Description
Security update for qemu
This update for qemu fixes the following issues:
- Patch queue updated from https://gitlab.suse.de/virtualization/qemu.git SLE12-SP1
- Change package post script udevadm trigger calls to be device specific (bsc#1002116)
- Address various security/stability issues
- Fix OOB access in xlnx.xps-ethernetlite emulation (CVE-2016-7161 bsc#1001151)
- Fix OOB access in VMware SVGA emulation (CVE-2016-7170 bsc#998516)
- Fix DOS in USB xHCI emulation (CVE-2016-7466 bsc#1000345)
- Fix DOS in VMware pv scsi interface (CVE-2016-7421 bsc#999661)
- Fix DOS in ColdFire Fast Ethernet Controller emulation (CVE-2016-7908 bsc#1002550)
- Fix DOS in USB xHCI emulation (CVE-2016-8576 bsc#1003878)
- Fix DOS in virtio-9pfs (CVE-2016-8578 bsc#1003894)
- Fix DOS in virtio-9pfs (CVE-2016-9105 bsc#1007494)
- Fix DOS in virtio-9pfs (CVE-2016-8577 bsc#1003893)
- Plug data leak in virtio-9pfs interface (CVE-2016-9103 bsc#1007454)
- Fix DOS in virtio-9pfs interface (CVE-2016-9102 bsc#1007450)
- Fix DOS in virtio-9pfs (CVE-2016-9106 bsc#1007495)
- Fix DOS in 16550A UART emulation (CVE-2016-8669 bsc#1004707)
- Fix DOS in PC-Net II emulation (CVE-2016-7909 bsc#1002557)
- Fix DOS in PRO100 emulation (CVE-2016-9101 bsc#1007391)
- Fix DOS in RTL8139 emulation (CVE-2016-8910 bsc#1006538)
- Fix DOS in Intel HDA controller emulation (CVE-2016-8909 bsc#1006536)
- Fix DOS in virtio-9pfs (CVE-2016-9104 bsc#1007493)
- Fix DOS in JAZZ RC4030 emulation (CVE-2016-8667 bsc#1004702)
- Fix case of disk corruption with migration due to improper internal state tracking (bsc#996524)
This update was imported from the SUSE:SLE-12-SP1:Update update project.
Package list
openSUSE Leap 42.1
References
- E-Mail link for openSUSE-SU-2016:3103-1
- SUSE Security Ratings
Description
Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allows attackers to execute arbitrary code on the QEMU host via a large ethlite packet.
Affected products
References
- CVE-2016-7161
- SUSE Bug 1001151
- SUSE Bug 1001152
Description
The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to cursor.mask[] and cursor.image[] array sizes when processing a DEFINE_CURSOR svga command.
Affected products
References
- CVE-2016-7170
- SUSE Bug 998516
Description
The pvscsi_ring_pop_req_descr function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit process IO loop to the ring size.
Affected products
References
- CVE-2016-7421
- SUSE Bug 999661
Description
Memory leak in the usb_xhci_exit function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator), when the xhci uses msix, allows local guest OS administrators to cause a denial of service (memory consumption and possibly QEMU process crash) by repeatedly unplugging a USB device.
Affected products
References
- CVE-2016-7466
- SUSE Bug 1000345
Description
The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags.
Affected products
References
- CVE-2016-7908
- SUSE Bug 1002550
- SUSE Bug 1003030
Description
The pcnet_rdra_addr function in hw/net/pcnet.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0.
Affected products
References
- CVE-2016-7909
- SUSE Bug 1002557
- SUSE Bug 1003032
Description
The xhci_ring_fetch function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit the number of link Transfer Request Blocks (TRB) to process.
Affected products
References
- CVE-2016-8576
- SUSE Bug 1003878
- SUSE Bug 1004016
Description
Memory leak in the v9fs_read function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors related to an I/O read operation.
Affected products
References
- CVE-2016-8577
- SUSE Bug 1003893
- SUSE Bug 1004021
Description
The v9fs_iov_vunmarshal function in fsdev/9p-iov-marshal.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) by sending an empty string parameter to a 9P operation.
Affected products
References
- CVE-2016-8578
- SUSE Bug 1003894
- SUSE Bug 1004023
Description
The rc4030_write function in hw/dma/rc4030.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via a large interval timer reload value.
Affected products
References
- CVE-2016-8667
- SUSE Bug 1004702
- SUSE Bug 1005004
Description
The serial_update_parameters function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base.
Affected products
References
- CVE-2016-8669
- SUSE Bug 1004707
- SUSE Bug 1005005
Description
The intel_hda_xfer function in hw/audio/intel-hda.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via an entry with the same value for buffer length and pointer position.
Affected products
References
- CVE-2016-8909
- SUSE Bug 1006536
- SUSE Bug 1007160
Description
The rtl8139_cplus_transmit function in hw/net/rtl8139.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count.
Affected products
References
- CVE-2016-8910
- SUSE Bug 1006538
- SUSE Bug 1007157
- SUSE Bug 1024178
Description
Memory leak in hw/net/eepro100.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by repeatedly unplugging an i8255x (PRO100) NIC device.
Affected products
References
- CVE-2016-9101
- SUSE Bug 1007391
- SUSE Bug 1013668
- SUSE Bug 1024181
Description
Memory leak in the v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) via a large number of Txattrcreate messages with the same fid number.
Affected products
References
- CVE-2016-9102
- SUSE Bug 1007450
- SUSE Bug 1014256
Description
The v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host heap memory information by reading xattribute values before writing to them.
Affected products
References
- CVE-2016-9103
- SUSE Bug 1007454
- SUSE Bug 1014259
Description
Multiple integer overflows in the (1) v9fs_xattr_read and (2) v9fs_xattr_write functions in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via a crafted offset, which triggers an out-of-bounds access.
Affected products
References
- CVE-2016-9104
- SUSE Bug 1007493
- SUSE Bug 1014297
- SUSE Bug 1034990
Description
Memory leak in the v9fs_link function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors involving a reference to the source fid object.
Affected products
References
- CVE-2016-9105
- SUSE Bug 1007494
- SUSE Bug 1014279
Description
Memory leak in the v9fs_write function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) by leveraging failure to free an IO vector.
Affected products
References
- CVE-2016-9106
- SUSE Bug 1007495
- SUSE Bug 1014299