SUSE-SU-2016:2589-1

Source
https://www.suse.com/support/update/announcement/2016/suse-su-20162589-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2016:2589-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2016:2589-1
Related
Published
2016-10-21T13:19:52Z
Modified
2016-10-21T13:19:52Z
Summary
Security update for qemu
Details

qemu was updated to fix 19 security issues.

These security issues were fixed: - CVE-2016-2392: The isrndis function in the USB Net device emulator (hw/usb/dev-network.c) in QEMU did not properly validate USB configuration descriptor objects, which allowed local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving a remote NDIS control message packet (bsc#967012) - CVE-2016-2391: The ohcibusstart function in the USB OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU allowed local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors related to multiple eoftimers (bsc#967013) - CVE-2016-5106: The megasasdcmdsetproperties function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allowed local guest administrators to cause a denial of service (out-of-bounds write access) via vectors involving a MegaRAID Firmware Interface (MFI) command (bsc#982018) - CVE-2016-5105: The megasasdcmdcfgread function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, used an uninitialized variable, which allowed local guest administrators to read host memory via vectors involving a MegaRAID Firmware Interface (MFI) command (bsc#982017) - CVE-2016-5107: The megasaslookupframe function in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allowed local guest OS administrators to cause a denial of service (out-of-bounds read and crash) via unspecified vectors (bsc#982019) - CVE-2016-5126: Heap-based buffer overflow in the iscsiaioioctl function in block/iscsi.c in QEMU allowed local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call (bsc#982285) - CVE-2016-4454: The vmsvgafiforeadraw function in hw/display/vmwarevga.c in QEMU allowed local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggers an out-of-bounds read (bsc#982222) - CVE-2016-4453: The vmsvgafiforun function in hw/display/vmwarevga.c in QEMU allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command (bsc#982223) - CVE-2016-5338: The (1) espregread and (2) espregwrite functions in hw/scsi/esp.c in QEMU allowed local guest OS administrators to cause a denial of service (QEMU process crash) or execute arbitrary code on the QEMU host via vectors related to the information transfer buffer (bsc#983982) - CVE-2016-5337: The megasasctrlgetinfo function in hw/scsi/megasas.c in QEMU allowed local guest OS administrators to obtain sensitive host memory information via vectors related to reading device control information (bsc#983961) - CVE-2016-5238: The getcmd function in hw/scsi/esp.c in QEMU allowed local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to reading from the information transfer buffer in non-DMA mode (bsc#982959) - CVE-2016-5403: The virtqueuepop function in hw/virtio/virtio.c in QEMU allowed local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion (bsc#991080) - CVE-2016-6490: Infinite loop in the virtio framework. A privileged user inside the guest could have used this flaw to crash the Qemu instance on the host resulting in DoS (bsc#991466) - CVE-2016-6888: Integer overflow in packet initialisation in VMXNET3 device driver. A privileged user inside guest could have used this flaw to crash the Qemu instance resulting in DoS (bsc#994771) - CVE-2016-6833: Use-after-free issue in the VMWARE VMXNET3 NIC device support. A privileged user inside guest could have used this issue to crash the Qemu instance resulting in DoS (bsc#994774) - CVE-2016-7116: Host directory sharing via Plan 9 File System(9pfs) was vulnerable to a directory/path traversal issue. A privileged user inside guest could have used this flaw to access undue files on the host (bsc#996441) - CVE-2016-6836: VMWARE VMXNET3 NIC device support was leaging information leakage. A privileged user inside guest could have used this to leak host memory bytes to a guest (bsc#994760) - CVE-2016-7155: In the VMWARE PVSCSI paravirtual SCSI bus a OOB access and/or infinite loop issue could have allowed a privileged user inside guest to crash the Qemu process resulting in DoS (bsc#997858) - CVE-2016-7156: In the VMWARE PVSCSI paravirtual SCSI bus a infinite loop issue could have allowed a privileged user inside guest to crash the Qemu process resulting in DoS (bsc#997859)

This non-security issue was fixed: - bsc#1000048: Fix migration failure where target host is a soon to be released SLES 12 SP2. Qemu's spice code gets an assertion.

References

Affected packages

SUSE:Linux Enterprise Desktop 12 SP1 / qemu

Package

Name
qemu
Purl
pkg:rpm/suse/qemu&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.3.1-21.1

Ecosystem specific

{
    "binaries": [
        {
            "qemu-tools": "2.3.1-21.1",
            "qemu": "2.3.1-21.1",
            "qemu-block-curl": "2.3.1-21.1",
            "qemu-sgabios": "8-21.1",
            "qemu-seabios": "1.8.1-21.1",
            "qemu-kvm": "2.3.1-21.1",
            "qemu-ipxe": "1.0.0-21.1",
            "qemu-vgabios": "1.8.1-21.1",
            "qemu-x86": "2.3.1-21.1"
        }
    ]
}

SUSE:Linux Enterprise Server 12 SP1 / qemu

Package

Name
qemu
Purl
pkg:rpm/suse/qemu&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.3.1-21.1

Ecosystem specific

{
    "binaries": [
        {
            "qemu-tools": "2.3.1-21.1",
            "qemu-block-curl": "2.3.1-21.1",
            "qemu-guest-agent": "2.3.1-21.1",
            "qemu-lang": "2.3.1-21.1",
            "qemu-seabios": "1.8.1-21.1",
            "qemu-kvm": "2.3.1-21.1",
            "qemu-vgabios": "1.8.1-21.1",
            "qemu-x86": "2.3.1-21.1",
            "qemu-s390": "2.3.1-21.1",
            "qemu": "2.3.1-21.1",
            "qemu-sgabios": "8-21.1",
            "qemu-ipxe": "1.0.0-21.1",
            "qemu-ppc": "2.3.1-21.1",
            "qemu-block-rbd": "2.3.1-21.1"
        }
    ]
}

SUSE:Linux Enterprise Server for SAP Applications 12 SP1 / qemu

Package

Name
qemu
Purl
pkg:rpm/suse/qemu&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.3.1-21.1

Ecosystem specific

{
    "binaries": [
        {
            "qemu-tools": "2.3.1-21.1",
            "qemu-block-curl": "2.3.1-21.1",
            "qemu-guest-agent": "2.3.1-21.1",
            "qemu-lang": "2.3.1-21.1",
            "qemu-seabios": "1.8.1-21.1",
            "qemu-kvm": "2.3.1-21.1",
            "qemu-vgabios": "1.8.1-21.1",
            "qemu-x86": "2.3.1-21.1",
            "qemu-s390": "2.3.1-21.1",
            "qemu": "2.3.1-21.1",
            "qemu-sgabios": "8-21.1",
            "qemu-ipxe": "1.0.0-21.1",
            "qemu-ppc": "2.3.1-21.1",
            "qemu-block-rbd": "2.3.1-21.1"
        }
    ]
}