QEMU (aka Quick Emulator), when built with USB xHCI controller emulator support, allows local guest OS privileged users to cause a denial of service (infinite recursive call) via vectors involving control transfer descriptors sequencing.

Several vulnerabilities were found in QEMU, a fast processor emulator (notably used in KVM and Xen HVM virtualization).

CVE-2016-5126

Heap-based buffer overflow in the iscsi_aio_ioctl function in block/iscsi.c in QEMU allows local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call.

CVE-2016-5403

The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion.

CVE-2017-9375

QEMU, when built with USB xHCI controller emulator support, allows local guest OS privileged users to cause a denial of service (infinite recursive call) via vectors involving control transfer descriptors sequencing.

CVE-2019-12068

QEMU scsi disk backend: lsi: exit infinite loop while executing script

CVE-2019-12155

interface_release_resource in hw/display/qxl.c in QEMU has a NULL pointer dereference.

CVE-2019-13164

qemu-bridge-helper.c in QEMU does not ensure that a network interface name (obtained from bridge.conf or a --br=bridge option) is limited to the IFNAMSIZ size, which can lead to an ACL bypass.

CVE-2019-14378

ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment.

CVE-2019-15890

libslirp 4.0.0, as used in QEMU, has a use-after-free in ip_reass in ip_input.c.

For Debian 8 'Jessie', these problems have been fixed in version 1:2.1+dfsg-12+deb8u12.

We recommend that you upgrade your qemu packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for kvm fixes several issues. These security issues were fixed :

  - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the     bitblit copy routine cirrus_bitblt_cputovideo failed to     check the memory region, allowing for an out-of-bounds     write that allows for privilege escalation (bsc#1024972)

  - CVE-2017-2615: An error in the bitblt copy operation     could have allowed a malicious guest administrator to     cause an out of bounds memory access, possibly leading     to information disclosure or privilege escalation     (bsc#1023004)

  - CVE-2016-9776: The ColdFire Fast Ethernet Controller     emulator support was vulnerable to an infinite loop     issue while receiving packets in 'mcf_fec_receive'. A     privileged user/process inside guest could have used     this issue to crash the Qemu process on the host leading     to DoS (bsc#1013285)

  - CVE-2016-9911: The USB EHCI Emulation support was     vulnerable to a memory leakage issue while processing     packet data in 'ehci_init_transfer'. A guest     user/process could have used this issue to leak host     memory, resulting in DoS for the host (bsc#1014111)

  - CVE-2016-9907: The USB redirector usb-guest support was     vulnerable to a memory leakage flaw when destroying the     USB redirector in 'usbredir_handle_destroy'. A guest     user/process could have used this issue to leak host     memory, resulting in DoS for a host (bsc#1014109)

  - CVE-2016-9921: The Cirrus CLGD 54xx VGA Emulator support     was vulnerable to a divide by zero issue while copying     VGA data. A privileged user inside guest could have used     this flaw to crash the process instance on the host,     resulting in DoS (bsc#1014702)

  - CVE-2016-9922: The Cirrus CLGD 54xx VGA Emulator support     was vulnerable to a divide by zero issue while copying     VGA data. A privileged user inside guest could have used     this flaw to crash the process instance on the host,     resulting in DoS (bsc#1014702)

  - CVE-2017-5898: The CCID Card device emulator support was     vulnerable to an integer overflow allowing a privileged     user inside the guest to crash the Qemu process     resulting in DoS (bnc#1023907)

  - CVE-2016-10155: The virtual hardware watchdog     'wdt_i6300esb' was vulnerable to a memory leakage issue     allowing a privileged user to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1021129)

  - CVE-2017-5856: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a memory leakage     issue allowing a privileged user to leak host memory     resulting in DoS (bsc#1023053)

  - CVE-2016-9602: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper link following issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1020427)

  - CVE-2016-9603: A privileged user within the guest VM     could have caused a heap overflow in the device model     process, potentially escalating their privileges to that     of the device model process (bsc#1028656)

  - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which     allowed remote attackers to cause a denial of service     (daemon crash) by disconnecting during a     server-to-client reply attempt (bsc#1046636)

  - CVE-2017-10806: Stack-based buffer overflow allowed     local guest OS users to cause a denial of service (QEMU     process crash) via vectors related to logging debug     messages (bsc#1047674)

  - CVE-2017-11334: The address_space_write_continue     function allowed local guest OS privileged users to     cause a denial of service (out-of-bounds access and     guest instance crash) by leveraging use of     qemu_map_ram_ptr to access guest ram block area     (bsc#1048902)

  - CVE-2017-11434: The dhcp_decode function in     slirp/bootp.c allowed local guest OS users to cause a     denial of service (out-of-bounds read) via a crafted     DHCP options string (bsc#1049381)

  - CVE-2017-13672: The VGA display emulator support allowed     local guest OS privileged users to cause a denial of     service (out-of-bounds read and QEMU process crash) via     vectors involving display update (bsc#1056334)

  - CVE-2017-14167: Integer overflow in the load_multiboot     function allowed local guest OS users to execute     arbitrary code on the host via crafted multiboot header     address values, which trigger an out-of-bounds write     (bsc#1057585)

  - CVE-2017-15038: Race condition in the v9fs_xattrwalk     function local guest OS users to obtain sensitive     information from host heap memory via vectors related to     reading extended attributes (bsc#1062069)

  - CVE-2017-15289: The mode4and5 write functions allowed     local OS guest privileged users to cause a denial of     service (out-of-bounds write access and Qemu process     crash) via vectors related to dst calculation     (bsc#1063122)

  - CVE-2017-5579: The 16550A UART serial device emulation     support was vulnerable to a memory leakage issue     allowing a privileged user to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1021741)

  - CVE-2017-5973: A infinite loop while doing control     transfer in xhci_kick_epctx allowed privileged user     inside the guest to crash the host process resulting in     DoS (bsc#1025109)

  - CVE-2017-6505: The ohci_service_ed_list function allowed     local guest OS users to cause a denial of service     (infinite loop) via vectors involving the number of link     endpoint list descriptors (bsc#1028184)

  - CVE-2017-7471: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper access control issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1034866)

  - CVE-2017-7493: The VirtFS, host directory sharing via     Plan 9 File System(9pfs) support, was vulnerable to an     improper access control issue. It could occur while     accessing virtfs metadata files in mapped-file security     mode. A guest user could have used this flaw to escalate     their privileges inside guest (bsc#1039495)

  - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local     guest OS privileged users to cause a denial of service     (out-of-bounds read and QEMU process crash) via vectors     related to copying VGA data via the     cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_     functions (bsc#1034908)

  - CVE-2017-7980: An out-of-bounds r/w access issues in the     Cirrus CLGD 54xx VGA Emulator support allowed privileged     user inside guest to use this flaw to crash the Qemu     process resulting in DoS or potentially execute     arbitrary code on a host with privileges of Qemu process     on the host (bsc#1035406)

  - CVE-2017-8086: A memory leak in the v9fs_list_xattr     function in hw/9pfs/9p-xattr.c allowed local guest OS     privileged users to cause a denial of service (memory     consumption) via vectors involving the orig_value     variable (bsc#1035950)

  - CVE-2017-8309: Memory leak in the audio/audio.c allowed     remote attackers to cause a denial of service (memory     consumption) by repeatedly starting and stopping audio     capture (bsc#1037242)

  - CVE-2017-9330: USB OHCI Emulation in qemu allowed local     guest OS users to cause a denial of service (infinite     loop) by leveraging an incorrect return value     (bsc#1042159)

  - CVE-2017-9373: The IDE AHCI Emulation support was     vulnerable to a host memory leakage issue, which allowed     a privileged user inside guest to leak host memory     resulting in DoS (bsc#1042801)

  - CVE-2017-9375: The USB xHCI controller emulator support     was vulnerable to an infinite recursive call loop issue,     which allowed a privileged user inside guest to crash     the Qemu process resulting in DoS (bsc#1042800)

  - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a NULL pointer     dereference issue which allowed a privileged user inside     guest to crash the Qemu process on the host resulting in     DoS (bsc#1043296)

  - Fix privilege escalation in TCG mode (bsc#1030624)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes several issues. These security issues were fixed :

  - CVE-2017-15289: The mode4and5 write functions allowed     local OS guest privileged users to cause a denial of     service (out-of-bounds write access and Qemu process     crash) via vectors related to dst calculation     (bsc#1063122)

  - CVE-2017-2633: The VNC display driver support was     vulnerable to an out-of-bounds memory access issue. A     user/process inside guest could use this flaw to cause     DoS (bsc#1026612)

  - CVE-2017-15038: Race condition in the v9fs_xattrwalk     function local guest OS users to obtain sensitive     information from host heap memory via vectors related to     reading extended attributes (bsc#1062069)

  - CVE-2017-14167: Integer overflow in the load_multiboot     function allowed local guest OS users to execute     arbitrary code on the host via crafted multiboot header     address values, which trigger an out-of-bounds write     (bsc#1057585)

  - CVE-2017-11434: The dhcp_decode function in     slirp/bootp.c allowed local guest OS users to cause a     denial of service (out-of-bounds read) via a crafted     DHCP options string (bsc#1049381)

  - CVE-2017-11334: The address_space_write_continue     function allowed local guest OS privileged users to     cause a denial of service (out-of-bounds access and     guest instance crash) by leveraging use of     qemu_map_ram_ptr to access guest ram block area     (bsc#1048902)

  - CVE-2017-13672: The VGA display emulator support allowed     local guest OS privileged users to cause a denial of     service (out-of-bounds read and QEMU process crash) via     vectors involving display update (bsc#1056334)

  - CVE-2017-5973: A infinite loop while doing control     transfer in xhci_kick_epctx allowed privileged user     inside the guest to crash the host process resulting in     DoS (bsc#1025109)

  - CVE-2017-5987: The sdhci_sdma_transfer_multi_blocks     function in hw/sd/sdhci.c allowed local OS guest     privileged users to cause a denial of service (infinite     loop and QEMU process crash) via vectors involving the     transfer mode register during multi block transfer     (bsc#1025311)

  - CVE-2017-6505: The ohci_service_ed_list function allowed     local guest OS users to cause a denial of service     (infinite loop) via vectors involving the number of link     endpoint list descriptors (bsc#1028184)

  - CVE-2016-9603: A privileged user within the guest VM     could have caused a heap overflow in the device model     process, potentially escalating their privileges to that     of the device model process (bsc#1028656)

  - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local     guest OS privileged users to cause a denial of service     (out-of-bounds read and QEMU process crash) via vectors     related to copying VGA data via the     cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_     functions (bsc#1034908)

  - CVE-2017-7980: An out-of-bounds r/w access issues in the     Cirrus CLGD 54xx VGA Emulator support allowed privileged     user inside guest to use this flaw to crash the Qemu     process resulting in DoS or potentially execute     arbitrary code on a host with privileges of Qemu process     on the host (bsc#1035406)

  - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest     OS privileged users to cause a denial of service     (infinite loop and CPU consumption) via the message ring     page count (bsc#1036211)

  - CVE-2017-9375: The USB xHCI controller emulator support     was vulnerable to an infinite recursive call loop issue,     which allowed a privileged user inside guest to crash     the Qemu process resulting in DoS (bsc#1042800)

  - CVE-2017-9373: The IDE AHCI Emulation support was     vulnerable to a host memory leakage issue, which allowed     a privileged user inside guest to leak host memory     resulting in DoS (bsc#1042801)

  - CVE-2017-9330: USB OHCI Emulation in qemu allowed local     guest OS users to cause a denial of service (infinite     loop) by leveraging an incorrect return value     (bsc#1042159)

  - CVE-2017-8309: Memory leak in the audio/audio.c allowed     remote attackers to cause a denial of service (memory     consumption) by repeatedly starting and stopping audio     capture (bsc#1037242)

  - CVE-2017-7493: The VirtFS, host directory sharing via     Plan 9 File System(9pfs) support, was vulnerable to an     improper access control issue. It could occur while     accessing virtfs metadata files in mapped-file security     mode. A guest user could have used this flaw to escalate     their privileges inside guest (bsc#1039495)

  - CVE-2016-9602: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper link following issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1020427)

  - CVE-2017-5579: The 16550A UART serial device emulation     support was vulnerable to a memory leakage issue     allowing a privileged user to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1021741)

  - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a NULL pointer     dereference issue which allowed a privileged user inside     guest to crash the Qemu process on the host resulting in     DoS (bsc#1043296)

  - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which     allowed remote attackers to cause a denial of service     (daemon crash) by disconnecting during a     server-to-client reply attempt (bsc#1046636)

  - CVE-2017-10806: Stack-based buffer overflow allowed     local guest OS users to cause a denial of service (QEMU     process crash) via vectors related to logging debug     messages (bsc#1047674)

  - CVE-2016-9602: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper link following issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1020427)

  - CVE-2017-7377: The v9fs_create and v9fs_lcreate     functions in hw/9pfs/9p.c allowed local guest OS     privileged users to cause a denial of service (file     descriptor or memory consumption) via vectors related to     an already in-use fid (bsc#1032075)

  - CVE-2017-8086: A memory leak in the v9fs_list_xattr     function in hw/9pfs/9p-xattr.c allowed local guest OS     privileged users to cause a denial of service (memory     consumption) via vectors involving the orig_value     variable (bsc#1035950)

  - CVE-2017-7471: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper access control issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1034866)

  - CVE-2016-6834: A infinite loop during packet     fragmentation in the VMWARE VMXNET3 NIC device support     allowed privileged user inside guest to crash the Qemu     instance resulting in DoS (bsc#994418)

  - CVE-2016-6835: Buffer overflow in the VMWARE VMXNET3 NIC     device support, causing an OOB read access (bsc#994605)

  - Fix privilege escalation in TCG mode (bsc#1030624)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for kvm fixes several issues. These security issues were fixed :

  - CVE-2016-9602: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper link following issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1020427)

  - CVE-2016-9603: A privileged user within the guest VM     could have caused a heap overflow in the device model     process, potentially escalating their privileges to that     of the device model process (bsc#1028656)

  - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which     allowed remote attackers to cause a denial of service     (daemon crash) by disconnecting during a     server-to-client reply attempt (bsc#1046636)

  - CVE-2017-10806: Stack-based buffer overflow allowed     local guest OS users to cause a denial of service (QEMU     process crash) via vectors related to logging debug     messages (bsc#1047674).

  - CVE-2017-11334: The address_space_write_continue     function allowed local guest OS privileged users to     cause a denial of service (out-of-bounds access and     guest instance crash) by leveraging use of     qemu_map_ram_ptr to access guest ram block area     (bsc#1048902).

  - CVE-2017-11434: The dhcp_decode function in     slirp/bootp.c allowed local guest OS users to cause a     denial of service (out-of-bounds read) via a crafted     DHCP options string (bsc#1049381)

  - CVE-2017-13672: The VGA display emulator support allowed     local guest OS privileged users to cause a denial of     service (out-of-bounds read and QEMU process crash) via     vectors involving display update (bsc#1056334).

  - CVE-2017-14167: Integer overflow in the load_multiboot     function allowed local guest OS users to execute     arbitrary code on the host via crafted multiboot header     address values, which trigger an out-of-bounds write     (bsc#1057585).

  - CVE-2017-15038: Race condition in the v9fs_xattrwalk     function local guest OS users to obtain sensitive     information from host heap memory via vectors related to     reading extended attributes (bsc#1062069).

  - CVE-2017-15289: The mode4and5 write functions allowed     local OS guest privileged users to cause a denial of     service (out-of-bounds write access and Qemu process     crash) via vectors related to dst calculation     (bsc#1063122).

