http://git.qemu-project.org/?p=qemu.git;a=commit;h=765a707000e838c30b18d712fe6cb3dd8e0435f3

[oss-security] 20170201 CVE request Qemu: scsi: megasas: host memory leakage in megasas_handle_dcmd

[oss-security] 20170202 Re: CVE request Qemu: scsi: megasas: host memory leakage in megasas_handle_dcmd

95999

https://bugzilla.redhat.com/show_bug.cgi?id=1418342

[debian-lts-announce] 20180906 [SECURITY] [DLA 1497-1] qemu security update

GLSA-201702-28

According to the versions of the qemu-kvm packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - Memory leak in hw/audio/es1370.c in QEMU (aka Quick     Emulator) allows local guest OS privileged users to     cause a denial of service (host memory consumption and     QEMU process crash) via a large number of device unplug     operations.(CVE-2017-5526)

  - Memory leak in hw/audio/ac97.c in QEMU (aka Quick     Emulator) allows local guest OS privileged users to     cause a denial of service (host memory consumption and     QEMU process crash) via a large number of device unplug     operations.(CVE-2017-5525)

  - The xhci_kick_epctx function in hw/usb/hcd-xhci.c in     QEMU (aka Quick Emulator) allows local guest OS     privileged users to cause a denial of service (infinite     loop and QEMU process crash) via vectors related to     control transfer descriptor sequence.(CVE-2017-5973)

  - The sdhci_sdma_transfer_multi_blocks function in     hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local     OS guest privileged users to cause a denial of service     (infinite loop and QEMU process crash) via vectors     involving the transfer mode register during multi block     transfer.(CVE-2017-5987)

  - Memory leak in the megasas_handle_dcmd function in     hw/scsi/megasas.c in QEMU (aka Quick Emulator) allows     local guest OS privileged users to cause a denial of     service (host memory consumption) via MegaRAID Firmware     Interface (MFI) commands with the sglist size set to a     value over 2 Gb.(CVE-2017-5856)

  - qemu_deliver_packet_iov in net/net.c in Qemu accepts     packet sizes greater than INT_MAX, which allows     attackers to cause a denial of service or possibly have     unspecified other impact.(CVE-2018-17963)

  - qemu-bridge-helper.c in QEMU 4.0.0 does not ensure that     a network interface name (obtained from bridge.conf or     a --br=bridge option) is limited to the IFNAMSIZ size,     which can lead to an ACL bypass.(CVE-2019-13164)

  - Buffer overflow in the 'megasas_mmio_write' function in     Qemu 2.9.0 allows remote attackers to have unspecified     impact via unknown vectors.(CVE-2017-8380)

  - Quick Emulator (Qemu) built with the VirtFS, host     directory sharing via Plan 9 File System(9pfs) support,     is vulnerable to an improper access control issue. It     could occur while accessing virtfs metadata files in     mapped-file security mode. A guest user could use this     flaw to escalate their privileges inside     guest.(CVE-2017-7493)

  - In QEMU 3.1.0, load_device_tree in device_tree.c calls     the deprecated load_image function, which has a buffer     overflow risk.(CVE-2018-20815)

  - Use-after-free vulnerability in the sofree function in     slirp/socket.c in QEMU (aka Quick Emulator) allows     attackers to cause a denial of service (QEMU instance     crash) by leveraging failure to properly clear ifq_so     from pending packets.(CVE-2017-13711)

  - Stack-based buffer overflow in hw/usb/redirect.c in     QEMU (aka Quick Emulator) allows local guest OS users     to cause a denial of service (QEMU process crash) via     vectors related to logging debug     messages.(CVE-2017-10806)

  - The dhcp_decode function in slirp/bootp.c in QEMU (aka     Quick Emulator) allows local guest OS users to cause a     denial of service (out-of-bounds read and QEMU process     crash) via a crafted DHCP options     string.(CVE-2017-11434)

  - The imx_fec_do_tx function in hw/net/imx_fec.c in QEMU     (aka Quick Emulator) does not properly limit the buffer     descriptor count when transmitting packets, which     allows local guest OS administrators to cause a denial     of service (infinite loop and QEMU process crash) via     vectors involving a buffer descriptor with a length of     0 and crafted values in bd.flags.(CVE-2016-7907)

  - tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c)     in QEMU 3.0.0 uses uninitialized data in an snprintf     call, leading to Information disclosure.(CVE-2019-9824)

  - interface_release_resource in hw/display/qxl.c in QEMU     4.0.0 has a NULL pointer dereference.(CVE-2019-12155)

  - hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator)     allows local guest OS privileged users to cause a     denial of service (infinite loop and CPU consumption)     via the message ring page count.(CVE-2017-8112)

  - Qemu has a Buffer Overflow in rtl8139_do_receive in     hw/net/rtl8139.c because an incorrect integer data type     is used.(CVE-2018-17958)

  - TSX Asynchronous Abort condition on some CPUs utilizing     speculative execution may allow an authenticated user     to potentially enable information disclosure via a side     channel with local access.(CVE-2019-11135)

  - In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6,     1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1,     1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12     (fixed), when executing script in lsi_execute_script(),     the LSI scsi adapter emulator advances 's->dsp' index     to read next opcode. This can lead to an infinite loop     if the next opcode is empty. Move the existing loop     exit after 10k iterations so that it covers no-op     opcodes as well.(CVE-2019-12068)

  - qemu-seccomp.c in QEMU might allow local OS guest users     to cause a denial of service (guest crash) by     leveraging mishandling of the seccomp policy for     threads other than the main thread.(CVE-2018-15746)

  - Qemu has a Buffer Overflow in pcnet_receive in     hw/net/pcnet.c because an incorrect integer data type     is used.(CVE-2018-17962)

  - Quick Emulator(Qemu) built with the VMWARE PVSCSI     paravirtual SCSI bus emulation support is vulnerable to     an OOB r/w access issue. It could occur while     processing SCSI commands 'PVSCSI_CMD_SETUP_RINGS' or     'PVSCSI_CMD_SETUP_MSG_RING'. A privileged user inside     guest could use this flaw to crash the Qemu process     resulting in DoS.(CVE-2016-4952)

  - m_cat in slirp/mbuf.c in Qemu has a heap-based buffer     overflow via incoming fragmented     datagrams.(CVE-2018-11806)

  - In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c     allows out-of-bounds access by triggering an invalid     msg_len value.(CVE-2018-18849)

  - hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an     fid path while it is being accessed by a second thread,     leading to (for example) a use-after-free     outcome.(CVE-2018-19364)

  - v9fs_wstat in hw/9pfs/9p.c in QEMU allows guest OS     users to cause a denial of service (crash) because of a     race condition during file renaming.(CVE-2018-19489)

  - QEMU, through version 2.10 and through version 3.1.0,     is vulnerable to an out-of-bounds read of up to 128     bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A     local attacker with permission to execute i2c commands     could exploit this to read stack memory of the qemu     process on the host.(CVE-2019-3812)

  - A flaw was found in QEMU's Media Transfer Protocol     (MTP). The code opening files in usb_mtp_get_object and     usb_mtp_get_partial_object and directories in     usb_mtp_object_readdir doesn't consider that the     underlying filesystem may have changed since the time     lstat(2) was called in usb_mtp_object_alloc, a     classical TOCTTOU problem. An attacker with write     access to the host filesystem, shared with a guest, can     use this property to navigate the host filesystem in     the context of the QEMU process and read any file the     QEMU process has access to. Access to the filesystem     may be local or via a network share protocol such as     CIFS.(CVE-2018-16872)

  - ** DISPUTED ** An issue was discovered in ide_dma_cb()     in hw/ide/core.c in QEMU 2.4.0 through 4.2.0. The guest     system can crash the QEMU process in the host system     via a special SCSI_IOCTL_SEND_COMMAND. It hits an     assertion that implies that the size of successful DMA     transfers there must be a multiple of 512 (the size of     a sector). NOTE: a member of the QEMU security team     disputes the significance of this issue because a     'privileged guest user has many ways to cause similar     DoS effect, without triggering this     assert.'(CVE-2019-20175)

  - Quick Emulator (QEMU) built with Network Block Device     (NBD) Server support was vulnerable to a null-pointer     dereference issue. The flaw could occur when releasing     a client that was not initialized due to failed     negotiation. A remote user or process could exploit     this flaw to crash the qemu-nbd server (denial of     service).(CVE-2017-9524)

  - Qemu has integer overflows because IOReadHandler and     its associated functions use a signed integer data type     for a size value.(CVE-2018-18438)

  - The Bluetooth subsystem in QEMU mishandles negative     values for length variables, leading to memory     corruption.(CVE-2018-19665)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities were found in qemu, a fast processor emulator :

CVE-2015-8666

Heap-based buffer overflow in QEMU when built with the Q35-chipset-based PC system emulator

CVE-2016-2198

NULL pointer dereference in ehci_caps_write in the USB EHCI support that may result in denial of service

CVE-2016-6833

Use after free while writing in the vmxnet3 device that could be used to cause a denial of service

CVE-2016-6835

Buffer overflow in vmxnet_tx_pkt_parse_headers() in vmxnet3 device that could result in denial of service

CVE-2016-8576

Infinite loop vulnerability in xhci_ring_fetch in the USB xHCI support

CVE-2016-8667 / CVE-2016-8669

Divide by zero errors in set_next_tick in the JAZZ RC4030 chipset emulator, and in serial_update_parameters of some serial devices, that could result in denial of service

CVE-2016-9602

Improper link following with VirtFS

CVE-2016-9603

Heap buffer overflow via vnc connection in the Cirrus CLGD 54xx VGA emulator support

CVE-2016-9776

Infinite loop while receiving data in the ColdFire Fast Ethernet Controller emulator

CVE-2016-9907

Memory leakage in the USB redirector usb-guest support 

CVE-2016-9911

Memory leakage in ehci_init_transfer in the USB EHCI support

CVE-2016-9914 / CVE-2016-9915 / CVE-2016-9916

Plan 9 File System (9pfs): add missing cleanup operation in FileOperations, in the handle backend and in the proxy backend driver

CVE-2016-9921 / CVE-2016-9922

Divide by zero in cirrus_do_copy in the Cirrus CLGD 54xx VGA Emulator support 

CVE-2016-10155

Memory leak in hw/watchdog/wdt_i6300esb.c allowing local guest OS privileged users to cause a denial of service via a large number of device unplug operations.

CVE-2017-2615 / CVE-2017-2620 / CVE-2017-18030 / CVE-2018-5683 / CVE-2017-7718

Out-of-bounds access issues in the Cirrus CLGD 54xx VGA emulator support, that could result in denial of service

CVE-2017-5525 / CVE-2017-5526

Memory leakage issues in the ac97 and es1370 device emulation

CVE-2017-5579

Most memory leakage in the 16550A UART emulation

CVE-2017-5667

Out-of-bounds access during multi block SDMA transfer in the SDHCI emulation support.

CVE-2017-5715

Mitigations against the Spectre v2 vulnerability. For more information please refer to https://www.qemu.org/2018/01/04/spectre/

CVE-2017-5856

Memory leak in the MegaRAID SAS 8708EM2 Host Bus Adapter emulation support

CVE-2017-5973 / CVE-2017-5987 / CVE-2017-6505

Infinite loop issues in the USB xHCI, in the transfer mode register of the SDHCI protocol, and the USB ohci_service_ed_list

CVE-2017-7377

9pfs: host memory leakage via v9fs_create

CVE-2017-7493

Improper access control issues in the host directory sharing via 9pfs support.

CVE-2017-7980

Heap-based buffer overflow in the Cirrus VGA device that could allow local guest OS users to execute arbitrary code or cause a denial of service

CVE-2017-8086

9pfs: host memory leakage via v9pfs_list_xattr

CVE-2017-8112

Infinite loop in the VMWare PVSCSI emulation

CVE-2017-8309 / CVE-2017-8379

Host memory leakage issues via the audio capture buffer and the keyboard input event handlers 

CVE-2017-9330

Infinite loop due to incorrect return value in USB OHCI that may result in denial of service

CVE-2017-9373 / CVE-2017-9374

Host memory leakage during hot unplug in IDE AHCI and USB emulated devices that could result in denial of service

CVE-2017-9503

NULL pointer dereference while processing megasas command

CVE-2017-10806

Stack buffer overflow in USB redirector

CVE-2017-10911

Xen disk may leak stack data via response ring

CVE-2017-11434

Out-of-bounds read while parsing Slirp/DHCP options

CVE-2017-14167

Out-of-bounds access while processing multiboot headers that could result in the execution of arbitrary code

CVE-2017-15038

9pfs: information disclosure when reading extended attributes

CVE-2017-15289

Out-of-bounds write access issue in the Cirrus graphic adaptor that could result in denial of service

CVE-2017-16845

Information leak in the PS/2 mouse and keyboard emulation support that could be exploited during instance migration 

CVE-2017-18043

Integer overflow in the macro ROUND_UP (n, d) that could result in denial of service

CVE-2018-7550

Incorrect handling of memory during multiboot that could may result in execution of arbitrary code

For Debian 8 'Jessie', these problems have been fixed in version 1:2.1+dfsg-12+deb8u7.

