SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2016:2879-1)

This script is Copyright (C) 2016 Tenable Network Security, Inc.
Synopsis :

The remote SUSE host is missing one or more security updates.

Description :

This update for qemu to version 2.6.2 fixes several issues. These
security issues were fixed :

- CVE-2016-7161: Heap-based buffer overflow in the
.receive callback of xlnx.xps-ethernetlite in QEMU (aka
Quick Emulator) allowed attackers to execute arbitrary
code on the QEMU host via a large ethlite packet
(bsc#1001151).

- CVE-2016-7170: OOB stack memory access when processing
svga command (bsc#998516).

- CVE-2016-7466: xhci memory leakage during device unplug
(bsc#1000345).

- CVE-2016-7422: NULL pointer dereference in
virtqueue_map_desc (bsc#1000346).

- CVE-2016-7908: The mcf_fec_do_tx function in
hw/net/mcf_fec.c did not properly limit the buffer
descriptor count when transmitting packets, which
allowed local guest OS administrators to cause a denial
of service (infinite loop and QEMU process crash) via
vectors involving a buffer descriptor with a length of 0
and crafted values in bd.flags (bsc#1002550).

- CVE-2016-7995: Memory leak in ehci_process_itd
(bsc#1003612).

- CVE-2016-8576: The xhci_ring_fetch function in
hw/usb/hcd-xhci.c allowed local guest OS administrators
to cause a denial of service (infinite loop and QEMU
process crash) by leveraging failure to limit the number
of link Transfer Request Blocks (TRB) to process
(bsc#1003878).

- CVE-2016-8578: The v9fs_iov_vunmarshal function in
fsdev/9p-iov-marshal.c allowed local guest OS
administrators to cause a denial of service (NULL
pointer dereference and QEMU process crash) by sending
an empty string parameter to a 9P operation
(bsc#1003894).

- CVE-2016-9105: Memory leakage in v9fs_link
(bsc#1007494).

- CVE-2016-8577: Memory leak in the v9fs_read function in
hw/9pfs/9p.c allowed local guest OS administrators to
cause a denial of service (memory consumption) via
vectors related to an I/O read operation (bsc#1003893).

- CVE-2016-9106: Memory leakage in v9fs_write
(bsc#1007495).

- CVE-2016-8669: The serial_update_parameters function in
hw/char/serial.c allowed local guest OS administrators
to cause a denial of service (divide-by-zero error and
QEMU process crash) via vectors involving a value of
divider greater than baud base (bsc#1004707).

- CVE-2016-7909: The pcnet_rdra_addr function in
hw/net/pcnet.c allowed local guest OS administrators to
cause a denial of service (infinite loop and QEMU
process crash) by setting the (1) receive or (2)
transmit descriptor ring length to 0 (bsc#1002557).

- CVE-2016-9101: eepro100 memory leakage when unplugging
a device (bsc#1007391).

- CVE-2016-8668: The rocker_io_writel function in
hw/net/rocker/rocker.c allowed local guest OS
administrators to cause a denial of service
(out-of-bounds read and QEMU process crash) by
leveraging failure to limit DMA buffer size
(bsc#1004706).

- CVE-2016-8910: The rtl8139_cplus_transmit function in
hw/net/rtl8139.c allowed local guest OS administrators
to cause a denial of service (infinite loop and CPU
consumption) by leveraging failure to limit the ring
descriptor count (bsc#1006538).

- CVE-2016-8909: The intel_hda_xfer function in
hw/audio/intel-hda.c allowed local guest OS
administrators to cause a denial of service (infinite
loop and CPU consumption) via an entry with the same
value for buffer length and pointer position
(bsc#1006536).

- CVE-2016-7994: Memory leak in
virtio_gpu_resource_create_2d (bsc#1003613).

- CVE-2016-9104: Integer overflow leading to OOB access in
9pfs (bsc#1007493).

- CVE-2016-8667: The rc4030_write function in
hw/dma/rc4030.c allowed local guest OS administrators to
cause a denial of service (divide-by-zero error and QEMU
process crash) via a large interval timer reload value
(bsc#1004702).

- CVE-2016-7907: The pcnet_rdra_addr function in
hw/net/pcnet.c allowed local guest OS administrators to
cause a denial of service (infinite loop and QEMU
process crash) by setting the (1) receive or (2)
transmit descriptor ring length to 0 (bsc#1002549).

These non-security issues were fixed :

- Change kvm-supported.txt to be per-architecture
documentation, stored in the package documentation
directory of each per-arch package (bsc#1005353).

- Update support doc to include current ARM64 (AArch64)
support stance (bsc#1005374).

- Fix migration failure when snapshot also has been done
(bsc#1008148).

- Change package post script udevadm trigger calls to be
device specific (bsc#1002116).

- Add qmp-commands.txt documentation file back in. It was
inadvertently dropped.

- Add an x86 cpu option (l3-cache) to specify that an L3
cache is present and another option (cpuid-0xb) to
enable the cpuid 0xb leaf (bsc#1007769). For Leap 42.2
this update also enabled the smartcard support
(bsc#1007263).

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/1000345
https://bugzilla.suse.com/1000346
https://bugzilla.suse.com/1001151
https://bugzilla.suse.com/1002116
https://bugzilla.suse.com/1002549
https://bugzilla.suse.com/1002550
https://bugzilla.suse.com/1002557
https://bugzilla.suse.com/1003612
https://bugzilla.suse.com/1003613
https://bugzilla.suse.com/1003878
https://bugzilla.suse.com/1003893
https://bugzilla.suse.com/1003894
https://bugzilla.suse.com/1004702
https://bugzilla.suse.com/1004706
https://bugzilla.suse.com/1004707
https://bugzilla.suse.com/1005353
https://bugzilla.suse.com/1005374
https://bugzilla.suse.com/1006536
https://bugzilla.suse.com/1006538
https://bugzilla.suse.com/1007263
https://bugzilla.suse.com/1007391
https://bugzilla.suse.com/1007493
https://bugzilla.suse.com/1007494
https://bugzilla.suse.com/1007495
https://bugzilla.suse.com/1007769
https://bugzilla.suse.com/1008148
https://bugzilla.suse.com/998516
https://www.suse.com/security/cve/CVE-2016-7161.html
https://www.suse.com/security/cve/CVE-2016-7170.html
https://www.suse.com/security/cve/CVE-2016-7422.html
https://www.suse.com/security/cve/CVE-2016-7466.html
https://www.suse.com/security/cve/CVE-2016-7907.html
https://www.suse.com/security/cve/CVE-2016-7908.html
https://www.suse.com/security/cve/CVE-2016-7909.html
https://www.suse.com/security/cve/CVE-2016-7994.html
https://www.suse.com/security/cve/CVE-2016-7995.html
https://www.suse.com/security/cve/CVE-2016-8576.html
https://www.suse.com/security/cve/CVE-2016-8577.html
https://www.suse.com/security/cve/CVE-2016-8578.html
https://www.suse.com/security/cve/CVE-2016-8667.html
https://www.suse.com/security/cve/CVE-2016-8668.html
https://www.suse.com/security/cve/CVE-2016-8669.html
https://www.suse.com/security/cve/CVE-2016-8909.html
https://www.suse.com/security/cve/CVE-2016-8910.html
https://www.suse.com/security/cve/CVE-2016-9101.html
https://www.suse.com/security/cve/CVE-2016-9104.html
https://www.suse.com/security/cve/CVE-2016-9105.html
https://www.suse.com/security/cve/CVE-2016-9106.html
http://www.nessus.org/u?59292e84

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:
zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1682=1

SUSE Linux Enterprise Server 12-SP2:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1682=1

SUSE Linux Enterprise Desktop 12-SP2:
zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1682=1

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.4
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false