http://git.qemu.org/?p=qemu.git;a=commit;h=dd248ed7e204ee8a1873914e02b8b526e8f1b80d

[oss-security] 20170519 CVE-2017-9060 Qemu: virtio-gpu: host memory leakage in Virtio GPU device

98632

https://bugzilla.redhat.com/show_bug.cgi?id=1452597

GLSA-201706-03

USN-3414-1 fixed vulnerabilities in QEMU. The patch backport for CVE-2017-9375 was incomplete and caused a regression in the USB xHCI controller emulation support. This update fixes the problem.

We apologize for the inconvenience.

Leo Gaspard discovered that QEMU incorrectly handled VirtFS access control. A guest attacker could use this issue to elevate privileges inside the guest. (CVE-2017-7493)

Li Qiang discovered that QEMU incorrectly handled VMware PVSCSI emulation. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources or crash, resulting in a denial of service. (CVE-2017-8112)

It was discovered that QEMU incorrectly handled MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly to obtain sensitive host memory. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.04. (CVE-2017-8380)

Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service. This issue only affected Ubuntu 17.04. (CVE-2017-9060)

Li Qiang discovered that QEMU incorrectly handled the e1000e device. A privileged attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service. This issue only affected Ubuntu 17.04.
(CVE-2017-9310)

Li Qiang discovered that QEMU incorrectly handled USB OHCI emulation support. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-9330)

Li Qiang discovered that QEMU incorrectly handled IDE AHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service. (CVE-2017-9373)

Li Qiang discovered that QEMU incorrectly handled USB EHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service. (CVE-2017-9374)

Li Qiang discovered that QEMU incorrectly handled USB xHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service. (CVE-2017-9375)

Zhangyanyu discovered that QEMU incorrectly handled MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-9503)

It was discovered that the QEMU qemu-nbd server incorrectly handled initialization. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. (CVE-2017-9524)

It was discovered that the QEMU qemu-nbd server incorrectly handled signals. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service.
(CVE-2017-10664)

Li Qiang discovered that the QEMU USB redirector incorrectly handled logging debug messages. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-10806)

Anthony Perard discovered that QEMU incorrectly handled Xen block-interface responses. An attacker inside the guest could use this issue to cause QEMU to leak contents of host memory. (CVE-2017-10911)

Reno Robert discovered that QEMU incorrectly handled certain DHCP options strings. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-11434)

Ryan Salsamendi discovered that QEMU incorrectly handled empty CDROM device drives. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.04. (CVE-2017-12809).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Leo Gaspard discovered that QEMU incorrectly handled VirtFS access control. A guest attacker could use this issue to elevate privileges inside the guest. (CVE-2017-7493)

Li Qiang discovered that QEMU incorrectly handled VMware PVSCSI emulation. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources or crash, resulting in a denial of service. (CVE-2017-8112)

It was discovered that QEMU incorrectly handled MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly to obtain sensitive host memory. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.04. (CVE-2017-8380)

Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service.
This issue only affected Ubuntu 17.04. (CVE-2017-9060)

Li Qiang discovered that QEMU incorrectly handled the e1000e device. A privileged attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service. This issue only affected Ubuntu 17.04. (CVE-2017-9310)

Li Qiang discovered that QEMU incorrectly handled USB OHCI emulation support. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-9330)

Li Qiang discovered that QEMU incorrectly handled IDE AHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service. (CVE-2017-9373)

Li Qiang discovered that QEMU incorrectly handled USB EHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service. (CVE-2017-9374)

Li Qiang discovered that QEMU incorrectly handled USB xHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service.
(CVE-2017-9375)

Zhangyanyu discovered that QEMU incorrectly handled MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-9503)

It was discovered that the QEMU qemu-nbd server incorrectly handled initialization. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. (CVE-2017-9524)

It was discovered that the QEMU qemu-nbd server incorrectly handled signals. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. (CVE-2017-10664)

Li Qiang discovered that the QEMU USB redirector incorrectly handled logging debug messages. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2017-10806)

Anthony Perard discovered that QEMU incorrectly handled Xen block-interface responses. An attacker inside the guest could use this issue to cause QEMU to leak contents of host memory. (CVE-2017-10911)

Reno Robert discovered that QEMU incorrectly handled certain DHCP options strings. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2017-11434)

Ryan Salsamendi discovered that QEMU incorrectly handled empty CDROM device drives. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.04.
(CVE-2017-12809).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- CVE-2017-7718: cirrus: OOB read access issue (bz     #1443443)

  - CVE-2016-9603: cirrus: heap buffer overflow via vnc     connection (bz #1432040)

  - CVE-2017-7377: 9pfs: fix file descriptor leak (bz     #1437872)

  - CVE-2017-7980: cirrus: OOB r/w access issues in bitblt     (bz #1444372)

  - CVE-2017-8112: vmw_pvscsi: infinite loop in pvscsi_log2     (bz #1445622)

  - CVE-2017-8309: audio: host memory lekage via capture     buffer (bz #1446520)

  - CVE-2017-8379: input: host memory lekage via keyboard     events (bz #1446560)

  - CVE-2017-8380: scsi: megasas: out-of-bounds read in     megasas_mmio_write (bz #1446578)

  - CVE-2017-9060: virtio-gpu: host memory leakage in Virtio     GPU device (bz #1452598)

  - CVE-2017-9310: net: infinite loop in e1000e NIC     emulation (bz #1452623)

  - CVE-2017-9330: usb: ohci: infinite loop due to incorrect     return value (bz #1457699)

  - CVE-2017-9374: usb: ehci host memory leakage during     hotunplug (bz #1459137)

  - CVE-2017-10806: usb-redirect: stack-based buffer     overflow in debug logging (bz #1468497)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201706-03 (QEMU: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in QEMU. Please review the       CVE identifiers referenced below for details.
  Impact :

    A remote attacker might cause a Denial of Service or gain escalated       privileges from a guest VM.
  Workaround :

    There is no known workaround at this time.

ID	Name	Product	Family	Severity
103372	Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : qemu regression (USN-3414-2)	Nessus	Ubuntu Local Security Checks	high
103217	Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : qemu vulnerabilities (USN-3414-1)	Nessus	Ubuntu Local Security Checks	high
102008	Fedora 25 : 2:qemu (2017-f941184db1)	Nessus	Fedora Local Security Checks	high
100630	GLSA-201706-03 : QEMU: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high

CVE-2017-9060

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins