Debian Long Term Support / LTS Security Information / 2016 / Security Information -- DLA-574-1 qemu-kvm

Debian Security Advisory

DLA-574-1 qemu-kvm -- LTS security update

Date Reported:

30 Jul 2016

Affected Packages:

qemu-kvm

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2015-5239, CVE-2016-2857, CVE-2016-4020, CVE-2016-4439, CVE-2016-5403, CVE-2016-6351.

More information:

Multiple vulnerabilities have been discovered in qemu-kvm, a full virtualization solution on x86 hardware. The Common Vulnerabilities and Exposures project identifies the following problems:

• CVE-2015-5239

  Lian Yihan discovered that QEMU incorrectly handled certain payload messages in the VNC display driver. A malicious guest could use this issue to cause the QEMU process to hang, resulting in a denial of service.

• CVE-2016-2857

  Ling Liu discovered that QEMU incorrectly handled IP checksum routines. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly leak host memory bytes.

• CVE-2016-4020

  Donghai Zdh discovered that QEMU incorrectly handled the Task Priority Register(TPR). A privileged attacker inside the guest could use this issue to possibly leak host memory bytes.

• CVE-2016-4439 / CVE-2016-6351

  Li Qiang disovered that the emulation of the 53C9X Fast SCSI Controller is affected by out of bound access issues.

• CVE-2016-5403

  Zhenhao Hong discovered that a malicious guest administrator can cause unbounded memory allocation in QEMU (which can cause an Out-of-Memory condition) by submitting virtio requests without bothering to wait for completion.

For Debian 7 Wheezy, these problems have been fixed in version 1.1.2+dfsg-6+deb7u14.

We recommend that you upgrade your qemu-kvm packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS