virtio-gpu: memory leakage when     destroying gpu resource (bz #1402285)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

qemu was updated to fix several issues.

These security issues were fixed :

  - CVE-2016-9102: Memory leak in the v9fs_xattrcreate     function in hw/9pfs/9p.c in allowed local guest OS     administrators to cause a denial of service (memory     consumption and QEMU process crash) via a large number     of Txattrcreate messages with the same fid number     (bsc#1014256).

  - CVE-2016-9103: The v9fs_xattrcreate function in     hw/9pfs/9p.c in allowed local guest OS administrators to     obtain sensitive host heap memory information by reading     xattribute values writing to them (bsc#1007454).

  - CVE-2016-9381: Improper processing of shared rings     allowing guest administrators take over the qemu     process, elevating their privilege to that of the qemu     process (bsc#1009109)

  - CVE-2016-9776: The ColdFire Fast Ethernet Controller     emulator support was vulnerable to an infinite loop     issue while receiving packets in 'mcf_fec_receive'. A     privileged user/process inside guest could have used     this issue to crash the Qemu process on the host leading     to DoS (bsc#1013285).

  - CVE-2016-9845: The Virtio GPU Device emulator support as     vulnerable to an information leakage issue while     processing the 'VIRTIO_GPU_CMD_GET_CAPSET_INFO' command.
    A guest user/process could have used this flaw to leak     contents of the host memory (bsc#1013767).

  - CVE-2016-9846: The Virtio GPU Device emulator support     was vulnerable to a memory leakage issue while updating     the cursor data in update_cursor_data_virgl. A guest     user/process could have used this flaw to leak host     memory bytes, resulting in DoS for the host     (bsc#1013764).

  - CVE-2016-9907: The USB redirector usb-guest support was     vulnerable to a memory leakage flaw when destroying the     USB redirector in 'usbredir_handle_destroy'. A guest     user/process could have used this issue to leak host     memory, resulting in DoS for a host (bsc#1014109).

  - CVE-2016-9908: The Virtio GPU Device emulator support     was vulnerable to an information leakage issue while     processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command. A     guest user/process could have used this flaw to leak     contents of the host memory (bsc#1014514).

  - CVE-2016-9911: The USB EHCI Emulation support was     vulnerable to a memory leakage issue while processing     packet data in 'ehci_init_transfer'. A guest     user/process could have used this issue to leak host     memory, resulting in DoS for the host (bsc#1014111).

  - CVE-2016-9912: The Virtio GPU Device emulator support     was vulnerable to a memory leakage issue while     destroying gpu resource object in     'virtio_gpu_resource_destroy'. A guest user/process     could have used this flaw to leak host memory bytes,     resulting in DoS for the host (bsc#1014112).

  - CVE-2016-9913: VirtFS was vulnerable to memory leakage     issue via its '9p-handle' or '9p-proxy' backend drivers.
    A privileged user inside guest could have used this flaw     to leak host memory, thus affecting other services on     the host and/or potentially crash the Qemu process on     the host (bsc#1014110).

These non-security issues were fixed :

  - Fixed uint64 property parsing and add regression tests     (bsc#937125)

  - Added a man page for kvm_stat

  - Fix crash in vte (bsc#1008519)

  - Various upstream commits targeted towards stable     releases (bsc#1013341)

This update was imported from the SUSE:SLE-12-SP2:Update update project.

qemu was updated to fix several issues. These security issues were fixed :

  - CVE-2016-9102: Memory leak in the v9fs_xattrcreate     function in hw/9pfs/9p.c in allowed local guest OS     administrators to cause a denial of service (memory     consumption and QEMU process crash) via a large number     of Txattrcreate messages with the same fid number     (bsc#1014256).

  - CVE-2016-9103: The v9fs_xattrcreate function in     hw/9pfs/9p.c in allowed local guest OS administrators to     obtain sensitive host heap memory information by reading     xattribute values writing to them (bsc#1007454).

  - CVE-2016-9381: Improper processing of shared rings     allowing guest administrators take over the qemu     process, elevating their privilege to that of the qemu     process (bsc#1009109)

  - CVE-2016-9776: The ColdFire Fast Ethernet Controller     emulator support was vulnerable to an infinite loop     issue while receiving packets in 'mcf_fec_receive'. A     privileged user/process inside guest could have used     this issue to crash the Qemu process on the host leading     to DoS (bsc#1013285).

  - CVE-2016-9845: The Virtio GPU Device emulator support as     vulnerable to an information leakage issue while     processing the 'VIRTIO_GPU_CMD_GET_CAPSET_INFO' command.
    A guest user/process could have used this flaw to leak     contents of the host memory (bsc#1013767).

  - CVE-2016-9846: The Virtio GPU Device emulator support     was vulnerable to a memory leakage issue while updating     the cursor data in update_cursor_data_virgl. A guest     user/process could have used this flaw to leak host     memory bytes, resulting in DoS for the host     (bsc#1013764).

  - CVE-2016-9907: The USB redirector usb-guest support was     vulnerable to a memory leakage flaw when destroying the     USB redirector in 'usbredir_handle_destroy'. A guest     user/process could have used this issue to leak host     memory, resulting in DoS for a host (bsc#1014109).

  - CVE-2016-9908: The Virtio GPU Device emulator support     was vulnerable to an information leakage issue while     processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command. A     guest user/process could have used this flaw to leak     contents of the host memory (bsc#1014514).

  - CVE-2016-9911: The USB EHCI Emulation support was     vulnerable to a memory leakage issue while processing     packet data in 'ehci_init_transfer'. A guest     user/process could have used this issue to leak host     memory, resulting in DoS for the host (bsc#1014111).

  - CVE-2016-9912: The Virtio GPU Device emulator support     was vulnerable to a memory leakage issue while     destroying gpu resource object in     'virtio_gpu_resource_destroy'. A guest user/process     could have used this flaw to leak host memory bytes,     resulting in DoS for the host (bsc#1014112).

  - CVE-2016-9913: VirtFS was vulnerable to memory leakage     issue via its '9p-handle' or '9p-proxy' backend drivers.
    A privileged user inside guest could have used this flaw     to leak host memory, thus affecting other services on     the host and/or potentially crash the Qemu process on     the host (bsc#1014110).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes the following issues :

  - Patch queue updated from     https://gitlab.suse.de/virtualization/qemu.git SLE12-SP1

  - Change package post script udevadm trigger calls to be     device specific (bsc#1002116)

  - Address various security/stability issues

  - Fix OOB access in xlnx.xpx-ethernetlite emulation     (CVE-2016-7161 bsc#1001151)

  - Fix OOB access in VMware SVGA emulation (CVE-2016-7170     bsc#998516)

  - Fix DOS in USB xHCI emulation (CVE-2016-7466     bsc#1000345)

  - Fix DOS in Vmware pv scsi interface (CVE-2016-7421     bsc#999661)

  - Fix DOS in ColdFire Fast Ethernet Controller emulation     (CVE-2016-7908 bsc#1002550)

  - Fix DOS in USB xHCI emulation (CVE-2016-8576     bsc#1003878)

  - Fix DOS in virtio-9pfs (CVE-2016-8578 bsc#1003894)

  - Fix DOS in virtio-9pfs (CVE-2016-9105 bsc#1007494)

  - Fix DOS in virtio-9pfs (CVE-2016-8577 bsc#1003893)

  - Plug data leak in virtio-9pfs interface (CVE-2016-9103     bsc#1007454)

  - Fix DOS in virtio-9pfs interface (CVE-2016-9102     bsc#1007450)

  - Fix DOS in virtio-9pfs (CVE-2016-9106 bsc#1007495)

  - Fix DOS in 16550A UART emulation (CVE-2016-8669     bsc#1004707)

  - Fix DOS in PC-Net II emulation (CVE-2016-7909     bsc#1002557)

  - Fix DOS in PRO100 emulation (CVE-2016-9101 bsc#1007391)

  - Fix DOS in RTL8139 emulation (CVE-2016-8910 bsc#1006538)

  - Fix DOS in Intel HDA controller emulation (CVE-2016-8909     bsc#1006536)

  - Fix DOS in virtio-9pfs (CVE-2016-9104 bsc#1007493)

  - Fix DOS in JAZZ RC4030 emulation (CVE-2016-8667     bsc#1004702)

  - Fix case of disk corruption with migration due to     improper internal state tracking (bsc#996524)

This update was imported from the SUSE:SLE-12-SP1:Update update project.

This update for qemu fixes the following issues :

  - Patch queue updated from     https://gitlab.suse.de/virtualization/qemu.git SLE12-SP1

  - Change package post script udevadm trigger calls to be     device specific (bsc#1002116)

  - Address various security/stability issues

  - Fix OOB access in xlnx.xpx-ethernetlite emulation     (CVE-2016-7161 bsc#1001151)

  - Fix OOB access in VMware SVGA emulation (CVE-2016-7170     bsc#998516)

  - Fix DOS in USB xHCI emulation (CVE-2016-7466     bsc#1000345)

  - Fix DOS in Vmware pv scsi interface (CVE-2016-7421     bsc#999661)

  - Fix DOS in ColdFire Fast Ethernet Controller emulation     (CVE-2016-7908 bsc#1002550)

  - Fix DOS in USB xHCI emulation (CVE-2016-8576     bsc#1003878)

  - Fix DOS in virtio-9pfs (CVE-2016-8578 bsc#1003894)

  - Fix DOS in virtio-9pfs (CVE-2016-9105 bsc#1007494)

  - Fix DOS in virtio-9pfs (CVE-2016-8577 bsc#1003893)

  - Plug data leak in virtio-9pfs interface (CVE-2016-9103     bsc#1007454)

  - Fix DOS in virtio-9pfs interface (CVE-2016-9102     bsc#1007450)

  - Fix DOS in virtio-9pfs (CVE-2016-9106 bsc#1007495)

  - Fix DOS in 16550A UART emulation (CVE-2016-8669     bsc#1004707)

  - Fix DOS in PC-Net II emulation (CVE-2016-7909     bsc#1002557)

  - Fix DOS in PRO100 emulation (CVE-2016-9101 bsc#1007391)

  - Fix DOS in RTL8139 emulation (CVE-2016-8910 bsc#1006538)

  - Fix DOS in Intel HDA controller emulation (CVE-2016-8909     bsc#1006536)

  - Fix DOS in virtio-9pfs (CVE-2016-9104 bsc#1007493)

  - Fix DOS in JAZZ RC4030 emulation (CVE-2016-8667     bsc#1004702)

  - Fix case of disk corruption with migration due to     improper internal state tracking (bsc#996524)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes the following issues :

  - Patch queue updated from     https://gitlab.suse.de/virtualization/qemu.git SLE12

  - Change package post script udevadm trigger calls to be     device specific (bsc#1002116)

  - Address various security/stability issues

  - Fix OOB access in xlnx.xpx-ethernetlite emulation     (CVE-2016-7161 bsc#1001151)

  - Fix OOB access in VMware SVGA emulation (CVE-2016-7170     bsc#998516)

  - Fix DOS in Vmware pv scsi interface (CVE-2016-7421     bsc#999661)

  - Fix DOS in ColdFire Fast Ethernet Controller emulation     (CVE-2016-7908 bsc#1002550)

  - Fix DOS in USB xHCI emulation (CVE-2016-8576     bsc#1003878)

  - Fix DOS in virtio-9pfs (CVE-2016-8578 bsc#1003894)

  - Fix DOS in virtio-9pfs (CVE-2016-9105 bsc#1007494)

  - Fix DOS in virtio-9pfs (CVE-2016-8577 bsc#1003893)

  - Plug data leak in virtio-9pfs interface (CVE-2016-9103     bsc#1007454)

  - Fix DOS in virtio-9pfs interface (CVE-2016-9102     bsc#1007450)

  - Fix DOS in virtio-9pfs (CVE-2016-9106 bsc#1007495)

  - Fix DOS in 16550A UART emulation (CVE-2016-8669     bsc#1004707)

  - Fix DOS in PC-Net II emulation (CVE-2016-7909     bsc#1002557)

  - Fix DOS in PRO100 emulation (CVE-2016-9101 bsc#1007391)

  - Fix DOS in RTL8139 emulation (CVE-2016-8910 bsc#1006538)

  - Fix DOS in Intel HDA controller emulation (CVE-2016-8909     bsc#1006536)

  - Fix DOS in virtio-9pfs (CVE-2016-9104 bsc#1007493)

  - Fix DOS in JAZZ RC4030 emulation (CVE-2016-8667     bsc#1004702)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for kvm fixes the following issues :

  - Address various security/stability issues

  - Fix OOB access in xlnx.xpx-ethernetlite emulation     (CVE-2016-7161 bsc#1001151)

  - Fix OOB access in VMware SVGA emulation (CVE-2016-7170     bsc#998516)

  - Fix DOS in ColdFire Fast Ethernet Controller emulation     (CVE-2016-7908 bsc#1002550)

  - Fix DOS in USB xHCI emulation (CVE-2016-8576     bsc#1003878)

  - Fix DOS in virtio-9pfs (CVE-2016-8578 bsc#1003894)

  - Fix DOS in virtio-9pfs (CVE-2016-9105 bsc#1007494)

  - Fix DOS in virtio-9pfs (CVE-2016-8577 bsc#1003893)

  - Plug data leak in virtio-9pfs interface (CVE-2016-9103     bsc#1007454)

  - Fix DOS in virtio-9pfs interface (CVE-2016-9102     bsc#1007450)

  - Fix DOS in virtio-9pfs (CVE-2016-9106 bsc#1007495)

  - Fix DOS in 16550A UART emulation (CVE-2016-8669     bsc#1004707)

  - Fix DOS in PC-Net II emulation (CVE-2016-7909     bsc#1002557)

  - Fix DOS in PRO100 emulation (CVE-2016-9101 bsc#1007391)

  - Fix DOS in RTL8139 emulation (CVE-2016-8910 bsc#1006538)

  - Fix DOS in Intel HDA controller emulation (CVE-2016-8909     bsc#1006536)

  - Fix DOS in virtio-9pfs (CVE-2016-9104 bsc#1007493)

  - Fix DOS in JAZZ RC4030 emulation (CVE-2016-8667     bsc#1004702)

  - Patch queue updated from     https://gitlab.suse.de/virtualization/qemu.git SLE11-SP4

  - Remove semi-contradictory and now determined erroneous     statement in kvm-supported.txt regarding not running ntp     in kvm guest when kvm-clock is used. It is now     recommended to use ntp in guest in this case.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201611-11 (QEMU: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in QEMU. Please review the       CVE identifiers referenced below for details.
  Impact :

    A privileged user /process within a guest QEMU environment can cause a       Denial of Service condition against the QEMU guest process or the host.
  Workaround :

    There is no known workaround at this time.

several qemu security fixes

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Zhenhao Hong discovered that QEMU incorrectly handled the Virtio module. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service.
(CVE-2016-5403)

Li Qiang discovered that QEMU incorrectly handled VMWARE VMXNET3 network card emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-6833, CVE-2016-6834, CVE-2016-6888)

Li Qiang discovered that QEMU incorrectly handled VMWARE VMXNET3 network card emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-6835)

Li Qiang discovered that QEMU incorrectly handled VMWARE VMXNET3 network card emulation support. A privileged attacker inside the guest could use this issue to possibly to obtain sensitive host memory. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-6836)

Felix Wilhelm discovered that QEMU incorrectly handled Plan 9 File System (9pfs) support. A privileged attacker inside the guest could use this issue to possibly to obtain sensitive host files.
(CVE-2016-7116)

Li Qiang and Tom Victor discovered that QEMU incorrectly handled VMWARE PVSCSI paravirtual SCSI bus emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7155)

Li Qiang discovered that QEMU incorrectly handled VMWARE PVSCSI paravirtual SCSI bus emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7156, CVE-2016-7421)

Tom Victor discovered that QEMU incorrectly handled LSI SAS1068 host bus emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.10. (CVE-2016-7157)

Hu Chaojian discovered that QEMU incorrectly handled xlnx.xps-ethernetlite emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2016-7161)

Qinghao Tang and Li Qiang discovered that QEMU incorrectly handled the VMware VGA module. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2016-7170)

Qinghao Tang and Zhenhao Hong discovered that QEMU incorrectly handled the Virtio module. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
This issue only affected Ubuntu 16.10. (CVE-2016-7422)

Li Qiang discovered that QEMU incorrectly handled LSI SAS1068 host bus emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
This issue only affected Ubuntu 16.10. (CVE-2016-7423)

Li Qiang discovered that QEMU incorrectly handled USB xHCI controller emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10.
(CVE-2016-7466)

Li Qiang discovered that QEMU incorrectly handled ColdFire Fast Ethernet Controller emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-7908)

Li Qiang discovered that QEMU incorrectly handled AMD PC-Net II emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2016-7909)

Li Qiang discovered that QEMU incorrectly handled the Virtio GPU support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service.
This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10.
(CVE-2016-7994)

Li Qiang discovered that QEMU incorrectly handled USB EHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service.
This issue only affected Ubuntu 16.10. (CVE-2016-7995)

Li Qiang discovered that QEMU incorrectly handled USB xHCI controller support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10.
(CVE-2016-8576)

Li Qiang discovered that QEMU incorrectly handled Plan 9 File System (9pfs) support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-8577, CVE-2016-8578)

It was discovered that QEMU incorrectly handled Rocker switch emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10.
(CVE-2016-8668)

It was discovered that QEMU incorrectly handled Intel HDA controller emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. (CVE-2016-8909)

Andrew Henderson discovered that QEMU incorrectly handled RTL8139 ethernet controller emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. (CVE-2016-8910)

Li Qiang discovered that QEMU incorrectly handled Intel i8255x ethernet controller emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. (CVE-2016-9101)

Li Qiang discovered that QEMU incorrectly handled Plan 9 File System (9pfs) support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. (CVE-2016-9102, CVE-2016-9104, CVE-2016-9105)

Li Qiang discovered that QEMU incorrectly handled Plan 9 File System (9pfs) support. A privileged attacker inside the guest could use this issue to possibly to obtain sensitive host memory. (CVE-2016-9103)

Li Qiang discovered that QEMU incorrectly handled Plan 9 File System (9pfs) support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9106).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities were discovered in qemu, a fast processor emulator. The Common Vulnerabilities and Exposures project identifies the following problems :

CVE-2016-7909

Quick Emulator(Qemu) built with the AMD PC-Net II emulator support is vulnerable to an infinite loop issue. It could occur while receiving packets via pcnet_receive().

A privileged user/process inside guest could use this issue to crash the Qemu process on the host leading to DoS.

CVE-2016-8909

Quick Emulator(Qemu) built with the Intel HDA controller emulation support is vulnerable to an infinite loop issue. It could occur while processing the DMA buffer stream while doing data transfer in 'intel_hda_xfer'.

A privileged user inside guest could use this flaw to consume excessive CPU cycles on the host, resulting in DoS.

CVE-2016-8910

Quick Emulator(Qemu) built with the RTL8139 ethernet controller emulation support is vulnerable to an infinite loop issue. It could occur while transmitting packets in C+ mode of operation.

A privileged user inside guest could use this flaw to consume excessive CPU cycles on the host, resulting in DoS situation.

CVE-2016-9101

Quick Emulator(Qemu) built with the i8255x (PRO100) NIC emulation support is vulnerable to a memory leakage issue. It could occur while unplugging the device, and doing so repeatedly would result in leaking host memory affecting, other services on the host.

A privileged user inside guest could use this flaw to cause a DoS on the host and/or potentially crash the Qemu process on the host.

CVE-2016-9102 CVE-2016-9105 CVE-2016-9106

Quick Emulator(Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to a several memory leakage issues.

A privileged user inside guest could use this flaws to leak the host memory bytes resulting in DoS for other services.

CVE-2016-9104

Quick Emulator(Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an integer overflow issue. It could occur by accessing xattributes values.

A privileged user inside guest could use this flaw to crash the Qemu process instance resulting in DoS.

CVE-2016-9103

Quick Emulator(Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an information leakage issue. It could occur by accessing xattribute value before it's written to.

A privileged user inside guest could use this flaw to leak host memory bytes.

For Debian 7 'Wheezy', these problems have been fixed in version 1.1.2+dfsg-6+deb7u18.

We recommend that you upgrade your qemu packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
119310	Debian DLA-1599-1 : qemu security update	Nessus	Debian Local Security Checks	critical
96782	Fedora 24 : 2:qemu (2017-12394e2cc7)	Nessus	Fedora Local Security Checks	medium
96677	Fedora 25 : 2:qemu (2017-b953d4d3a4)	Nessus	Fedora Local Security Checks	medium
96623	openSUSE Security Update : qemu (openSUSE-2017-116)	Nessus	SuSE Local Security Checks	medium
96529	SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2017:0127-1)	Nessus	SuSE Local Security Checks	medium
95757	openSUSE Security Update : qemu (openSUSE-2016-1451)	Nessus	SuSE Local Security Checks	critical
95537	SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2016:2988-1)	Nessus	SuSE Local Security Checks	critical
95396	SUSE SLES12 Security Update : qemu (SUSE-SU-2016:2936-1)	Nessus	SuSE Local Security Checks	critical
95316	SUSE SLES11 Security Update : kvm (SUSE-SU-2016:2902-1)	Nessus	SuSE Local Security Checks	critical
95018	GLSA-201611-11 : QEMU: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
95006	Fedora 25 : xen (2016-7b6fbff620)	Nessus	Fedora Local Security Checks	low
94690	Fedora 23 : xen (2016-da6b1d277b)	Nessus	Fedora Local Security Checks	low
94669	Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : qemu, qemu-kvm vulnerabilities (USN-3125-1)	Nessus	Ubuntu Local Security Checks	critical
94656	Fedora 24 : xen (2016-0d1a8ee35b)	Nessus	Fedora Local Security Checks	low
94519	Debian DLA-698-1 : qemu security update	Nessus	Debian Local Security Checks	medium

CVE-2016-9102

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins