Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2015:0889-1

Опубликовано: 19 сент. 2014
Источник: suse-cvrf

Описание

Security update for kvm

kvm has been updated to fix issues in the embedded qemu:

* CVE-2014-0223: An integer overflow flaw was found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could have used this flaw to corrupt QEMU process memory on the host, which could potentially have resulted in arbitrary code execution on the host with the privileges of the QEMU process. * CVE-2014-3461: A user able to alter the savevm data (either on the disk or over the wire during migration) could have used this flaw to to corrupt QEMU process memory on the (destination) host, which could have potentially resulted in arbitrary code execution on the host with the privileges of the QEMU process. * CVE-2014-0222: An integer overflow flaw was found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could have used this flaw to corrupt QEMU process memory on the host, which could have potentially resulted in arbitrary code execution on the host with the privileges of the QEMU process.

Non-security bugs fixed:

* Fix exceeding IRQ routes that could have caused freezes of guests. (bnc#876842) * Fix CPUID emulation bugs that may have broken Windows guests with newer -cpu types (bnc#886535)

Security Issues:

* CVE-2014-0222 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0222> * CVE-2014-0223 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0223> * CVE-2014-3461 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3461>

Список пакетов

SUSE Linux Enterprise Desktop 11 SP3
kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3
kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3-TERADATA
kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server for SAP Applications 11 SP3
kvm-1.4.2-0.17.1

Ссылки

Описание

A flaw was found in the way qemu v1.3.0 and later (virtio-rng) validates addresses when guest accesses the config space of a virtio device. If the virtio device has zero/small sized config space, such as virtio-rng, a privileged guest user could use this flaw to access the matching host's qemu address space and thus increase their privileges on the host.

Затронутые продукты
SUSE Linux Enterprise Desktop 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3-TERADATA:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server for SAP Applications 11 SP3:kvm-1.4.2-0.17.1
Ссылки

Описание

Buffer overflow in the SCSI implementation in QEMU, as used in Xen, when a SCSI controller has more than 256 attached devices, allows local users to gain privileges via a small transfer buffer in a REPORT LUNS command.

Затронутые продукты
SUSE Linux Enterprise Desktop 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3-TERADATA:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server for SAP Applications 11 SP3:kvm-1.4.2-0.17.1
Ссылки

Описание

The usb_device_post_load function in hw/usb/bus.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted savevm image, related to a negative setup_len or setup_index value.

Затронутые продукты
SUSE Linux Enterprise Desktop 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3-TERADATA:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server for SAP Applications 11 SP3:kvm-1.4.2-0.17.1
Ссылки

Описание

QEMU, possibly before 2.0.0, allows local users to cause a denial of service (divide-by-zero error and crash) via a zero value in the (1) tracks field to the seek_to_sector function in block/parallels.c or (2) extent_size field in the bochs function in block/bochs.c.

Затронутые продукты
SUSE Linux Enterprise Desktop 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3-TERADATA:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server for SAP Applications 11 SP3:kvm-1.4.2-0.17.1
Ссылки

Описание

Multiple integer overflows in the block drivers in QEMU, possibly before 2.0.0, allow local users to cause a denial of service (crash) via a crafted catalog size in (1) the parallels_open function in block/parallels.c or (2) bochs_open function in bochs.c, a large L1 table in the (3) qcow2_snapshot_load_tmp in qcow2-snapshot.c or (4) qcow2_grow_l1_table function in qcow2-cluster.c, (5) a large request in the bdrv_check_byte_request function in block.c and other block drivers, (6) crafted cluster indexes in the get_refcount function in qcow2-refcount.c, or (7) a large number of blocks in the cloop_open function in cloop.c, which trigger buffer overflows, memory corruption, large memory allocations and out-of-bounds read and writes.

Затронутые продукты
SUSE Linux Enterprise Desktop 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3-TERADATA:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server for SAP Applications 11 SP3:kvm-1.4.2-0.17.1
Ссылки

Описание

QEMU before 2.0.0 block drivers for CLOOP, QCOW2 version 2 and various other image formats are vulnerable to potential memory corruptions, integer/buffer overflows or crash caused by missing input validations which could allow a remote user to execute arbitrary code on the host with the privileges of the QEMU process.

Затронутые продукты
SUSE Linux Enterprise Desktop 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3-TERADATA:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server for SAP Applications 11 SP3:kvm-1.4.2-0.17.1
Ссылки

Описание

Multiple buffer overflows in QEMU before 1.7.2 and 2.x before 2.0.0, allow local users to cause a denial of service (crash) or possibly execute arbitrary code via a large (1) L1 table in the qcow2_snapshot_load_tmp in the QCOW 2 block driver (block/qcow2-snapshot.c) or (2) uncompressed chunk, (3) chunk length, or (4) number of sectors in the DMG block driver (block/dmg.c).

Затронутые продукты
SUSE Linux Enterprise Desktop 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3-TERADATA:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server for SAP Applications 11 SP3:kvm-1.4.2-0.17.1
Ссылки

Описание

The qcow2_open function in the (block/qcow2.c) in QEMU before 1.7.2 and 2.x before 2.0.0 allows local users to cause a denial of service (NULL pointer dereference) via a crafted image which causes an error, related to the initialization of the snapshot_offset and nb_snapshots fields.

Затронутые продукты
SUSE Linux Enterprise Desktop 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3-TERADATA:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server for SAP Applications 11 SP3:kvm-1.4.2-0.17.1
Ссылки

Описание

Qemu before 1.6.2 block diver for the various disk image formats used by Bochs and for the QCOW version 2 format, are vulnerable to a possible crash caused by signed data types or a logic error while creating QCOW2 snapshots, which leads to incorrectly calling update_refcount() routine.

Затронутые продукты
SUSE Linux Enterprise Desktop 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3-TERADATA:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server for SAP Applications 11 SP3:kvm-1.4.2-0.17.1
Ссылки

Описание

Integer overflow in the virtio_net_handle_mac function in hw/net/virtio-net.c in QEMU 2.0 and earlier allows local guest users to execute arbitrary code via a MAC addresses table update request, which triggers a heap-based buffer overflow.

Затронутые продукты
SUSE Linux Enterprise Desktop 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3-TERADATA:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server for SAP Applications 11 SP3:kvm-1.4.2-0.17.1
Ссылки

Описание

Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image.

Затронутые продукты
SUSE Linux Enterprise Desktop 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3-TERADATA:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server for SAP Applications 11 SP3:kvm-1.4.2-0.17.1
Ссылки

Описание

Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a large image size, which triggers a buffer overflow or out-of-bounds read.

Затронутые продукты
SUSE Linux Enterprise Desktop 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3-TERADATA:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server for SAP Applications 11 SP3:kvm-1.4.2-0.17.1
Ссылки

Описание

Off-by-one error in the cmd_smart function in the smart self test in hw/ide/core.c in QEMU before 2.0 allows local users to have unspecified impact via a SMART EXECUTE OFFLINE command that triggers a buffer underflow and memory corruption.

Затронутые продукты
SUSE Linux Enterprise Desktop 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3-TERADATA:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server for SAP Applications 11 SP3:kvm-1.4.2-0.17.1
Ссылки

Описание

hw/usb/bus.c in QEMU 1.6.2 allows remote attackers to execute arbitrary code via crafted savevm data, which triggers a heap-based buffer overflow, related to "USB post load checks."

Затронутые продукты
SUSE Linux Enterprise Desktop 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3-TERADATA:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server for SAP Applications 11 SP3:kvm-1.4.2-0.17.1
Ссылки

Описание

The VNC websocket frame decoder in QEMU allows remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section.

Затронутые продукты
SUSE Linux Enterprise Desktop 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3-TERADATA:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server for SAP Applications 11 SP3:kvm-1.4.2-0.17.1
Ссылки

Описание

Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set.

Затронутые продукты
SUSE Linux Enterprise Desktop 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3-TERADATA:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server for SAP Applications 11 SP3:kvm-1.4.2-0.17.1
Ссылки

Описание

The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM.

Затронутые продукты
SUSE Linux Enterprise Desktop 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3-TERADATA:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server 11 SP3:kvm-1.4.2-0.17.1
SUSE Linux Enterprise Server for SAP Applications 11 SP3:kvm-1.4.2-0.17.1
Ссылки
Уязвимость SUSE-SU-2015:0889-1