Security update for qemu

Announcement ID:	SUSE-SU-2016:2879-1
Rating:	moderate
References:	bsc#1000345 bsc#1000346 bsc#1001151 bsc#1002116 bsc#1002549 bsc#1002550 bsc#1002557 bsc#1003612 bsc#1003613 bsc#1003878 bsc#1003893 bsc#1003894 bsc#1004702 bsc#1004706 bsc#1004707 bsc#1005353 bsc#1005374 bsc#1006536 bsc#1006538 bsc#1007263 bsc#1007391 bsc#1007493 bsc#1007494 bsc#1007495 bsc#1007769 bsc#1008148 bsc#998516
Cross-References:	CVE-2016-7161 CVE-2016-7170 CVE-2016-7422 CVE-2016-7466 CVE-2016-7907 CVE-2016-7908 CVE-2016-7909 CVE-2016-7994 CVE-2016-7995 CVE-2016-8576 CVE-2016-8577 CVE-2016-8578 CVE-2016-8667 CVE-2016-8668 CVE-2016-8669 CVE-2016-8909 CVE-2016-8910 CVE-2016-9101 CVE-2016-9104 CVE-2016-9105 CVE-2016-9106
CVSS scores:	CVE-2016-7161 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-7161 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-7170 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2016-7170 ( NVD ): 4.4 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2016-7422 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2016-7422 ( NVD ): 6.0 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2016-7466 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2016-7466 ( NVD ): 6.0 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2016-7907 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2016-7907 ( NVD ): 4.4 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2016-7908 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2016-7908 ( NVD ): 4.4 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2016-7909 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2016-7909 ( NVD ): 4.4 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2016-7994 ( NVD ): 6.0 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2016-7995 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2016-7995 ( NVD ): 6.0 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2016-8576 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2016-8576 ( NVD ): 6.0 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2016-8577 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2016-8577 ( NVD ): 6.0 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2016-8578 ( NVD ): 6.0 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2016-8667 ( NVD ): 6.0 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2016-8668 ( NVD ): 6.0 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2016-8669 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2016-8669 ( NVD ): 6.0 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2016-8909 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2016-8909 ( NVD ): 6.0 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2016-8910 ( SUSE ): 3.0 CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L CVE-2016-8910 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2016-8910 ( NVD ): 6.0 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2016-9101 ( NVD ): 6.0 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2016-9104 ( NVD ): 4.4 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2016-9105 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2016-9105 ( NVD ): 6.0 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2016-9106 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2016-9106 ( NVD ): 6.0 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2

An update that solves 21 vulnerabilities and has six security fixes can now be installed.

Description:

This update for qemu to version 2.6.2 fixes the several issues.

These security issues were fixed: - CVE-2016-7161: Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allowed attackers to execute arbitrary code on the QEMU host via a large ethlite packet (bsc#1001151). - CVE-2016-7170: OOB stack memory access when processing svga command (bsc#998516). - CVE-2016-7466: xhci memory leakage during device unplug (bsc#1000345). - CVE-2016-7422: NULL pointer dereference in virtqueu_map_desc (bsc#1000346). - CVE-2016-7908: The mcf_fec_do_tx function in hw/net/mcf_fec.c did not properly limit the buffer descriptor count when transmitting packets, which allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags (bsc#1002550). - CVE-2016-7995: Memory leak in ehci_process_itd (bsc#1003612). - CVE-2016-8576: The xhci_ring_fetch function in hw/usb/hcd-xhci.c allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit the number of link Transfer Request Blocks (TRB) to process (bsc#1003878). - CVE-2016-8578: The v9fs_iov_vunmarshal function in fsdev/9p-iov-marshal.c allowed local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) by sending an empty string parameter to a 9P operation (bsc#1003894). - CVE-2016-9105: Memory leakage in v9fs_link (bsc#1007494). - CVE-2016-8577: Memory leak in the v9fs_read function in hw/9pfs/9p.c allowed local guest OS administrators to cause a denial of service (memory consumption) via vectors related to an I/O read operation (bsc#1003893). - CVE-2016-9106: Memory leakage in v9fs_write (bsc#1007495). - CVE-2016-8669: The serial_update_parameters function in hw/char/serial.c allowed local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base (bsc#1004707). - CVE-2016-7909: The pcnet_rdra_addr function in hw/net/pcnet.c allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0 (bsc#1002557). - CVE-2016-9101: eepro100 memory leakage whern unplugging a device (bsc#1007391). - CVE-2016-8668: The rocker_io_writel function in hw/net/rocker/rocker.c allowed local guest OS administrators to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging failure to limit DMA buffer size (bsc#1004706). - CVE-2016-8910: The rtl8139_cplus_transmit function in hw/net/rtl8139.c allowed local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count (bsc#1006538). - CVE-2016-8909: The intel_hda_xfer function in hw/audio/intel-hda.c allowed local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via an entry with the same value for buffer length and pointer position (bsc#1006536). - CVE-2016-7994: Memory leak in virtio_gpu_resource_create_2d (bsc#1003613). - CVE-2016-9104: Integer overflow leading to OOB access in 9pfs (bsc#1007493). - CVE-2016-8667: The rc4030_write function in hw/dma/rc4030.c allowed local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via a large interval timer reload value (bsc#1004702). - CVE-2016-7907: The pcnet_rdra_addr function in hw/net/pcnet.c allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0 (bsc#1002549).

These non-security issues were fixed: - Change kvm-supported.txt to be per-architecture documentation, stored in the package documentation directory of each per-arch package (bsc#1005353). - Update support doc to include current ARM64 (AArch64) support stance (bsc#1005374). - Fix migration failure when snapshot also has been done (bsc#1008148). - Change package post script udevadm trigger calls to be device specific (bsc#1002116). - Add qmp-commands.txt documentation file back in. It was inadvertently dropped. - Add an x86 cpu option (l3-cache) to specify that an L3 cache is present and another option (cpuid-0xb) to enable the cpuid 0xb leaf (bsc#1007769).

For Leap 42.2 this update also enabled the smartcard support (bsc#1007263).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Desktop 12 SP2
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1682=1
• SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2
  zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1682=1
• SUSE Linux Enterprise High Performance Computing 12 SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1682=1
• SUSE Linux Enterprise Server 12 SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1682=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1682=1

Package List:

• SUSE Linux Enterprise Desktop 12 SP2 (x86_64)
  • qemu-block-curl-2.6.2-31.2
  • qemu-tools-2.6.2-31.2
  • qemu-kvm-2.6.2-31.2
  • qemu-x86-2.6.2-31.2
  • qemu-2.6.2-31.2
  • qemu-debugsource-2.6.2-31.2
  • qemu-block-curl-debuginfo-2.6.2-31.2
  • qemu-tools-debuginfo-2.6.2-31.2
• SUSE Linux Enterprise Desktop 12 SP2 (noarch)
  • qemu-vgabios-1.9.1-31.2
  • qemu-ipxe-1.0.0-31.2
  • qemu-sgabios-8-31.2
  • qemu-seabios-1.9.1-31.2
• SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2 (aarch64)
  • qemu-block-curl-2.6.2-31.2
  • qemu-guest-agent-2.6.2-31.2
  • qemu-block-ssh-2.6.2-31.2
  • qemu-block-ssh-debuginfo-2.6.2-31.2
  • qemu-tools-2.6.2-31.2
  • qemu-guest-agent-debuginfo-2.6.2-31.2
  • qemu-lang-2.6.2-31.2
  • qemu-2.6.2-31.2
  • qemu-block-curl-debuginfo-2.6.2-31.2
  • qemu-block-rbd-debuginfo-2.6.2-31.2
  • qemu-debugsource-2.6.2-31.2
  • qemu-arm-2.6.2-31.2
  • qemu-tools-debuginfo-2.6.2-31.2
  • qemu-block-rbd-2.6.2-31.2
  • qemu-arm-debuginfo-2.6.2-31.2
• SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2 (noarch)
  • qemu-ipxe-1.0.0-31.2
• SUSE Linux Enterprise High Performance Computing 12 SP2 (aarch64 x86_64)
  • qemu-block-curl-2.6.2-31.2
  • qemu-guest-agent-2.6.2-31.2
  • qemu-block-ssh-2.6.2-31.2
  • qemu-block-ssh-debuginfo-2.6.2-31.2
  • qemu-tools-2.6.2-31.2
  • qemu-guest-agent-debuginfo-2.6.2-31.2
  • qemu-lang-2.6.2-31.2
  • qemu-2.6.2-31.2
  • qemu-block-rbd-debuginfo-2.6.2-31.2
  • qemu-block-curl-debuginfo-2.6.2-31.2
  • qemu-debugsource-2.6.2-31.2
  • qemu-tools-debuginfo-2.6.2-31.2
  • qemu-block-rbd-2.6.2-31.2
• SUSE Linux Enterprise High Performance Computing 12 SP2 (aarch64)
  • qemu-arm-2.6.2-31.2
  • qemu-arm-debuginfo-2.6.2-31.2
• SUSE Linux Enterprise High Performance Computing 12 SP2 (noarch)
  • qemu-vgabios-1.9.1-31.2
  • qemu-ipxe-1.0.0-31.2
  • qemu-sgabios-8-31.2
  • qemu-seabios-1.9.1-31.2
• SUSE Linux Enterprise High Performance Computing 12 SP2 (x86_64)
  • qemu-kvm-2.6.2-31.2
  • qemu-x86-2.6.2-31.2
• SUSE Linux Enterprise Server 12 SP2 (aarch64 ppc64le s390x x86_64)
  • qemu-block-curl-2.6.2-31.2
  • qemu-guest-agent-2.6.2-31.2
  • qemu-block-ssh-2.6.2-31.2
  • qemu-block-ssh-debuginfo-2.6.2-31.2
  • qemu-tools-2.6.2-31.2
  • qemu-guest-agent-debuginfo-2.6.2-31.2
  • qemu-lang-2.6.2-31.2
  • qemu-2.6.2-31.2
  • qemu-block-curl-debuginfo-2.6.2-31.2
  • qemu-debugsource-2.6.2-31.2
  • qemu-tools-debuginfo-2.6.2-31.2
• SUSE Linux Enterprise Server 12 SP2 (aarch64)
  • qemu-arm-2.6.2-31.2
  • qemu-arm-debuginfo-2.6.2-31.2
• SUSE Linux Enterprise Server 12 SP2 (aarch64 x86_64)
  • qemu-block-rbd-2.6.2-31.2
  • qemu-block-rbd-debuginfo-2.6.2-31.2
• SUSE Linux Enterprise Server 12 SP2 (noarch)
  • qemu-vgabios-1.9.1-31.2
  • qemu-ipxe-1.0.0-31.2
  • qemu-sgabios-8-31.2
  • qemu-seabios-1.9.1-31.2
• SUSE Linux Enterprise Server 12 SP2 (ppc64le)
  • qemu-ppc-2.6.2-31.2
  • qemu-ppc-debuginfo-2.6.2-31.2
• SUSE Linux Enterprise Server 12 SP2 (s390x x86_64)
  • qemu-kvm-2.6.2-31.2
• SUSE Linux Enterprise Server 12 SP2 (s390x)
  • qemu-s390-debuginfo-2.6.2-31.2
  • qemu-s390-2.6.2-31.2
• SUSE Linux Enterprise Server 12 SP2 (x86_64)
  • qemu-x86-2.6.2-31.2
• SUSE Linux Enterprise Server for SAP Applications 12 SP2 (ppc64le x86_64)
  • qemu-block-curl-2.6.2-31.2
  • qemu-guest-agent-2.6.2-31.2
  • qemu-block-ssh-2.6.2-31.2
  • qemu-block-ssh-debuginfo-2.6.2-31.2
  • qemu-tools-2.6.2-31.2
  • qemu-guest-agent-debuginfo-2.6.2-31.2
  • qemu-lang-2.6.2-31.2
  • qemu-2.6.2-31.2
  • qemu-block-curl-debuginfo-2.6.2-31.2
  • qemu-debugsource-2.6.2-31.2
  • qemu-tools-debuginfo-2.6.2-31.2
• SUSE Linux Enterprise Server for SAP Applications 12 SP2 (ppc64le)
  • qemu-ppc-2.6.2-31.2
  • qemu-ppc-debuginfo-2.6.2-31.2
• SUSE Linux Enterprise Server for SAP Applications 12 SP2 (x86_64)
  • qemu-kvm-2.6.2-31.2
  • qemu-x86-2.6.2-31.2
  • qemu-block-rbd-2.6.2-31.2
  • qemu-block-rbd-debuginfo-2.6.2-31.2
• SUSE Linux Enterprise Server for SAP Applications 12 SP2 (noarch)
  • qemu-vgabios-1.9.1-31.2
  • qemu-ipxe-1.0.0-31.2
  • qemu-sgabios-8-31.2
  • qemu-seabios-1.9.1-31.2

References:

• https://www.suse.com/security/cve/CVE-2016-7161.html
• https://www.suse.com/security/cve/CVE-2016-7170.html
• https://www.suse.com/security/cve/CVE-2016-7422.html
• https://www.suse.com/security/cve/CVE-2016-7466.html
• https://www.suse.com/security/cve/CVE-2016-7907.html
• https://www.suse.com/security/cve/CVE-2016-7908.html
• https://www.suse.com/security/cve/CVE-2016-7909.html
• https://www.suse.com/security/cve/CVE-2016-7994.html
• https://www.suse.com/security/cve/CVE-2016-7995.html
• https://www.suse.com/security/cve/CVE-2016-8576.html
• https://www.suse.com/security/cve/CVE-2016-8577.html
• https://www.suse.com/security/cve/CVE-2016-8578.html
• https://www.suse.com/security/cve/CVE-2016-8667.html
• https://www.suse.com/security/cve/CVE-2016-8668.html
• https://www.suse.com/security/cve/CVE-2016-8669.html
• https://www.suse.com/security/cve/CVE-2016-8909.html
• https://www.suse.com/security/cve/CVE-2016-8910.html
• https://www.suse.com/security/cve/CVE-2016-9101.html
• https://www.suse.com/security/cve/CVE-2016-9104.html
• https://www.suse.com/security/cve/CVE-2016-9105.html
• https://www.suse.com/security/cve/CVE-2016-9106.html
• https://bugzilla.suse.com/show_bug.cgi?id=1000345
• https://bugzilla.suse.com/show_bug.cgi?id=1000346
• https://bugzilla.suse.com/show_bug.cgi?id=1001151
• https://bugzilla.suse.com/show_bug.cgi?id=1002116
• https://bugzilla.suse.com/show_bug.cgi?id=1002549
• https://bugzilla.suse.com/show_bug.cgi?id=1002550
• https://bugzilla.suse.com/show_bug.cgi?id=1002557
• https://bugzilla.suse.com/show_bug.cgi?id=1003612
• https://bugzilla.suse.com/show_bug.cgi?id=1003613
• https://bugzilla.suse.com/show_bug.cgi?id=1003878
• https://bugzilla.suse.com/show_bug.cgi?id=1003893
• https://bugzilla.suse.com/show_bug.cgi?id=1003894
• https://bugzilla.suse.com/show_bug.cgi?id=1004702
• https://bugzilla.suse.com/show_bug.cgi?id=1004706
• https://bugzilla.suse.com/show_bug.cgi?id=1004707
• https://bugzilla.suse.com/show_bug.cgi?id=1005353
• https://bugzilla.suse.com/show_bug.cgi?id=1005374