  - CVE-2017-5579: The 16550A UART serial device emulation     support was vulnerable to a memory leakage issue     allowing a privileged user to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1021741)

  - CVE-2017-5973: A infinite loop while doing control     transfer in xhci_kick_epctx allowed privileged user     inside the guest to crash the host process resulting in     DoS (bsc#1025109)

  - CVE-2017-6505: The ohci_service_ed_list function allowed     local guest OS users to cause a denial of service     (infinite loop) via vectors involving the number of link     endpoint list descriptors (bsc#1028184)

  - CVE-2017-7471: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper access control issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1034866)

  - CVE-2017-7493: The VirtFS, host directory sharing via     Plan 9 File System(9pfs) support, was vulnerable to an     improper access control issue. It could occur while     accessing virtfs metadata files in mapped-file security     mode. A guest user could have used this flaw to escalate     their privileges inside guest (bsc#1039495)

  - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local     guest OS privileged users to cause a denial of service     (out-of-bounds read and QEMU process crash) via vectors     related to copying VGA data via the     cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_     functions (bsc#1034908)

  - CVE-2017-7980: An out-of-bounds r/w access issues in the     Cirrus CLGD 54xx VGA Emulator support allowed privileged     user inside guest to use this flaw to crash the Qemu     process resulting in DoS or potentially execute     arbitrary code on a host with privileges of Qemu process     on the host (bsc#1035406)

  - CVE-2017-8086: A memory leak in the v9fs_list_xattr     function in hw/9pfs/9p-xattr.c allowed local guest OS     privileged users to cause a denial of service (memory     consumption) via vectors involving the orig_value     variable (bsc#1035950)

  - CVE-2017-8309: Memory leak in the audio/audio.c allowed     remote attackers to cause a denial of service (memory     consumption) by repeatedly starting and stopping audio     capture (bsc#1037242)

  - CVE-2017-9330: USB OHCI Emulation in qemu allowed local     guest OS users to cause a denial of service (infinite     loop) by leveraging an incorrect return value     (bsc#1042159)

  - CVE-2017-9373: The IDE AHCI Emulation support was     vulnerable to a host memory leakage issue, which allowed     a privileged user inside guest to leak host memory     resulting in DoS (bsc#1042801)

  - CVE-2017-9375: The USB xHCI controller emulator support     was vulnerable to an infinite recursive call loop issue,     which allowed a privileged user inside guest to crash     the Qemu process resulting in DoS (bsc#1042800)

  - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a NULL pointer     dereference issue which allowed a privileged user inside     guest to crash the Qemu process on the host resulting in     DoS (bsc#1043296)

  - Privilege escalation in TCG mode (bsc#1030624)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes several issues. These security issues were fixed :

  - CVE-2017-10911: The make_response function in the Linux     kernel allowed guest OS users to obtain sensitive     information from host OS (or other guest OS) kernel     memory by leveraging the copying of uninitialized     padding fields in Xen block-interface response     structures (bsc#1057378).

  - CVE-2017-12809: The IDE disk and CD/DVD-ROM Emulator     support allowed local guest OS privileged users to cause     a denial of service (NULL pointer dereference and QEMU     process crash) by flushing an empty CDROM device drive     (bsc#1054724).

  - CVE-2017-15289: The mode4and5 write functions allowed     local OS guest privileged users to cause a denial of     service (out-of-bounds write access and Qemu process     crash) via vectors related to dst calculation     (bsc#1063122)

  - CVE-2017-15038: Race condition in the v9fs_xattrwalk     function local guest OS users to obtain sensitive     information from host heap memory via vectors related to     reading extended attributes (bsc#1062069)

  - CVE-2017-14167: Integer overflow in the load_multiboot     function allowed local guest OS users to execute     arbitrary code on the host via crafted multiboot header     address values, which trigger an out-of-bounds write     (bsc#1057585)

  - CVE-2017-11434: The dhcp_decode function in     slirp/bootp.c allowed local guest OS users to cause a     denial of service (out-of-bounds read) via a crafted     DHCP options string (bsc#1049381)

  - CVE-2017-11334: The address_space_write_continue     function allowed local guest OS privileged users to     cause a denial of service (out-of-bounds access and     guest instance crash) by leveraging use of     qemu_map_ram_ptr to access guest ram block area     (bsc#1048902)

  - CVE-2017-13672: The VGA display emulator support allowed     local guest OS privileged users to cause a denial of     service (out-of-bounds read and QEMU process crash) via     vectors involving display update (bsc#1056334)

  - CVE-2017-5973: A infinite loop while doing control     transfer in xhci_kick_epctx allowed privileged user     inside the guest to crash the host process resulting in     DoS (bsc#1025109)

  - CVE-2017-5987: The sdhci_sdma_transfer_multi_blocks     function in hw/sd/sdhci.c allowed local OS guest     privileged users to cause a denial of service (infinite     loop and QEMU process crash) via vectors involving the     transfer mode register during multi block transfer     (bsc#1025311)

  - CVE-2017-6505: The ohci_service_ed_list function allowed     local guest OS users to cause a denial of service     (infinite loop) via vectors involving the number of link     endpoint list descriptors (bsc#1028184)

  - CVE-2016-9603: A privileged user within the guest VM     could have caused a heap overflow in the device model     process, potentially escalating their privileges to that     of the device model process (bsc#1028656)

  - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local     guest OS privileged users to cause a denial of service     (out-of-bounds read and QEMU process crash) via vectors     related to copying VGA data via the     cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_     functions (bsc#1034908)

  - CVE-2017-7980: An out-of-bounds r/w access issues in the     Cirrus CLGD 54xx VGA Emulator support allowed privileged     user inside guest to use this flaw to crash the Qemu     process resulting in DoS or potentially execute     arbitrary code on a host with privileges of Qemu process     on the host (bsc#1035406)

  - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest     OS privileged users to cause a denial of service     (infinite loop and CPU consumption) via the message ring     page count (bsc#1036211)

  - CVE-2017-9375: The USB xHCI controller emulator support     was vulnerable to an infinite recursive call loop issue,     which allowed a privileged user inside guest to crash     the Qemu process resulting in DoS (bsc#1042800)

  - CVE-2017-9374: Missing free of 's->ipacket', causes a     host memory leak, allowing for DoS (bsc#1043073)

  - CVE-2017-9373: The IDE AHCI Emulation support was     vulnerable to a host memory leakage issue, which allowed     a privileged user inside guest to leak host memory     resulting in DoS (bsc#1042801)

  - CVE-2017-9330: USB OHCI Emulation in qemu allowed local     guest OS users to cause a denial of service (infinite     loop) by leveraging an incorrect return value     (bsc#1042159)

  - CVE-2017-8379: Memory leak in the keyboard input event     handlers support allowed local guest OS privileged users     to cause a denial of service (host memory consumption)     by rapidly generating large keyboard events     (bsc#1037334)

  - CVE-2017-8309: Memory leak in the audio/audio.c allowed     remote attackers to cause a denial of service (memory     consumption) by repeatedly starting and stopping audio     capture (bsc#1037242)

  - CVE-2017-8380: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to an out-of-bounds     read access issue which allowed a privileged user inside     guest to read host memory resulting in DoS (bsc#1037336)

  - CVE-2017-7493: The VirtFS, host directory sharing via     Plan 9 File System(9pfs) support, was vulnerable to an     improper access control issue. It could occur while     accessing virtfs metadata files in mapped-file security     mode. A guest user could have used this flaw to escalate     their privileges inside guest (bsc#1039495)

  - CVE-2016-9602: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper link following issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1020427)

  - CVE-2017-5579: The 16550A UART serial device emulation     support was vulnerable to a memory leakage issue     allowing a privileged user to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1021741)

  - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a NULL pointer     dereference issue which allowed a privileged user inside     guest to crash the Qemu process on the host resulting in     DoS (bsc#1043296)

  - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which     allowed remote attackers to cause a denial of service     (daemon crash) by disconnecting during a     server-to-client reply attempt (bsc#1046636)

  - CVE-2017-10806: Stack-based buffer overflow allowed     local guest OS users to cause a denial of service (QEMU     process crash) via vectors related to logging debug     messages (bsc#1047674)

  - CVE-2016-9602: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper link following issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1020427)

  - CVE-2017-7377: The v9fs_create and v9fs_lcreate     functions in hw/9pfs/9p.c allowed local guest OS     privileged users to cause a denial of service (file     descriptor or memory consumption) via vectors related to     an already in-use fid (bsc#1032075)

  - CVE-2017-8086: A memory leak in the v9fs_list_xattr     function in hw/9pfs/9p-xattr.c allowed local guest OS     privileged users to cause a denial of service (memory     consumption) via vectors involving the orig_value     variable (bsc#1035950)

  - CVE-2017-7471: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper access control issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1034866)

  - CVE-2016-6835: Buffer overflow in the VMWARE VMXNET3 NIC     device support, causing an OOB read access (bsc#994605)

  - CVE-2016-6834: A infinite loop during packet     fragmentation in the VMWARE VMXNET3 NIC device support     allowed privileged user inside guest to crash the Qemu     instance resulting in DoS (bsc#994418)

  - Fix privilege escalation in TCG mode (bsc#1030624)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities were found in qemu, a fast processor emulator :

  - CVE-2017-9375     Denial of service via memory leak in USB XHCI emulation.

  - CVE-2017-12809     Denial of service in the CDROM device drive emulation.

  - CVE-2017-13672     Denial of service in VGA display emulation.

  - CVE-2017-13711     Denial of service in SLIRP networking support.

  - CVE-2017-14167     Incorrect validation of multiboot headers could result     in the execution of arbitrary code.

USN-3414-1 fixed vulnerabilities in QEMU. The patch backport for CVE-2017-9375 was incomplete and caused a regression in the USB xHCI controller emulation support. This update fixes the problem.

We apologize for the inconvenience.

Leo Gaspard discovered that QEMU incorrectly handled VirtFS access control. A guest attacker could use this issue to elevate privileges inside the guest. (CVE-2017-7493)

Li Qiang discovered that QEMU incorrectly handled VMware PVSCSI emulation. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources or crash, resulting in a denial of service. (CVE-2017-8112)

It was discovered that QEMU incorrectly handled MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly to obtain sensitive host memory. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.04. (CVE-2017-8380)

Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service. This issue only affected Ubuntu 17.04. (CVE-2017-9060)

Li Qiang discovered that QEMU incorrectly handled the e1000e device. A privileged attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service. This issue only affected Ubuntu 17.04.
(CVE-2017-9310)

Li Qiang discovered that QEMU incorrectly handled USB OHCI emulation support. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-9330)

Li Qiang discovered that QEMU incorrectly handled IDE AHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service. (CVE-2017-9373)

Li Qiang discovered that QEMU incorrectly handled USB EHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service. (CVE-2017-9374)

Li Qiang discovered that QEMU incorrectly handled USB xHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service. (CVE-2017-9375)

Zhangyanyu discovered that QEMU incorrectly handled MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-9503)

It was discovered that the QEMU qemu-nbd server incorrectly handled initialization. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. (CVE-2017-9524)

It was discovered that the QEMU qemu-nbd server incorrectly handled signals. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service.
(CVE-2017-10664)

Li Qiang discovered that the QEMU USB redirector incorrectly handled logging debug messages. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-10806)

Anthony Perard discovered that QEMU incorrectly handled Xen block-interface responses. An attacker inside the guest could use this issue to cause QEMU to leak contents of host memory. (CVE-2017-10911)

Reno Robert discovered that QEMU incorrectly handled certain DHCP options strings. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-11434)

Ryan Salsamendi discovered that QEMU incorrectly handled empty CDROM device drives. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.04. (CVE-2017-12809).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Leo Gaspard discovered that QEMU incorrectly handled VirtFS access control. A guest attacker could use this issue to elevate privileges inside the guest. (CVE-2017-7493)

Li Qiang discovered that QEMU incorrectly handled VMware PVSCSI emulation. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources or crash, resulting in a denial of service. (CVE-2017-8112)

It was discovered that QEMU incorrectly handled MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly to obtain sensitive host memory. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.04. (CVE-2017-8380)

Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service.
This issue only affected Ubuntu 17.04. (CVE-2017-9060)

Li Qiang discovered that QEMU incorrectly handled the e1000e device. A privileged attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service. This issue only affected Ubuntu 17.04. (CVE-2017-9310)

Li Qiang discovered that QEMU incorrectly handled USB OHCI emulation support. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-9330)

Li Qiang discovered that QEMU incorrectly handled IDE AHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service. (CVE-2017-9373)

Li Qiang discovered that QEMU incorrectly handled USB EHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service. (CVE-2017-9374)

Li Qiang discovered that QEMU incorrectly handled USB xHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service.
(CVE-2017-9375)

Zhangyanyu discovered that QEMU incorrectly handled MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-9503)

It was discovered that the QEMU qemu-nbd server incorrectly handled initialization. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. (CVE-2017-9524)

It was discovered that the QEMU qemu-nbd server incorrectly handled signals. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. (CVE-2017-10664)

Li Qiang discovered that the QEMU USB redirector incorrectly handled logging debug messages. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2017-10806)

Anthony Perard discovered that QEMU incorrectly handled Xen block-interface responses. An attacker inside the guest could use this issue to cause QEMU to leak contents of host memory. (CVE-2017-10911)

Reno Robert discovered that QEMU incorrectly handled certain DHCP options strings. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2017-11434)

Ryan Salsamendi discovered that QEMU incorrectly handled empty CDROM device drives. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.04.
(CVE-2017-12809).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for qemu-kvm-rhev is now available for RHEV 4.X RHEV-H and Agents for RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines that use KVM in environments managed by Red Hat products.

The following packages have been upgraded to a later upstream version:
qemu-kvm-rhev (2.9.0). (BZ#1387372, BZ#1387600, BZ#1400962)

Security Fix(es) :

* A stack-based buffer overflow flaw was found in the Quick Emulator (QEMU) built with the Network Block Device (NBD) client support. The flaw could occur while processing server's response to a 'NBD_OPT_LIST' request. A malicious NBD server could use this issue to crash a remote NBD client resulting in DoS or potentially execute arbitrary code on client host with privileges of the QEMU process.
(CVE-2017-2630)

* An integer overflow flaw was found in Quick Emulator (QEMU) in the CCID Card device support. The flaw could occur while passing messages via command/response packets to and from the host. A privileged user inside a guest could use this flaw to crash the QEMU process.
(CVE-2017-5898)

* An information exposure flaw was found in Quick Emulator (QEMU) in Task Priority Register (TPR) optimizations for 32-bit Windows guests.
The flaw could occur while accessing TPR. A privileged user inside a guest could use this issue to read portions of the host memory.
(CVE-2016-4020)

* A memory-leak flaw was found in the Quick Emulator(QEMU) built with USB xHCI controller emulation support. The flaw could occur while doing a USB-device unplug operation. Unplugging the device repeatedly resulted in leaking host memory, affecting other services on the host.
A privileged user inside the guest could exploit this flaw to cause a denial of service on the host or potentially crash the host's QEMU process instance. (CVE-2016-7466)

* Multiple CVEs(CVE-2016-10155, CVE-2016-4020, CVE-2016-6835, CVE-2016-6888, CVE-2016-7422, CVE-2016-7466, CVE-2016-8576, CVE-2016-8669, CVE-2016-8909, CVE-2016-8910, CVE-2016-9907, CVE-2016-9911, CVE-2016-9921, CVE-2016-9922, CVE-2017-2630, CVE-2017-5579, CVE-2017-5898, CVE-2017-5973, CVE-2017-9310, CVE-2017-9373, CVE-2017-9374, CVE-2017-9375) were fixed as result of rebase to QEMU version 2.9.0.

Red Hat would like to thank Li Qiang (Qihoo 360 Inc.) for reporting CVE-2016-6835 and CVE-2016-6888; Li Qiang (360.cn Inc.) for reporting CVE-2017-5898, CVE-2016-7466, CVE-2016-10155, CVE-2017-5579, and CVE-2017-5973; Donghai Zdh (Alibaba Inc.) for reporting CVE-2016-4020;
Qinghao Tang (Marvel Team 360.cn Inc.) and Zhenhao Hong (Marvel Team 360.cn Inc.) for reporting CVE-2016-7422; PSIRT (Huawei Inc.) for reporting CVE-2016-8669; Andrew Henderson (Intelligent Automation Inc.) for reporting CVE-2016-8910; Qinghao Tang (Qihoo 360), Li Qiang (Qihoo 360), and Jiangxin (Huawei Inc.) for reporting CVE-2016-9921 and CVE-2016-9922; and Li Qiang (Qihoo 360 Gear Team) for reporting CVE-2017-9310, CVE-2017-9373, CVE-2017-9374, and CVE-2017-9375.

Additional Changes :

This update also fixes several bugs and adds various enhancements.
Documentation for these changes is available from the Release Notes document linked to in the References section.

This update for qemu fixes several issues.

These security issues were fixed :

  - CVE-2017-9330: USB OHCI Emulation in qemu allowed local     guest OS users to cause a denial of service (infinite     loop) by leveraging an incorrect return value     (bsc#1042159).

  - CVE-2017-8379: Memory leak in the keyboard input event     handlers support allowed local guest OS privileged users     to cause a denial of service (host memory consumption)     by rapidly generating large keyboard events     (bsc#1037334).

  - CVE-2017-8309: Memory leak in the audio/audio.c allowed     remote attackers to cause a denial of service (memory     consumption) by repeatedly starting and stopping audio     capture (bsc#1037242).

  - CVE-2017-7493: The VirtFS, host directory sharing via     Plan 9 File System(9pfs) support, was vulnerable to an     improper access control issue. It could occur while     accessing virtfs metadata files in mapped-file security     mode. A guest user could have used this flaw to escalate     their privileges inside guest (bsc#1039495).

  - CVE-2017-7377: The v9fs_create and v9fs_lcreate     functions in hw/9pfs/9p.c allowed local guest OS     privileged users to cause a denial of service (file     descriptor or memory consumption) via vectors related to     an already in-use fid (bsc#1032075).

  - CVE-2017-8086: A memory leak in the v9fs_list_xattr     function in hw/9pfs/9p-xattr.c allowed local guest OS     privileged users to cause a denial of service (memory     consumption) via vectors involving the orig_value     variable (bsc#1035950).

  - CVE-2017-5973: A infinite loop while doing control     transfer in xhci_kick_epctx allowed privileged user     inside the guest to crash the host process resulting in     DoS (bsc#1025109)

  - CVE-2017-5987: The sdhci_sdma_transfer_multi_blocks     function in hw/sd/sdhci.c allowed local OS guest     privileged users to cause a denial of service (infinite     loop and QEMU process crash) via vectors involving the     transfer mode register during multi block transfer     (bsc#1025311).

  - CVE-2017-6505: The ohci_service_ed_list function in     hw/usb/hcd-ohci.c allowed local guest OS users to cause     a denial of service (infinite loop) via vectors     involving the number of link endpoint list descriptors     (bsc#1028184)

  - CVE-2016-9603: A privileged user within the guest VM     could have caused a heap overflow in the device model     process, potentially escalating their privileges to that     of the device model process (bsc#1028656)

  - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local     guest OS privileged users to cause a denial of service     (out-of-bounds read and QEMU process crash) via vectors     related to copying VGA data via the     cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_     functions (bsc#1034908)

  - CVE-2017-7980: An out-of-bounds r/w access issues in the     Cirrus CLGD 54xx VGA Emulator support allowed privileged     user inside guest to use this flaw to crash the Qemu     process resulting in DoS or potentially execute     arbitrary code on a host with privileges of Qemu process     on the host (bsc#1035406)

  - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest     OS privileged users to cause a denial of service     (infinite loop and CPU consumption) via the message ring     page count (bsc#1036211).

  - CVE-2017-9375: The USB xHCI controller emulator support     was vulnerable to an infinite recursive call loop issue,     which allowed a privileged user inside guest to crash     the Qemu process resulting in DoS (bsc#1042800).

  - CVE-2017-9374: Missing free of 's->ipacket', causes a     host memory leak, allowing for DoS (bsc#1043073).

  - CVE-2017-9373: The IDE AHCI Emulation support was     vulnerable to a host memory leakage issue, which allowed     a privileged user inside guest to leak host memory     resulting in DoS (bsc#1042801).

  - CVE-2017-8380: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to an out-of-bounds     read access issue which allowed a privileged user inside     guest to read host memory resulting in DoS     (bsc#1037336).

  - CVE-2016-9602: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper link following issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1020427).

  - CVE-2017-7471: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper access control issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1034866).

  - Fix privilege escalation in TCG mode of QEMU. This is     not considered a security issue by the upstream project,     but is included as additional hardening (bsc#1030624)

  - Fix potential DoS in virtfs

  - CVE-2016-10028: The Virtio GPU Device emulator support     was vulnerable to an out of bounds memory access issue     allowing a guest user to crash the Qemu process instance     on a host, resulting in DoS (bsc#1017084, bsc#1016503)

  - CVE-2016-10029: The Virtio GPU Device emulator support     was vulnerable to an OOB read issue allowing a guest     user to crash the Qemu process instance resulting in Dos     (bsc#1017081, bsc#1016504)

  - CVE-2017-5579: The 16550A UART serial device emulation     support was vulnerable to a memory leakage issue     allowing a privileged user to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1021741)

  - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a NULL pointer     dereference issue which allowed a privileged user inside     guest to crash the Qemu process on the host resulting in     DoS (bsc#1043296).

This non-security issue was fixed :

  - Enable MONITOR/MWAIT support for guests (bsc#1031142)

This update was imported from the SUSE:SLE-12-SP2:Update update project.

This update for qemu fixes several issues. These security issues were fixed :

  - CVE-2017-9330: USB OHCI Emulation in qemu allowed local     guest OS users to cause a denial of service (infinite     loop) by leveraging an incorrect return value     (bsc#1042159).

  - CVE-2017-8379: Memory leak in the keyboard input event     handlers support allowed local guest OS privileged users     to cause a denial of service (host memory consumption)     by rapidly generating large keyboard events     (bsc#1037334).

  - CVE-2017-8309: Memory leak in the audio/audio.c allowed     remote attackers to cause a denial of service (memory     consumption) by repeatedly starting and stopping audio     capture (bsc#1037242).

  - CVE-2017-7493: The VirtFS, host directory sharing via     Plan 9 File System(9pfs) support, was vulnerable to an     improper access control issue. It could occur while     accessing virtfs metadata files in mapped-file security     mode. A guest user could have used this flaw to escalate     their privileges inside guest (bsc#1039495).

  - CVE-2017-7377: The v9fs_create and v9fs_lcreate     functions in hw/9pfs/9p.c allowed local guest OS     privileged users to cause a denial of service (file     descriptor or memory consumption) via vectors related to     an already in-use fid (bsc#1032075).

  - CVE-2017-8086: A memory leak in the v9fs_list_xattr     function in hw/9pfs/9p-xattr.c allowed local guest OS     privileged users to cause a denial of service (memory     consumption) via vectors involving the orig_value     variable (bsc#1035950).

  - CVE-2017-5973: A infinite loop while doing control     transfer in xhci_kick_epctx allowed privileged user     inside the guest to crash the host process resulting in     DoS (bsc#1025109)

  - CVE-2017-5987: The sdhci_sdma_transfer_multi_blocks     function in hw/sd/sdhci.c allowed local OS guest     privileged users to cause a denial of service (infinite     loop and QEMU process crash) via vectors involving the     transfer mode register during multi block transfer     (bsc#1025311).

  - CVE-2017-6505: The ohci_service_ed_list function in     hw/usb/hcd-ohci.c allowed local guest OS users to cause     a denial of service (infinite loop) via vectors     involving the number of link endpoint list descriptors     (bsc#1028184)

  - CVE-2016-9603: A privileged user within the guest VM     could have caused a heap overflow in the device model     process, potentially escalating their privileges to that     of the device model process (bsc#1028656)

  - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local     guest OS privileged users to cause a denial of service     (out-of-bounds read and QEMU process crash) via vectors     related to copying VGA data via the     cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_     functions (bsc#1034908)

  - CVE-2017-7980: An out-of-bounds r/w access issues in the     Cirrus CLGD 54xx VGA Emulator support allowed privileged     user inside guest to use this flaw to crash the Qemu     process resulting in DoS or potentially execute     arbitrary code on a host with privileges of Qemu process     on the host (bsc#1035406)

  - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest     OS privileged users to cause a denial of service     (infinite loop and CPU consumption) via the message ring     page count (bsc#1036211).

  - CVE-2017-9375: The USB xHCI controller emulator support     was vulnerable to an infinite recursive call loop issue,     which allowed a privileged user inside guest to crash     the Qemu process resulting in DoS (bsc#1042800).

  - CVE-2017-9374: Missing free of 's->ipacket', causes a     host memory leak, allowing for DoS (bsc#1043073).

  - CVE-2017-9373: The IDE AHCI Emulation support was     vulnerable to a host memory leakage issue, which allowed     a privileged user inside guest to leak host memory     resulting in DoS (bsc#1042801).

  - CVE-2017-8380: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to an out-of-bounds     read access issue which allowed a privileged user inside     guest to read host memory resulting in DoS     (bsc#1037336).

  - CVE-2016-9602: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper link following issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1020427).

  - CVE-2017-7471: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper access control issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1034866).

  - Fix privilege escalation in TCG mode of QEMU. This is     not considered a security issue by the upstream project,     but is included as additional hardening (bsc#1030624)

  - Fix potential DoS in virtfs

  - CVE-2016-10028: The Virtio GPU Device emulator support     was vulnerable to an out of bounds memory access issue     allowing a guest user to crash the Qemu process instance     on a host, resulting in DoS (bsc#1017084, bsc#1016503)

  - CVE-2016-10029: The Virtio GPU Device emulator support     was vulnerable to an OOB read issue allowing a guest     user to crash the Qemu process instance resulting in Dos     (bsc#1017081, bsc#1016504)

  - CVE-2017-5579: The 16550A UART serial device emulation     support was vulnerable to a memory leakage issue     allowing a privileged user to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1021741)

  - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a NULL pointer     dereference issue which allowed a privileged user inside     guest to crash the Qemu process on the host resulting in     DoS (bsc#1043296).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
129105	Debian DLA-1927-1 : qemu security update	Nessus	Debian Local Security Checks	high
104780	SUSE SLES11 Security Update : kvm (SUSE-SU-2017:3084-1)	Nessus	SuSE Local Security Checks	critical
104495	SUSE SLES12 Security Update : qemu (SUSE-SU-2017:2969-1)	Nessus	SuSE Local Security Checks	critical
104494	SUSE SLES11 Security Update : kvm (SUSE-SU-2017:2963-1)	Nessus	SuSE Local Security Checks	critical
104471	SUSE SLES12 Security Update : qemu (SUSE-SU-2017:2946-1)	Nessus	SuSE Local Security Checks	critical
103655	Debian DSA-3991-1 : qemu - security update	Nessus	Debian Local Security Checks	high
103372	Ubuntu 14.04 LTS / 16.04 LTS : QEMU regression (USN-3414-2)	Nessus	Ubuntu Local Security Checks	critical
103217	Ubuntu 14.04 LTS / 16.04 LTS : QEMU vulnerabilities (USN-3414-1)	Nessus	Ubuntu Local Security Checks	critical
102158	RHEL 7 : qemu-kvm-rhev (RHSA-2017:2392)	Nessus	Red Hat Local Security Checks	high
101758	openSUSE Security Update : qemu (openSUSE-2017-822)	Nessus	SuSE Local Security Checks	critical
101227	SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2017:1774-1)	Nessus	SuSE Local Security Checks	critical

Detections

Analytics

CVE-2017-9375

medium

Tenable Plugins

high

critical

critical

critical

critical

high

critical

critical

high

critical

critical