We recommend that you upgrade your qemu packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for kvm fixes several issues. These security issues were fixed :

  - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the     bitblit copy routine cirrus_bitblt_cputovideo failed to     check the memory region, allowing for an out-of-bounds     write that allows for privilege escalation (bsc#1024972)

  - CVE-2017-2615: An error in the bitblt copy operation     could have allowed a malicious guest administrator to     cause an out of bounds memory access, possibly leading     to information disclosure or privilege escalation     (bsc#1023004)

  - CVE-2016-9776: The ColdFire Fast Ethernet Controller     emulator support was vulnerable to an infinite loop     issue while receiving packets in 'mcf_fec_receive'. A     privileged user/process inside guest could have used     this issue to crash the Qemu process on the host leading     to DoS (bsc#1013285)

  - CVE-2016-9911: The USB EHCI Emulation support was     vulnerable to a memory leakage issue while processing     packet data in 'ehci_init_transfer'. A guest     user/process could have used this issue to leak host     memory, resulting in DoS for the host (bsc#1014111)

  - CVE-2016-9907: The USB redirector usb-guest support was     vulnerable to a memory leakage flaw when destroying the     USB redirector in 'usbredir_handle_destroy'. A guest     user/process could have used this issue to leak host     memory, resulting in DoS for a host (bsc#1014109)

  - CVE-2016-9921: The Cirrus CLGD 54xx VGA Emulator support     was vulnerable to a divide by zero issue while copying     VGA data. A privileged user inside guest could have used     this flaw to crash the process instance on the host,     resulting in DoS (bsc#1014702)

  - CVE-2016-9922: The Cirrus CLGD 54xx VGA Emulator support     was vulnerable to a divide by zero issue while copying     VGA data. A privileged user inside guest could have used     this flaw to crash the process instance on the host,     resulting in DoS (bsc#1014702)

  - CVE-2017-5898: The CCID Card device emulator support was     vulnerable to an integer overflow allowing a privileged     user inside the guest to crash the Qemu process     resulting in DoS (bnc#1023907)

  - CVE-2016-10155: The virtual hardware watchdog     'wdt_i6300esb' was vulnerable to a memory leakage issue     allowing a privileged user to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1021129)

  - CVE-2017-5856: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a memory leakage     issue allowing a privileged user to leak host memory     resulting in DoS (bsc#1023053)

  - CVE-2016-9602: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper link following issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1020427)

  - CVE-2016-9603: A privileged user within the guest VM     could have caused a heap overflow in the device model     process, potentially escalating their privileges to that     of the device model process (bsc#1028656)

  - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which     allowed remote attackers to cause a denial of service     (daemon crash) by disconnecting during a     server-to-client reply attempt (bsc#1046636)

  - CVE-2017-10806: Stack-based buffer overflow allowed     local guest OS users to cause a denial of service (QEMU     process crash) via vectors related to logging debug     messages (bsc#1047674)

  - CVE-2017-11334: The address_space_write_continue     function allowed local guest OS privileged users to     cause a denial of service (out-of-bounds access and     guest instance crash) by leveraging use of     qemu_map_ram_ptr to access guest ram block area     (bsc#1048902)

  - CVE-2017-11434: The dhcp_decode function in     slirp/bootp.c allowed local guest OS users to cause a     denial of service (out-of-bounds read) via a crafted     DHCP options string (bsc#1049381)

  - CVE-2017-13672: The VGA display emulator support allowed     local guest OS privileged users to cause a denial of     service (out-of-bounds read and QEMU process crash) via     vectors involving display update (bsc#1056334)

  - CVE-2017-14167: Integer overflow in the load_multiboot     function allowed local guest OS users to execute     arbitrary code on the host via crafted multiboot header     address values, which trigger an out-of-bounds write     (bsc#1057585)

  - CVE-2017-15038: Race condition in the v9fs_xattrwalk     function local guest OS users to obtain sensitive     information from host heap memory via vectors related to     reading extended attributes (bsc#1062069)

  - CVE-2017-15289: The mode4and5 write functions allowed     local OS guest privileged users to cause a denial of     service (out-of-bounds write access and Qemu process     crash) via vectors related to dst calculation     (bsc#1063122)

  - CVE-2017-5579: The 16550A UART serial device emulation     support was vulnerable to a memory leakage issue     allowing a privileged user to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1021741)

  - CVE-2017-5973: A infinite loop while doing control     transfer in xhci_kick_epctx allowed privileged user     inside the guest to crash the host process resulting in     DoS (bsc#1025109)

  - CVE-2017-6505: The ohci_service_ed_list function allowed     local guest OS users to cause a denial of service     (infinite loop) via vectors involving the number of link     endpoint list descriptors (bsc#1028184)

  - CVE-2017-7471: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper access control issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1034866)

  - CVE-2017-7493: The VirtFS, host directory sharing via     Plan 9 File System(9pfs) support, was vulnerable to an     improper access control issue. It could occur while     accessing virtfs metadata files in mapped-file security     mode. A guest user could have used this flaw to escalate     their privileges inside guest (bsc#1039495)

  - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local     guest OS privileged users to cause a denial of service     (out-of-bounds read and QEMU process crash) via vectors     related to copying VGA data via the     cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_     functions (bsc#1034908)

  - CVE-2017-7980: An out-of-bounds r/w access issues in the     Cirrus CLGD 54xx VGA Emulator support allowed privileged     user inside guest to use this flaw to crash the Qemu     process resulting in DoS or potentially execute     arbitrary code on a host with privileges of Qemu process     on the host (bsc#1035406)

  - CVE-2017-8086: A memory leak in the v9fs_list_xattr     function in hw/9pfs/9p-xattr.c allowed local guest OS     privileged users to cause a denial of service (memory     consumption) via vectors involving the orig_value     variable (bsc#1035950)

  - CVE-2017-8309: Memory leak in the audio/audio.c allowed     remote attackers to cause a denial of service (memory     consumption) by repeatedly starting and stopping audio     capture (bsc#1037242)

  - CVE-2017-9330: USB OHCI Emulation in qemu allowed local     guest OS users to cause a denial of service (infinite     loop) by leveraging an incorrect return value     (bsc#1042159)

  - CVE-2017-9373: The IDE AHCI Emulation support was     vulnerable to a host memory leakage issue, which allowed     a privileged user inside guest to leak host memory     resulting in DoS (bsc#1042801)

  - CVE-2017-9375: The USB xHCI controller emulator support     was vulnerable to an infinite recursive call loop issue,     which allowed a privileged user inside guest to crash     the Qemu process resulting in DoS (bsc#1042800)

  - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a NULL pointer     dereference issue which allowed a privileged user inside     guest to crash the Qemu process on the host resulting in     DoS (bsc#1043296)

  - Fix privilege escalation in TCG mode (bsc#1030624)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes several issues.

These security issues were fixed :

  - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the     bitblit copy routine cirrus_bitblt_cputovideo failed to     check the memory region, allowing for an out-of-bounds     write that allows for privilege escalation (bsc#1024972)

  - CVE-2017-2615: An error in the bitblt copy operation     could have allowed a malicious guest administrator to     cause an out of bounds memory access, possibly leading     to information disclosure or privilege escalation     (bsc#1023004)

  - CVE-2017-5856: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a memory leakage     issue allowing a privileged user to leak host memory     resulting in DoS (bsc#1023053)

  - CVE-2016-9776: The ColdFire Fast Ethernet Controller     emulator support was vulnerable to an infinite loop     issue while receiving packets in 'mcf_fec_receive'. A     privileged user/process inside guest could have used     this issue to crash the Qemu process on the host leading     to DoS (bsc#1013285)

  - CVE-2016-9911: The USB EHCI Emulation support was     vulnerable to a memory leakage issue while processing     packet data in 'ehci_init_transfer'. A guest     user/process could have used this issue to leak host     memory, resulting in DoS for the host (bsc#1014111)

  - CVE-2016-9907: The USB redirector usb-guest support was     vulnerable to a memory leakage flaw when destroying the     USB redirector in 'usbredir_handle_destroy'. A guest     user/process could have used this issue to leak host     memory, resulting in DoS for a host (bsc#1014109)

  - CVE-2016-9921: The Cirrus CLGD 54xx VGA Emulator support     was vulnerable to a divide by zero issue while copying     VGA data. A privileged user inside guest could have used     this flaw to crash the process instance on the host,     resulting in DoS (bsc#1014702)

  - CVE-2016-9922: The Cirrus CLGD 54xx VGA Emulator support     was vulnerable to a divide by zero issue while copying     VGA data. A privileged user inside guest could have used     this flaw to crash the process instance on the host,     resulting in DoS (bsc#1014702)

  - CVE-2016-10155: The virtual hardware watchdog     'wdt_i6300esb' was vulnerable to a memory leakage issue     allowing a privileged user to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1021129)

  - CVE-2017-5526: The ES1370 audio device emulation support     was vulnerable to a memory leakage issue allowing a     privileged user inside the guest to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1020589)

  - CVE-2017-5525: The ac97 audio device emulation support     was vulnerable to a memory leakage issue allowing a     privileged user inside the guest to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1020491)

  - CVE-2017-5667: The SDHCI device emulation support was     vulnerable to an OOB heap access issue allowing a     privileged user inside the guest to crash the Qemu     process resulting in DoS or potentially execute     arbitrary code with privileges of the Qemu process on     the host (bsc#1022541)

  - CVE-2017-5898: The CCID Card device emulator support was     vulnerable to an integer overflow allowing a privileged     user inside the guest to crash the Qemu process     resulting in DoS (bnc#1023907)

These non-security issues were fixed :

  - Fix post script for qemu-guest-agent rpm to actually     activate the guest agent at rpm install time

  - Fixed various inaccuracies in cirrus vga device     emulation

  - Fixed cause of infrequent migration failures from bad     virtio device state (bsc#1020928)

  - Fixed virtio interface failure (bsc#1015048)

  - Fixed graphical update errors introduced by previous     security fix (bsc#1016779)

  - Fixed uint64 property parsing and add regression tests     (bsc#937125)

This update was imported from the SUSE:SLE-12-SP1:Update update project.

This update for qemu fixes several issues. These security issues were fixed :

  - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the     bitblit copy routine cirrus_bitblt_cputovideo failed to     check the memory region, allowing for an out-of-bounds     write that allows for privilege escalation (bsc#1024972)

  - CVE-2017-2615: An error in the bitblt copy operation     could have allowed a malicious guest administrator to     cause an out of bounds memory access, possibly leading     to information disclosure or privilege escalation     (bsc#1023004)

  - CVE-2017-5856: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a memory leakage     issue allowing a privileged user to leak host memory     resulting in DoS (bsc#1023053)

  - CVE-2016-9776: The ColdFire Fast Ethernet Controller     emulator support was vulnerable to an infinite loop     issue while receiving packets in 'mcf_fec_receive'. A     privileged user/process inside guest could have used     this issue to crash the Qemu process on the host leading     to DoS (bsc#1013285)

  - CVE-2016-9911: The USB EHCI Emulation support was     vulnerable to a memory leakage issue while processing     packet data in 'ehci_init_transfer'. A guest     user/process could have used this issue to leak host     memory, resulting in DoS for the host (bsc#1014111)

  - CVE-2016-9907: The USB redirector usb-guest support was     vulnerable to a memory leakage flaw when destroying the     USB redirector in 'usbredir_handle_destroy'. A guest     user/process could have used this issue to leak host     memory, resulting in DoS for a host (bsc#1014109)

  - CVE-2016-9921: The Cirrus CLGD 54xx VGA Emulator support     was vulnerable to a divide by zero issue while copying     VGA data. A privileged user inside guest could have used     this flaw to crash the process instance on the host,     resulting in DoS (bsc#1014702)

  - CVE-2016-9922: The Cirrus CLGD 54xx VGA Emulator support     was vulnerable to a divide by zero issue while copying     VGA data. A privileged user inside guest could have used     this flaw to crash the process instance on the host,     resulting in DoS (bsc#1014702)

  - CVE-2016-10155: The virtual hardware watchdog     'wdt_i6300esb' was vulnerable to a memory leakage issue     allowing a privileged user to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1021129)

  - CVE-2017-5526: The ES1370 audio device emulation support     was vulnerable to a memory leakage issue allowing a     privileged user inside the guest to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1020589)

  - CVE-2017-5525: The ac97 audio device emulation support     was vulnerable to a memory leakage issue allowing a     privileged user inside the guest to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1020491)

  - CVE-2017-5667: The SDHCI device emulation support was     vulnerable to an OOB heap access issue allowing a     privileged user inside the guest to crash the Qemu     process resulting in DoS or potentially execute     arbitrary code with privileges of the Qemu process on     the host (bsc#1022541)

  - CVE-2017-5898: The CCID Card device emulator support was     vulnerable to an integer overflow allowing a privileged     user inside the guest to crash the Qemu process     resulting in DoS (bnc#1023907)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for kvm fixes several issues. These security issues were fixed :

  - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the     bitblit copy routine cirrus_bitblt_cputovideo failed to     check the memory region, allowing for an out-of-bounds     write that allows for privilege escalation (bsc#1024972)

  - CVE-2017-2615: An error in the bitblt copy operation     could have allowed a malicious guest administrator to     cause an out of bounds memory access, possibly leading     to information disclosure or privilege escalation     (bsc#1023004)

  - CVE-2016-9776: The ColdFire Fast Ethernet Controller     emulator support was vulnerable to an infinite loop     issue while receiving packets in 'mcf_fec_receive'. A     privileged user/process inside guest could have used     this issue to crash the Qemu process on the host leading     to DoS (bsc#1013285)

  - CVE-2016-9911: The USB EHCI Emulation support was     vulnerable to a memory leakage issue while processing     packet data in 'ehci_init_transfer'. A guest     user/process could have used this issue to leak host     memory, resulting in DoS for the host (bsc#1014111)

  - CVE-2016-9907: The USB redirector usb-guest support was     vulnerable to a memory leakage flaw when destroying the     USB redirector in 'usbredir_handle_destroy'. A guest     user/process could have used this issue to leak host     memory, resulting in DoS for a host (bsc#1014109)

  - CVE-2016-9921: The Cirrus CLGD 54xx VGA Emulator support     was vulnerable to a divide by zero issue while copying     VGA data. A privileged user inside guest could have used     this flaw to crash the process instance on the host,     resulting in DoS (bsc#1014702)

  - CVE-2016-9922: The Cirrus CLGD 54xx VGA Emulator support     was vulnerable to a divide by zero issue while copying     VGA data. A privileged user inside guest could have used     this flaw to crash the process instance on the host,     resulting in DoS (bsc#1014702)

  - CVE-2017-5898: The CCID Card device emulator support was     vulnerable to an integer overflow allowing a privileged     user inside the guest to crash the Qemu process     resulting in DoS (bnc#1023907)

  - CVE-2016-10155: The virtual hardware watchdog     'wdt_i6300esb' was vulnerable to a memory leakage issue     allowing a privileged user to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1021129)

  - CVE-2017-5856: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a memory leakage     issue allowing a privileged user to leak host memory     resulting in DoS (bsc#1023053)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Zhenhao Hong discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-10028, CVE-2016-10029)

Li Qiang discovered that QEMU incorrectly handled the 6300esb watchdog. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2016-10155)

Li Qiang discovered that QEMU incorrectly handled the i.MX Fast Ethernet Controller. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10.
(CVE-2016-7907)

It was discovered that QEMU incorrectly handled the JAZZ RC4030 device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-8667)

It was discovered that QEMU incorrectly handled the 16550A UART device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-8669)

It was discovered that QEMU incorrectly handled the shared rings when used with Xen. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. (CVE-2016-9381)

Jann Horn discovered that QEMU incorrectly handled VirtFS directory sharing. A privileged attacker inside the guest could use this issue to access files on the host file system outside of the shared directory and possibly escalate their privileges. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2016-9602)

Gerd Hoffmann discovered that QEMU incorrectly handled the Cirrus VGA device when being used with a VNC connection. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile.
(CVE-2016-9603)

It was discovered that QEMU incorrectly handled the ColdFire Fast Ethernet Controller. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2016-9776)

Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to leak contents of host memory. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9845, CVE-2016-9908)

Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9846, CVE-2016-9912, CVE-2017-5552, CVE-2017-5578, CVE-2017-5857)

Li Qiang discovered that QEMU incorrectly handled the USB redirector.
An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9907)

Li Qiang discovered that QEMU incorrectly handled USB EHCI emulation.
An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-9911)

Li Qiang discovered that QEMU incorrectly handled VirtFS directory sharing. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2016-9913, CVE-2016-9914, CVE-2016-9915, CVE-2016-9916)

Qinghao Tang, Li Qiang, and Jiangxin discovered that QEMU incorrectly handled the Cirrus VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-9921, CVE-2016-9922)

Wjjzhang and Li Qiang discovered that QEMU incorrectly handled the Cirrus VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2017-2615)

It was discovered that QEMU incorrectly handled the Cirrus VGA device.
A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2017-2620)

It was discovered that QEMU incorrectly handled VNC connections. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-2633)

Li Qiang discovered that QEMU incorrectly handled the ac97 audio device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5525)

Li Qiang discovered that QEMU incorrectly handled the es1370 audio device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5526)

Li Qiang discovered that QEMU incorrectly handled the 16550A UART device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5579)

Jiang Xin discovered that QEMU incorrectly handled SDHCI device emulation. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2017-5667)

Li Qiang discovered that QEMU incorrectly handled the MegaRAID SAS device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5856)

Li Qiang discovered that QEMU incorrectly handled the CCID Card device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5898)

Li Qiang discovered that QEMU incorrectly handled USB xHCI controller emulation. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2017-5973)

Jiang Xin and Wjjzhang discovered that QEMU incorrectly handled SDHCI device emulation. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2017-5987)

Li Qiang discovered that QEMU incorrectly handled USB OHCI controller emulation. A privileged attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service.
(CVE-2017-6505).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- CVE-2017-5525: audio: memory leakage in ac97 (bz     #1414110)

  - CVE-2017-5526: audio: memory leakage in es1370 (bz     #1414210)

  - CVE-2016-10155 watchdog: memory leakage in i6300esb (bz     #1415200)

  - CVE-2017-5552: virtio-gpu-3d: memory leakage (bz     #1415283)

  - CVE-2017-5667: sd: sdhci OOB access during multi block     transfer (bz #1417560)

  - CVE-2017-5857: virtio-gpu-3d: host memory leakage in     virgl_cmd_resource_unref (bz #1418383)

  - CVE-2017-5856: scsi: megasas: memory leakage (bz     #1418344)

  - CVE-2017-5898: usb: integer overflow in     emulated_apdu_from_guest (bz #1419700)

  - CVE-2017-5987: sd: infinite loop issue in multi block     transfers (bz #1422001)

  - CVE-2017-6505: usb: an infinite loop issue in     ohci_service_ed_list (bz #1429434)

  - CVE-2017-2615: cirrus: oob access while doing bitblt     copy backward (bz #1418206)

  - CVE-2017-2620: cirrus: potential arbitrary code     execution (bz #1425419)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- CVE-2016-7907: net: imx: infinite loop (bz #1381182)

  - CVE-2017-5525: audio: memory leakage in ac97 (bz     #1414110)

  - CVE-2017-5526: audio: memory leakage in es1370 (bz     #1414210)

  - CVE-2016-10155 watchdog: memory leakage in i6300esb (bz     #1415200)

  - CVE-2017-5552: virtio-gpu-3d: memory leakage (bz     #1415283)

  - CVE-2017-5578: virtio-gpu: memory leakage (bz #1415797)

  - CVE-2017-5667: sd: sdhci OOB access during multi block     transfer (bz #1417560)

  - CVE-2017-5856: scsi: megasas: memory leakage (bz     #1418344)

  - CVE-2017-5857: virtio-gpu-3d: host memory leakage in     virgl_cmd_resource_unref (bz #1418383)

  - CVE-2017-5898: usb: integer overflow in     emulated_apdu_from_guest (bz #1419700)

  - CVE-2017-5987: sd: infinite loop issue in multi block     transfers (bz #1422001)

  - CVE-2017-6058: vmxnet3: OOB access when doing vlan     stripping (bz #1423359)

  - CVE-2017-6505: usb: an infinite loop issue in     ohci_service_ed_list (bz #1429434)

  - CVE-2017-2615: cirrus: oob access while doing bitblt     copy backward (bz #1418206)

  - CVE-2017-2620: cirrus: potential arbitrary code     execution (bz #1425419)

  - Fix spice GL with new mesa/libglvnd (bz #1431905)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes several issues.

These security issues were fixed :

  - CVE-2017-5898: The CCID Card device emulator support was     vulnerable to an integer overflow flaw allowing a     privileged user to crash the Qemu process on the host     resulting in DoS (bsc#1023907).

  - CVE-2017-5857: The Virtio GPU Device emulator support     was vulnerable to a host memory leakage issue allowing a     guest user to leak host memory resulting in DoS     (bsc#1023073).

  - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the     bitblit copy routine cirrus_bitblt_cputovideo failed to     check the memory region, allowing for an out-of-bounds     write that allows for privilege escalation (bsc#1024972)

  - CVE-2017-2615: An error in the bitblt copy operation     could have allowed a malicious guest administrator to     cause an out of bounds memory access, possibly leading     to information disclosure or privilege escalation     (bsc#1023004)

  - CVE-2017-5856: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a memory leakage     issue allowing a privileged user to leak host memory     resulting in DoS (bsc#1023053)

  - CVE-2016-9921: The Cirrus CLGD 54xx VGA Emulator support     was vulnerable to a divide by zero issue while copying     VGA data. A privileged user inside guest could have used     this flaw to crash the process instance on the host,     resulting in DoS (bsc#1014702)

  - CVE-2016-9922: The Cirrus CLGD 54xx VGA Emulator support     was vulnerable to a divide by zero issue while copying     VGA data. A privileged user inside guest could have used     this flaw to crash the process instance on the host,     resulting in DoS (bsc#1014702)

  - CVE-2016-10029: The Virtio GPU Device emulator support     was vulnerable to an OOB read issue allowing a guest     user to crash the Qemu process instance resulting in Dos     (bsc#1017081).

  - CVE-2016-10028: The Virtio GPU Device emulator support     was vulnerable to an out of bounds memory access issue     allowing a guest user to crash the Qemu process instance     on a host, resulting in DoS (bsc#1017084).

  - CVE-2016-10155: The virtual hardware watchdog     'wdt_i6300esb' was vulnerable to a memory leakage issue     allowing a privileged user to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1021129)

  - CVE-2017-5552: The Virtio GPU Device emulator support     was vulnerable to a memory leakage issue allowing a     guest user to leak host memory resulting in DoS     (bsc#1021195).

  - CVE-2017-5578: The Virtio GPU Device emulator support     was vulnerable to a memory leakage issue allowing a     guest user to leak host memory resulting in DoS     (bsc#1021481).

  - CVE-2017-5526: The ES1370 audio device emulation support     was vulnerable to a memory leakage issue allowing a     privileged user inside the guest to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1020589).

  - CVE-2017-5525: The ac97 audio device emulation support     was vulnerable to a memory leakage issue allowing a     privileged user inside the guest to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1020491).

  - CVE-2017-5667: The SDHCI device emulation support was     vulnerable to an OOB heap access issue allowing a     privileged user inside the guest to crash the Qemu     process resulting in DoS or potentially execute     arbitrary code with privileges of the Qemu process on     the host (bsc#1022541).

  - CVE-2017-5898: The CCID Card device emulator support was     vulnerable to an integer overflow allowing a privileged     user inside the guest to crash the Qemu process     resulting in DoS (bnc#1023907)

These non-security issues were fixed :

  - Fix name of s390x specific sysctl configuration file to     end with .conf (bsc#1026583)

  - XHCI fixes (bsc#977027)

  - Fixed rare race during s390x guest reboot

  - Fixed various inaccuracies in cirrus vga device     emulation

  - Fixed cause of infrequent migration failures from bad     virtio device state (bsc#1020928)

  - Fixed graphical update errors introduced by previous     security fix (bsc#1016779)

This update was imported from the SUSE:SLE-12-SP2:Update update project.

This update for qemu fixes several issues. These security issues were fixed :

  - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the     bitblit copy routine cirrus_bitblt_cputovideo failed to     check the memory region, allowing for an out-of-bounds     write that allows for privilege escalation (bsc#1024972)

  - CVE-2017-2615: An error in the bitblt copy operation     could have allowed a malicious guest administrator to     cause an out of bounds memory access, possibly leading     to information disclosure or privilege escalation     (bsc#1023004)

  - CVE-2017-5856: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a memory leakage     issue allowing a privileged user to leak host memory     resulting in DoS (bsc#1023053)

  - CVE-2016-9776: The ColdFire Fast Ethernet Controller     emulator support was vulnerable to an infinite loop     issue while receiving packets in 'mcf_fec_receive'. A     privileged user/process inside guest could have used     this issue to crash the Qemu process on the host leading     to DoS (bsc#1013285)

  - CVE-2016-9911: The USB EHCI Emulation support was     vulnerable to a memory leakage issue while processing     packet data in 'ehci_init_transfer'. A guest     user/process could have used this issue to leak host     memory, resulting in DoS for the host (bsc#1014111)

  - CVE-2016-9907: The USB redirector usb-guest support was     vulnerable to a memory leakage flaw when destroying the     USB redirector in 'usbredir_handle_destroy'. A guest     user/process could have used this issue to leak host     memory, resulting in DoS for a host (bsc#1014109)

  - CVE-2016-9921: The Cirrus CLGD 54xx VGA Emulator support     was vulnerable to a divide by zero issue while copying     VGA data. A privileged user inside guest could have used     this flaw to crash the process instance on the host,     resulting in DoS (bsc#1014702)

  - CVE-2016-9922: The Cirrus CLGD 54xx VGA Emulator support     was vulnerable to a divide by zero issue while copying     VGA data. A privileged user inside guest could have used     this flaw to crash the process instance on the host,     resulting in DoS (bsc#1014702)

  - CVE-2017-5667: The SDHCI device emulation support was     vulnerable to an OOB heap access issue allowing a     privileged user inside the guest to crash the Qemu     process resulting in DoS or potentially execute     arbitrary code with privileges of the Qemu process on     the host (bsc#1022541)

  - CVE-2017-5898: The CCID Card device emulator support was     vulnerable to an integer overflow allowing a privileged     user inside the guest to crash the Qemu process     resulting in DoS (bnc#1023907)

  - CVE-2016-10155: The i6300esb watchdog emulation support     was vulnerable to a memory leakage issue allowing a     privileged user inside the guest to leak memory on the     host resulting in DoS (bnc#1021129)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues. These security issues were fixed :

  - CVE-2017-5973: A infinite loop while doing control     transfer in xhci_kick_epctx allowed privileged user     inside the guest to crash the host process resulting in     DoS (bsc#1025188)

  - CVE-2016-10155: The virtual hardware watchdog     'wdt_i6300esb' was vulnerable to a memory leakage issue     allowing a privileged user to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1024183)

  - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the     bitblit copy routine cirrus_bitblt_cputovideo failed to     check the memory region, allowing for an out-of-bounds     write that allows for privilege escalation (bsc#1024834)

  - CVE-2017-5856: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a memory leakage     issue allowing a privileged user to leak host memory     resulting in DoS (bsc#1024186)

  - CVE-2017-5898: The CCID Card device emulator support was     vulnerable to an integer overflow flaw allowing a     privileged user to crash the Qemu process on the host     resulting in DoS (bsc#1024307)

  - CVE-2017-2615: An error in the bitblt copy operation     could have allowed a malicious guest administrator to     cause an out of bounds memory access, possibly leading     to information disclosure or privilege escalation     (bsc#1023004)

  - CVE-2014-8106: A heap-based buffer overflow in the     Cirrus VGA emulator allowed local guest users to execute     arbitrary code via vectors related to blit regions     (bsc#907805)

  - CVE-2017-5579: The 16550A UART serial device emulation     support was vulnerable to a memory leakage issue     allowing a privileged user to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1022627)

  - CVE-2016-9907: The USB redirector usb-guest support was     vulnerable to a memory leakage flaw when destroying the     USB redirector in 'usbredir_handle_destroy'. A guest     user/process could have used this issue to leak host     memory, resulting in DoS for a host (bsc#1014490)

  - CVE-2016-9911: The USB EHCI Emulation support was     vulnerable to a memory leakage issue while processing     packet data in 'ehci_init_transfer'. A guest     user/process could have used this issue to leak host     memory, resulting in DoS for the host (bsc#1014507)

  - CVE-2016-9921: The Cirrus CLGD 54xx VGA Emulator support     was vulnerable to a divide by zero issue while copying     VGA data. A privileged user inside guest could have used     this flaw to crash the process instance on the host,     resulting in DoS (bsc#1015169)

  - CVE-2016-9922: The Cirrus CLGD 54xx VGA Emulator support     was vulnerable to a divide by zero issue while copying     VGA data. A privileged user inside guest could have used     this flaw to crash the process instance on the host,     resulting in DoS (bsc#1015169)

  - CVE-2016-9101: A memory leak in hw/net/eepro100.c     allowed local guest OS administrators to cause a denial     of service (memory consumption and QEMU process crash)     by repeatedly unplugging an i8255x (PRO100) NIC device     (bsc#1013668)

  - CVE-2016-9776: The ColdFire Fast Ethernet Controller     emulator support was vulnerable to an infinite loop     issue while receiving packets in 'mcf_fec_receive'. A     privileged user/process inside guest could have used     this issue to crash the Qemu process on the host leading     to DoS (bsc#1013657)

  - A malicious guest could have, by frequently rebooting     over extended periods of time, run the host system out     of memory, resulting in a Denial of Service (DoS)     (bsc#1022871)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes several issues. These security issues were fixed :

  - CVE-2017-5898: The CCID Card device emulator support was     vulnerable to an integer overflow flaw allowing a     privileged user to crash the Qemu process on the host     resulting in DoS (bsc#1023907).

  - CVE-2017-5857: The Virtio GPU Device emulator support     was vulnerable to a host memory leakage issue allowing a     guest user to leak host memory resulting in DoS     (bsc#1023073).

  - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the     bitblit copy routine cirrus_bitblt_cputovideo failed to     check the memory region, allowing for an out-of-bounds     write that allows for privilege escalation (bsc#1024972)

  - CVE-2017-2615: An error in the bitblt copy operation     could have allowed a malicious guest administrator to     cause an out of bounds memory access, possibly leading     to information disclosure or privilege escalation     (bsc#1023004)

  - CVE-2017-5856: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a memory leakage     issue allowing a privileged user to leak host memory     resulting in DoS (bsc#1023053)

  - CVE-2016-9921: The Cirrus CLGD 54xx VGA Emulator support     was vulnerable to a divide by zero issue while copying     VGA data. A privileged user inside guest could have used     this flaw to crash the process instance on the host,     resulting in DoS (bsc#1014702)

  - CVE-2016-9922: The Cirrus CLGD 54xx VGA Emulator support     was vulnerable to a divide by zero issue while copying     VGA data. A privileged user inside guest could have used     this flaw to crash the process instance on the host,     resulting in DoS (bsc#1014702)

  - CVE-2016-10029: The Virtio GPU Device emulator support     was vulnerable to an OOB read issue allowing a guest     user to crash the Qemu process instance resulting in Dos     (bsc#1017081).

  - CVE-2016-10028: The Virtio GPU Device emulator support     was vulnerable to an out of bounds memory access issue     allowing a guest user to crash the Qemu process instance     on a host, resulting in DoS (bsc#1017084).

  - CVE-2016-10155: The virtual hardware watchdog     'wdt_i6300esb' was vulnerable to a memory leakage issue     allowing a privileged user to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1021129)

  - CVE-2017-5552: The Virtio GPU Device emulator support     was vulnerable to a memory leakage issue allowing a     guest user to leak host memory resulting in DoS     (bsc#1021195).

  - CVE-2017-5578: The Virtio GPU Device emulator support     was vulnerable to a memory leakage issue allowing a     guest user to leak host memory resulting in DoS     (bsc#1021481).

  - CVE-2017-5526: The ES1370 audio device emulation support     was vulnerable to a memory leakage issue allowing a     privileged user inside the guest to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1020589).

  - CVE-2017-5525: The ac97 audio device emulation support     was vulnerable to a memory leakage issue allowing a     privileged user inside the guest to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1020491).

  - CVE-2017-5667: The SDHCI device emulation support was     vulnerable to an OOB heap access issue allowing a     privileged user inside the guest to crash the Qemu     process resulting in DoS or potentially execute     arbitrary code with privileges of the Qemu process on     the host (bsc#1022541).

  - CVE-2017-5898: The CCID Card device emulator support was     vulnerable to an integer overflow allowing a privileged     user inside the guest to crash the Qemu process     resulting in DoS (bnc#1023907)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues. These security issues were fixed :

  - CVE-2017-5973: A infinite loop while doing control     transfer in xhci_kick_epctx allowed privileged user     inside the guest to crash the host process resulting in     DoS (bsc#1025188)

  - CVE-2016-10155: The virtual hardware watchdog     'wdt_i6300esb' was vulnerable to a memory leakage issue     allowing a privileged user to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1024183)

  - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the     bitblit copy routine cirrus_bitblt_cputovideo failed to     check the memory region, allowing for an out-of-bounds     write that allows for privilege escalation (bsc#1024834)

  - CVE-2017-5856: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a memory leakage     issue allowing a privileged user to leak host memory     resulting in DoS (bsc#1024186)

  - CVE-2017-5898: The CCID Card device emulator support was     vulnerable to an integer overflow flaw allowing a     privileged user to crash the Qemu process on the host     resulting in DoS (bsc#1024307)

  - CVE-2017-2615: An error in the bitblt copy operation     could have allowed a malicious guest administrator to     cause an out of bounds memory access, possibly leading     to information disclosure or privilege escalation     (bsc#1023004)

  - CVE-2014-8106: A heap-based buffer overflow in the     Cirrus VGA emulator allowed local guest users to execute     arbitrary code via vectors related to blit regions     (bsc#907805).

  - A malicious guest could have, by frequently rebooting     over extended periods of time, run the host system out     of memory, resulting in a Denial of Service (DoS)     (bsc#1022871)

  - CVE-2017-5579: The 16550A UART serial device emulation     support was vulnerable to a memory leakage issue     allowing a privileged user to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1022627)

  - CVE-2016-9907: The USB redirector usb-guest support was     vulnerable to a memory leakage flaw when destroying the     USB redirector in 'usbredir_handle_destroy'. A guest     user/process could have used this issue to leak host     memory, resulting in DoS for a host (bsc#1014490)

  - CVE-2016-9911: The USB EHCI Emulation support was     vulnerable to a memory leakage issue while processing     packet data in 'ehci_init_transfer'. A guest     user/process could have used this issue to leak host     memory, resulting in DoS for the host (bsc#1014507)

  - CVE-2016-9921: The Cirrus CLGD 54xx VGA Emulator support     was vulnerable to a divide by zero issue while copying     VGA data. A privileged user inside guest could have used     this flaw to crash the process instance on the host,     resulting in DoS (bsc#1015169)

  - CVE-2016-9922: The Cirrus CLGD 54xx VGA Emulator support     was vulnerable to a divide by zero issue while copying     VGA data. A privileged user inside guest could have used     this flaw to crash the process instance on the host,     resulting in DoS (bsc#1015169)

  - CVE-2016-9101: A memory leak in hw/net/eepro100.c     allowed local guest OS administrators to cause a denial     of service (memory consumption and QEMU process crash)     by repeatedly unplugging an i8255x (PRO100) NIC device     (bsc#1013668)

  - CVE-2016-9776: The ColdFire Fast Ethernet Controller     emulator support was vulnerable to an infinite loop     issue while receiving packets in 'mcf_fec_receive'. A     privileged user/process inside guest could have used     this issue to crash the Qemu process on the host leading     to DoS (bsc#1013657)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues. These security issues were fixed :

  - CVE-2017-5973: A infinite loop while doing control     transfer in xhci_kick_epctx allowed privileged user     inside the guest to crash the host process resulting in     DoS (bsc#1025188).

  - CVE-2016-10155: The virtual hardware watchdog     'wdt_i6300esb' was vulnerable to a memory leakage issue     allowing a privileged user to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1024183).

  - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the     bitblit copy routine cirrus_bitblt_cputovideo failed to     check the memory region, allowing for an out-of-bounds     write that allows for privilege escalation (bsc#1024834)

  - CVE-2017-5856: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a memory leakage     issue allowing a privileged user to leak host memory     resulting in DoS (bsc#1024186).

  - CVE-2017-5898: The CCID Card device emulator support was     vulnerable to an integer overflow flaw allowing a     privileged user to crash the Qemu process on the host     resulting in DoS (bsc#1024307).

  - CVE-2017-2615: An error in the bitblt copy operation     could have allowed a malicious guest administrator to     cause an out of bounds memory access, possibly leading     to information disclosure or privilege escalation     (bsc#1023004)

  - A malicious guest could have, by frequently rebooting     over extended periods of time, run the host system out     of memory, resulting in a Denial of Service (DoS)     (bsc#1022871)

  - CVE-2017-5579: The 16550A UART serial device emulation     support was vulnerable to a memory leakage issue     allowing a privileged user to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1022627).

  - CVE-2016-9907: The USB redirector usb-guest support was     vulnerable to a memory leakage flaw when destroying the     USB redirector in 'usbredir_handle_destroy'. A guest     user/process could have used this issue to leak host     memory, resulting in DoS for a host (bsc#1014490)

  - CVE-2016-9911: The USB EHCI Emulation support was     vulnerable to a memory leakage issue while processing     packet data in 'ehci_init_transfer'. A guest     user/process could have used this issue to leak host     memory, resulting in DoS for the host (bsc#1014507)

  - CVE-2016-9921: The Cirrus CLGD 54xx VGA Emulator support     was vulnerable to a divide by zero issue while copying     VGA data. A privileged user inside guest could have used     this flaw to crash the process instance on the host,     resulting in DoS (bsc#1015169)

  - CVE-2016-9922: The Cirrus CLGD 54xx VGA Emulator support     was vulnerable to a divide by zero issue while copying     VGA data. A privileged user inside guest could have used     this flaw to crash the process instance on the host,     resulting in DoS (bsc#1015169)

  - CVE-2016-9101: A memory leak in hw/net/eepro100.c     allowed local guest OS administrators to cause a denial     of service (memory consumption and QEMU process crash)     by repeatedly unplugging an i8255x (PRO100) NIC device     (bsc#1013668).

  - CVE-2016-9776: The ColdFire Fast Ethernet Controller     emulator support was vulnerable to an infinite loop     issue while receiving packets in 'mcf_fec_receive'. A     privileged user/process inside guest could have used     this issue to crash the Qemu process on the host leading     to DoS (bsc#1013657)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201702-28 (QEMU: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in QEMU. Please review the       CVE identifiers referenced below for details.
  Impact :

    A local attacker could potentially execute arbitrary code with       privileges of QEMU process on the host, gain privileges on the host       system, cause a Denial of Service condition, or obtain sensitive       information.
  Workaround :

    There is no known workaround at this time.

ID	Name	Product	Family	Severity
138009	EulerOS Virtualization 3.0.6.0 : qemu-kvm (EulerOS-SA-2020-1790)	Nessus	Huawei Local Security Checks	high
117351	Debian DLA-1497-1 : qemu security update (Spectre)	Nessus	Debian Local Security Checks	high
104780	SUSE SLES11 Security Update : kvm (SUSE-SU-2017:3084-1)	Nessus	SuSE Local Security Checks	high
100232	openSUSE Security Update : qemu (openSUSE-2017-589)	Nessus	SuSE Local Security Checks	high
100149	SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2017:1241-1)	Nessus	SuSE Local Security Checks	high
99758	SUSE SLES11 Security Update : kvm (SUSE-SU-2017:1135-1)	Nessus	SuSE Local Security Checks	high
99581	Ubuntu 14.04 LTS / 16.04 LTS / 16.10 : qemu vulnerabilities (USN-3261-1)	Nessus	Ubuntu Local Security Checks	high
97865	Fedora 24 : 2:qemu (2017-62ac1230f7)	Nessus	Fedora Local Security Checks	high
97804	Fedora 25 : 2:qemu (2017-31b976672b)	Nessus	Fedora Local Security Checks	high
97791	openSUSE Security Update : qemu (openSUSE-2017-349)	Nessus	SuSE Local Security Checks	high
97696	SUSE SLES12 Security Update : qemu (SUSE-SU-2017:0661-1)	Nessus	SuSE Local Security Checks	high
97657	SUSE SLES11 Security Update : xen (SUSE-SU-2017:0647-1)	Nessus	SuSE Local Security Checks	high
97599	SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2017:0625-1)	Nessus	SuSE Local Security Checks	high
97467	SUSE SLES12 Security Update : xen (SUSE-SU-2017:0582-1)	Nessus	SuSE Local Security Checks	high
97432	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2017:0570-1)	Nessus	SuSE Local Security Checks	high
97271	GLSA-201702-28 : QEMU: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high

CVE-2017-5856

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins