copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2016.0325 - [Debian] qemu and qemu-kvm: Multiple vulnerabilities

Date: 09 February 2016
References: ESB-2015.3208  ESB-2016.0223  ESB-2016.0717  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0325
                    qemu and qemu-kvm security updates
                              9 February 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           qemu
                   qemu-kvm
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-1981 CVE-2016-1922 CVE-2016-1714
                   CVE-2016-1568 CVE-2015-8745 CVE-2015-8744
                   CVE-2015-8743 CVE-2015-8619 CVE-2015-8613
                   CVE-2015-8568 CVE-2015-8567 CVE-2015-8558
                   CVE-2015-8550 CVE-2015-8504 CVE-2015-8345
                   CVE-2015-7549 CVE-2015-7512 CVE-2015-7504
                   CVE-2015-7295  

Reference:         ESB-2016.0223
                   ESB-2015.3208

Original Bulletin: 
   http://www.debian.org/security/2016/dsa-3469
   http://www.debian.org/security/2016/dsa-3470
   http://www.debian.org/security/2016/dsa-3471

Comment: This bulletin contains three (3) Debian security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3469-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
February 08, 2016                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : qemu
CVE ID         : CVE-2015-7295 CVE-2015-7504 CVE-2015-7512 CVE-2015-8345 
                 CVE-2015-8504 CVE-2015-8558 CVE-2015-8743 CVE-2016-1568 CVE-2016-1714 CVE-2016-1922
Debian Bug     : 799452 806373 806741 806742 808130 808144 810519 810527 811201

Several vulnerabilities were discovered in qemu, a full virtualization
solution on x86 hardware.

CVE-2015-7295

    Jason Wang of Red Hat Inc. discovered that the Virtual Network
    Device support is vulnerable to denial-of-service (via resource
    exhaustion), that could occur when receiving large packets.

CVE-2015-7504

    Qinghao Tang of Qihoo 360 Inc. and Ling Liu of Qihoo 360 Inc.
    discovered that the PC-Net II ethernet controller is vulnerable to
    a heap-based buffer overflow that could result in
    denial-of-service (via application crash) or arbitrary code
    execution.

CVE-2015-7512

    Ling Liu of Qihoo 360 Inc. and Jason Wang of Red Hat Inc.
    discovered that the PC-Net II ethernet controller is vulnerable to
    a buffer overflow that could result in denial-of-service (via
    application crash) or arbitrary code execution.

CVE-2015-8345

    Qinghao Tang of Qihoo 360 Inc. discovered that the eepro100
    emulator contains a flaw that could lead to an infinite loop when
    processing Command Blocks, eventually resulting in
    denial-of-service (via application crash).

CVE-2015-8504

    Lian Yihan of Qihoo 360 Inc. discovered that the VNC display
    driver support is vulnerable to an arithmetic exception flaw that
    could lead to denial-of-service (via application crash).

CVE-2015-8558

    Qinghao Tang of Qihoo 360 Inc. discovered that the USB EHCI
    emulation support contains a flaw that could lead to an infinite
    loop during communication between the host controller and a device
    driver. This could lead to denial-of-service (via resource
    exhaustion).

CVE-2015-8743

    Ling Liu of Qihoo 360 Inc. discovered that the NE2000 emulator is
    vulnerable to an out-of-bound read/write access issue, potentially
    resulting in information leak or memory corruption.

CVE-2016-1568

    Qinghao Tang of Qihoo 360 Inc. discovered that the IDE AHCI
    emulation support is vulnerable to a use-after-free issue, that
    could lead to denial-of-service (via application crash) or
    arbitrary code execution.

CVE-2016-1714

    Donghai Zhu of Alibaba discovered that the Firmware Configuration
    emulation support is vulnerable to an out-of-bound read/write
    access issue, that could lead to denial-of-service (via
    application crash) or arbitrary code execution.

CVE-2016-1922

    Ling Liu of Qihoo 360 Inc. discovered that 32-bit Windows guests
    support is vulnerable to a null pointer dereference issue, that
    could lead to denial-of-service (via application crash).

For the oldstable distribution (wheezy), these problems have been fixed
in version 1.1.2+dfsg-6a+deb7u12.

We recommend that you upgrade your qemu packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCgAGBQJWuOWPAAoJEBC+iYPz1Z1knsoH/3rLXi0kjSWOomCiVUoXRL8O
0m6qofjGHZ2B/7DG2Vkyw1Z94GGD9RF8JEamcPToSzamptrHNa5YNxrlO+Zg7YiD
jk7hd13a43PwjTudAjJmJPeDVMCslCl9DGX7GX3RDCN4s925s1PUZOvM6KB9i1HQ
IDGCLNaihhHYjCmwc2ACse6ro7yjtSepoflSjqJTSaobgQOgE7mBLjqDyPcPFuqV
cwGzvcjsufwwY7V1/l3nK6nRXcCr4t3Zt+KvnQvKBWu+rvpxLeHS8xevHFOZ0z2T
68fbeupSQzaMBmYanwidBcuYjh/eB9qIdICIG7YnQlV1WnfHH9ukEMWpzKzbIWs=
=1mhj
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3470-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
February 08, 2016                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : qemu-kvm
CVE ID         : CVE-2015-7295 CVE-2015-7504 CVE-2015-7512 CVE-2015-8345 
                 CVE-2015-8504 CVE-2015-8558 CVE-2015-8743 CVE-2016-1568 CVE-2016-1714 CVE-2016-1922
Debian Bug     : 799452 806373 806741 806742 808130 808144 810519 810527 811201

Several vulnerabilities were discovered in qemu-kvm, a full
virtualization solution on x86 hardware.

CVE-2015-7295

    Jason Wang of Red Hat Inc. discovered that the Virtual Network
    Device support is vulnerable to denial-of-service (via resource
    exhaustion), that could occur when receiving large packets.

CVE-2015-7504

    Qinghao Tang of Qihoo 360 Inc. and Ling Liu of Qihoo 360 Inc.
    discovered that the PC-Net II ethernet controller is vulnerable to
    a heap-based buffer overflow that could result in
    denial-of-service (via application crash) or arbitrary code
    execution.

CVE-2015-7512

    Ling Liu of Qihoo 360 Inc. and Jason Wang of Red Hat Inc.
    discovered that the PC-Net II ethernet controller is vulnerable to
    a buffer overflow that could result in denial-of-service (via
    application crash) or arbitrary code execution.

CVE-2015-8345

    Qinghao Tang of Qihoo 360 Inc. discovered that the eepro100
    emulator contains a flaw that could lead to an infinite loop when
    processing Command Blocks, eventually resulting in
    denial-of-service (via application crash).

CVE-2015-8504

    Lian Yihan of Qihoo 360 Inc. discovered that the VNC display
    driver support is vulnerable to an arithmetic exception flaw that
    could lead to denial-of-service (via application crash).

CVE-2015-8558

    Qinghao Tang of Qihoo 360 Inc. discovered that the USB EHCI
    emulation support contains a flaw that could lead to an infinite
    loop during communication between the host controller and a device
    driver. This could lead to denial-of-service (via resource
    exhaustion).

CVE-2015-8743

    Ling Liu of Qihoo 360 Inc. discovered that the NE2000 emulator is
    vulnerable to an out-of-bound read/write access issue, potentially
    resulting in information leak or memory corruption.

CVE-2016-1568

    Qinghao Tang of Qihoo 360 Inc. discovered that the IDE AHCI
    emulation support is vulnerable to a use-after-free issue, that
    could lead to denial-of-service (via application crash) or
    arbitrary code execution.

CVE-2016-1714

    Donghai Zhu of Alibaba discovered that the Firmware Configuration
    emulation support is vulnerable to an out-of-bound read/write
    access issue, that could lead to denial-of-service (via
    application crash) or arbitrary code execution.

CVE-2016-1922

    Ling Liu of Qihoo 360 Inc. discovered that 32-bit Windows guests
    support is vulnerable to a null pointer dereference issue, that
    could lead to denial-of-service (via application crash).

For the oldstable distribution (wheezy), these problems have been fixed
in version 1.1.2+dfsg-6+deb7u12.

We recommend that you upgrade your qemu-kvm packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCgAGBQJWuOWZAAoJEBC+iYPz1Z1kylMIALq/IPzVOF8tzSNHkwIPg0Hw
Z9NYVOgzKyy4+FYeQIC0UldwTsWl5nb5GrM8cLHFAibCNUfBkMafwAZrxxMCexvC
IJmULnfFjhWuYu8bK5m4MGjsA830k+QxREx+zrWnrBGj0/bgpYlkfns6ZvLwijb3
ieqGh3Flh+JPc+lCgCRjWEwFal9A6OBXNzhkJQGv0TE+s+p5HtPs9b45VQ+OIgC8
pIOJPihqP9w7DA8jGsGK5M3U875SoWr2vf4k+kGhv7ofBvyPwH/qf2lDqx3s/d/W
9D1JAnBVftPzfdm2Ol503gIkhDGSOto46hdcIvmD8YjmCdPASUmi22UAedgA0uU=
=CVa1
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3471-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
February 08, 2016                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : qemu
CVE ID         : CVE-2015-7295 CVE-2015-7504 CVE-2015-7512 CVE-2015-7549 
                 CVE-2015-8345 CVE-2015-8504 CVE-2015-8550 CVE-2015-8558 CVE-2015-8567 CVE-2015-8568 CVE-2015-8613 CVE-2015-8619 CVE-2015-8743 CVE-2015-8744 CVE-2015-8745 CVE-2016-1568 CVE-2016-1714 CVE-2016-1922 CVE-2016-1981
Debian Bug     : 799452 806373 806741 806742 808130 808131 808144 808145 809229 809232 810519 810527 811201 812307 809237 809237

Several vulnerabilities were discovered in qemu, a full virtualization
solution on x86 hardware.

CVE-2015-7295

    Jason Wang of Red Hat Inc. discovered that the Virtual Network
    Device support is vulnerable to denial-of-service, that could
    occur when receiving large packets.

CVE-2015-7504

    Qinghao Tang of Qihoo 360 Inc. and Ling Liu of Qihoo 360 Inc.
    discovered that the PC-Net II ethernet controller is vulnerable to
    a heap-based buffer overflow that could result in
    denial-of-service (via application crash) or arbitrary code
    execution.

CVE-2015-7512

    Ling Liu of Qihoo 360 Inc. and Jason Wang of Red Hat Inc.
    discovered that the PC-Net II ethernet controller is vulnerable to
    a buffer overflow that could result in denial-of-service (via
    application crash) or arbitrary code execution.

CVE-2015-7549

    Qinghao Tang of Qihoo 360 Inc. and Ling Liu of Qihoo 360
    Inc. discovered that the PCI MSI-X emulator is vulnerable to a
    null pointer dereference issue, that could lead to
    denial-of-service (via application crash).

CVE-2015-8345

    Qinghao Tang of Qihoo 360 Inc. discovered that the eepro100
    emulator contains a flaw that could lead to an infinite loop when
    processing Command Blocks, eventually resulting in
    denial-of-service (via application crash).

CVE-2015-8504

    Lian Yihan of Qihoo 360 Inc. discovered that the VNC display
    driver support is vulnerable to an arithmetic exception flaw that
    could lead to denial-of-service (via application crash).

CVE-2015-8550

    Felix Wilhelm of ERNW Research that the PV backend drivers are
    vulnerable to double fetch vulnerabilities, possibly resulting in
    arbitrary code execution.

CVE-2015-8558

    Qinghao Tang of Qihoo 360 Inc. discovered that the USB EHCI
    emulation support contains a flaw that could lead to an infinite
    loop during communication between the host controller and a device
    driver. This could lead to denial-of-service (via resource
    exhaustion).

CVE-2015-8567 CVE-2015-8568

    Qinghao Tang of Qihoo 360 Inc. discovered that the vmxnet3 device
    emulator could be used to intentionally leak host memory, thus
    resulting in denial-of-service.

CVE-2015-8613

    Qinghao Tang of Qihoo 360 Inc. discovered that the SCSI MegaRAID
    SAS HBA emulation support is vulnerable to a stack-based buffer
    overflow issue, that could lead to denial-of-service (via
    application crash).

CVE-2015-8619

    Ling Liu of Qihoo 360 Inc. discovered that the Human Monitor
    Interface support is vulnerable to an out-of-bound write access
    issue that could result in denial-of-service (via application
    crash).

CVE-2015-8743

    Ling Liu of Qihoo 360 Inc. discovered that the NE2000 emulator is
    vulnerable to an out-of-bound read/write access issue, potentially
    resulting in information leak or memory corruption.

CVE-2015-8744

   The vmxnet3 driver incorrectly processes small packets, which could
   result in denial-of-service (via application crash).

CVE-2015-8745

   The vmxnet3 driver incorrectly processes Interrupt Mask Registers,
   which could result in denial-of-service (via application crash).

CVE-2016-1568

    Qinghao Tang of Qihoo 360 Inc. discovered that the IDE AHCI
    emulation support is vulnerable to a use-after-free issue, that
    could lead to denial-of-service (via application crash) or
    arbitrary code execution.

CVE-2016-1714

    Donghai Zhu of Alibaba discovered that the Firmware Configuration
    emulation support is vulnerable to an out-of-bound read/write
    access issue, that could lead to denial-of-service (via
    application crash) or arbitrary code execution.

CVE-2016-1922

    Ling Liu of Qihoo 360 Inc. discovered that 32-bit Windows guests
    support is vulnerable to a null pointer dereference issue, that
    could lead to denial-of-service (via application crash).

CVE-2016-1981

    The e1000 driver is vulnerable to an infinite loop issue that
    could lead to denial-of-service (via application crash).

For the stable distribution (jessie), these problems have been fixed in
version 1:2.1+dfsg-12+deb8u5a.

We recommend that you upgrade your qemu packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCgAGBQJWuOaQAAoJEBC+iYPz1Z1kkZIH/jyJ+TuoNYvErltzw17m6TmC
4S6G4yAm3MILtC05UsClvI5uscPlpy+VaS0LA+OjEVriCqmxQaXiY35mQFa5ptiS
/IC90wHehtBjcc3ID7tuk2HF4jIbYMvdLlXRp5e4CcfSaqQQkLqE/suozViVNSsj
YIhKRjY9jeVEuSALCkkDT8nHoT6zDWZeYeT5WegouPRO+RqxjFsLnBU+DxGqjnvc
Ty2Gw7XsBxh0Bhe9YL3eWl/QsHvTSYPkBmgHWuNG+LjSNStSzjUg3cFKQf/PLdVg
CgM5yPo3Y89YNqn3U7CEA5DsIltzqfexddUFZZtUg/bgtyhrp3djTAikCjM43sU=
=kgTM
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVrlLt36ZAP0PgtI9AQL6Vw/8CDMr8WFHD0DXD9Ep4iE6XhO/PgJYJ5L1
iHbP/SfiZiGQqTaHU+KrxxkrHv8OFTLFP8d6gpzzgNGNnvwxzLk3pgFtjZkdJ+m/
ccQ3kNFGaK86mERgHabWZJZ+bqZEvMSwbIO224r9+AU2TwqGaQGD3oVH3L8oa85Z
IqCKhYW/FPaWPwDz/0VlN/5d18CpX2La9+p+p0dXHt4HKz/tKsb9oJH4RrNndEbJ
dMQEUzFBMMMwkboA2gkU/Jqls5AF5oII/QzUBeBBv3o9Yo0O6Uluv8a8+VVICJFH
DrNe+LlMsBYsoVYcHs7i1pZnKhflVBwtWP1oLtPlpPOdqlkEvRB8VsX37NN5Af0P
DbGZrMAihP4Qxq3I2C3vShu1Yy8emYRONTZL0GoQeBWQACmnyh8xK4MHQUIh5Yfz
CV+91RwRrcQbJue7wI5p/x0ebTetnMIZEFLMRzq1tio3oIWfpU+Vm3FAUknoFo6w
HxBTX2IONoZjacDgMyShMRZq9DPXWXEu8ayhXt77C9Ru3wLqP4ejC787GYFYpjen
/uZ8/rP3Vy7EGZBA+AA1B5B7zL0/mXptaJlBGuZG/5Pja48nJfezgmO6EEuOjaFu
siSvPUJQ5Xa5hv5m059K1v+H8Pq1IsfHZE+XmxmXrw7JqAtyDBl1xxGLJIdDqfov
pDp58hUSxw4=
=Gtxo
-----END PGP SIGNATURE-----