Security update for qemu

SUSE Security Update: Security update for qemu

---

Announcement ID:	SUSE-SU-2016:1560-1
Rating:	important
References:	#886378 #895528 #901508 #928393 #934069 #940929 #944463 #947159 #958491 #958917 #959005 #959386 #960334 #960708 #960725 #960835 #961332 #961333 #961358 #961556 #961691 #962320 #963782 #964413 #967969 #969121 #969122 #969350 #970036 #970037 #975128 #975136 #975700 #976109 #978158 #978160 #980711 #980723 #981266
Affected Products:	SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Desktop 12

---

An update that solves 37 vulnerabilities and has two fixes is now available.

Description:

qemu was updated to fix 37 security issues.

These security issues were fixed:
- CVE-2016-4439: Avoid OOB access in 53C9X emulation (bsc#980711)
- CVE-2016-4441: Avoid OOB access in 53C9X emulation (bsc#980723)
- CVE-2016-4952: Avoid OOB access in Vmware PV SCSI emulation (bsc#981266)
- CVE-2015-8817: Avoid OOB access in PCI DMA I/O (bsc#969121)
- CVE-2015-8818: Avoid OOB access in PCI DMA I/O (bsc#969122)
- CVE-2016-3710: Fixed VGA emulation based OOB access with potential for
guest escape (bsc#978158)
- CVE-2016-3712: Fixed VGa emulation based DOS and OOB read access exploit
(bsc#978160)
- CVE-2016-4037: Fixed USB ehci based DOS (bsc#976109)
- CVE-2016-2538: Fixed potential OOB access in USB net device emulation
(bsc#967969)
- CVE-2016-2841: Fixed OOB access / hang in ne2000 emulation (bsc#969350)
- CVE-2016-2858: Avoid potential DOS when using QEMU pseudo random number
generator (bsc#970036)
- CVE-2016-2857: Fixed OOB access when processing IP checksums (bsc#970037)
- CVE-2016-4001: Fixed OOB access in Stellaris enet emulated nic
(bsc#975128)
- CVE-2016-4002: Fixed OOB access in MIPSnet emulated controller
(bsc#975136)
- CVE-2016-4020: Fixed possible host data leakage to guest from TPR access
(bsc#975700)
- CVE-2015-3214: Fixed OOB read in i8254 PIC (bsc#934069)
- CVE-2014-9718: Fixed the handling of malformed or short ide PRDTs to
avoid any opportunity for guest to cause DoS by abusing that interface
(bsc#928393)
- CVE-2014-3689: Fixed insufficient parameter validation in rectangle
functions (bsc#901508)
- CVE-2014-3615: The VGA emulator in QEMU allowed local guest users to
read host memory by setting the display to a high resolution
(bsc#895528).
- CVE-2015-5239: Integer overflow in vnc_client_read() and
protocol_client_msg() (bsc#944463).
- CVE-2015-5745: Buffer overflow in virtio-serial (bsc#940929).
- CVE-2015-7295: hw/virtio/virtio.c in the Virtual Network Device
(virtio-net) support in QEMU, when big or mergeable receive buffers are
not supported, allowed remote attackers to cause a denial of service
(guest network consumption) via a flood of jumbo frames on the (1)
tuntap or (2) macvtap interface (bsc#947159).
- CVE-2015-7549: PCI null pointer dereferences (bsc#958917).
- CVE-2015-8504: VNC floating point exception (bsc#958491).
- CVE-2015-8558: Infinite loop in ehci_advance_state resulting in DoS
(bsc#959005).
- CVE-2015-8567: A guest repeatedly activating a vmxnet3 device can leak
host memory (bsc#959386).
- CVE-2015-8568: A guest repeatedly activating a vmxnet3 device can leak
host memory (bsc#959386).
- CVE-2015-8613: Wrong sized memset in megasas command handler
(bsc#961358).
- CVE-2015-8619: Potential DoS for long HMP sendkey command argument
(bsc#960334).
- CVE-2015-8743: OOB memory access in ne2000 ioport r/w functions
(bsc#960725).
- CVE-2015-8744: Incorrect l2 header validation could have lead to a crash
via assert(2) call (bsc#960835).
- CVE-2015-8745: Reading IMR registers could have lead to a crash via
assert(2) call (bsc#960708).
- CVE-2016-1568: AHCI use-after-free in aio port commands (bsc#961332).
- CVE-2016-1714: Potential OOB memory access in processing firmware
configuration (bsc#961691).
- CVE-2016-1922: NULL pointer dereference when processing hmp i/o command
(bsc#962320).
- CVE-2016-1981: Potential DoS (infinite loop) in e1000 device emulation
by malicious privileged user within guest (bsc#963782).
- CVE-2016-2198: Malicious privileged guest user were able to cause DoS by
writing to read-only EHCI capabilities registers (bsc#964413).

This non-security issue was fixed
- bsc#886378: qemu truncates vhd images in virt-rescue

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server 12:
  zypper in -t patch SUSE-SLE-SERVER-12-2016-924=1
• SUSE Linux Enterprise Desktop 12:
  zypper in -t patch SUSE-SLE-DESKTOP-12-2016-924=1

To bring your system up-to-date, use "zypper patch".

Package List:

• SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
  • qemu-2.0.2-48.19.1
  • qemu-block-curl-2.0.2-48.19.1
  • qemu-block-curl-debuginfo-2.0.2-48.19.1
  • qemu-debugsource-2.0.2-48.19.1
  • qemu-guest-agent-2.0.2-48.19.1
  • qemu-guest-agent-debuginfo-2.0.2-48.19.1
  • qemu-lang-2.0.2-48.19.1
  • qemu-tools-2.0.2-48.19.1
  • qemu-tools-debuginfo-2.0.2-48.19.1
• SUSE Linux Enterprise Server 12 (s390x x86_64):
  • qemu-kvm-2.0.2-48.19.1
• SUSE Linux Enterprise Server 12 (ppc64le):
  • qemu-ppc-2.0.2-48.19.1
  • qemu-ppc-debuginfo-2.0.2-48.19.1
• SUSE Linux Enterprise Server 12 (x86_64):
  • qemu-block-rbd-2.0.2-48.19.1
  • qemu-block-rbd-debuginfo-2.0.2-48.19.1
  • qemu-x86-2.0.2-48.19.1
  • qemu-x86-debuginfo-2.0.2-48.19.1
• SUSE Linux Enterprise Server 12 (noarch):
  • qemu-ipxe-1.0.0-48.19.1
  • qemu-seabios-1.7.4-48.19.1
  • qemu-sgabios-8-48.19.1
  • qemu-vgabios-1.7.4-48.19.1
• SUSE Linux Enterprise Server 12 (s390x):
  • qemu-s390-2.0.2-48.19.1
  • qemu-s390-debuginfo-2.0.2-48.19.1
• SUSE Linux Enterprise Desktop 12 (x86_64):
  • qemu-2.0.2-48.19.1
  • qemu-block-curl-2.0.2-48.19.1
  • qemu-block-curl-debuginfo-2.0.2-48.19.1
  • qemu-debugsource-2.0.2-48.19.1
  • qemu-kvm-2.0.2-48.19.1
  • qemu-tools-2.0.2-48.19.1
  • qemu-tools-debuginfo-2.0.2-48.19.1
  • qemu-x86-2.0.2-48.19.1
  • qemu-x86-debuginfo-2.0.2-48.19.1
• SUSE Linux Enterprise Desktop 12 (noarch):
  • qemu-ipxe-1.0.0-48.19.1
  • qemu-seabios-1.7.4-48.19.1
  • qemu-sgabios-8-48.19.1
  • qemu-vgabios-1.7.4-48.19.1

References:

• https://www.suse.com/security/cve/CVE-2014-3615.html
• https://www.suse.com/security/cve/CVE-2014-3689.html
• https://www.suse.com/security/cve/CVE-2014-9718.html
• https://www.suse.com/security/cve/CVE-2015-3214.html
• https://www.suse.com/security/cve/CVE-2015-5239.html
• https://www.suse.com/security/cve/CVE-2015-5745.html
• https://www.suse.com/security/cve/CVE-2015-7295.html
• https://www.suse.com/security/cve/CVE-2015-7549.html
• https://www.suse.com/security/cve/CVE-2015-8504.html
• https://www.suse.com/security/cve/CVE-2015-8558.html
• https://www.suse.com/security/cve/CVE-2015-8567.html
• https://www.suse.com/security/cve/CVE-2015-8568.html
• https://www.suse.com/security/cve/CVE-2015-8613.html
• https://www.suse.com/security/cve/CVE-2015-8619.html
• https://www.suse.com/security/cve/CVE-2015-8743.html
• https://www.suse.com/security/cve/CVE-2015-8744.html
• https://www.suse.com/security/cve/CVE-2015-8745.html
• https://www.suse.com/security/cve/CVE-2015-8817.html
• https://www.suse.com/security/cve/CVE-2015-8818.html
• https://www.suse.com/security/cve/CVE-2016-1568.html
• https://www.suse.com/security/cve/CVE-2016-1714.html
• https://www.suse.com/security/cve/CVE-2016-1922.html
• https://www.suse.com/security/cve/CVE-2016-1981.html
• https://www.suse.com/security/cve/CVE-2016-2198.html
• https://www.suse.com/security/cve/CVE-2016-2538.html
• https://www.suse.com/security/cve/CVE-2016-2841.html
• https://www.suse.com/security/cve/CVE-2016-2857.html
• https://www.suse.com/security/cve/CVE-2016-2858.html
• https://www.suse.com/security/cve/CVE-2016-3710.html
• https://www.suse.com/security/cve/CVE-2016-3712.html
• https://www.suse.com/security/cve/CVE-2016-4001.html
• https://www.suse.com/security/cve/CVE-2016-4002.html
• https://www.suse.com/security/cve/CVE-2016-4020.html
• https://www.suse.com/security/cve/CVE-2016-4037.html
• https://www.suse.com/security/cve/CVE-2016-4439.html
• https://www.suse.com/security/cve/CVE-2016-4441.html
• https://www.suse.com/security/cve/CVE-2016-4952.html
• https://bugzilla.suse.com/886378
• https://bugzilla.suse.com/895528
• https://bugzilla.suse.com/901508
• https://bugzilla.suse.com/928393
• https://bugzilla.suse.com/934069
• https://bugzilla.suse.com/940929
• https://bugzilla.suse.com/944463
• https://bugzilla.suse.com/947159
• https://bugzilla.suse.com/958491
• https://bugzilla.suse.com/958917
• https://bugzilla.suse.com/959005
• https://bugzilla.suse.com/959386
• https://bugzilla.suse.com/960334
• https://bugzilla.suse.com/960708
• https://bugzilla.suse.com/960725
• https://bugzilla.suse.com/960835
• https://bugzilla.suse.com/961332
• https://bugzilla.suse.com/961333
• https://bugzilla.suse.com/961358
• https://bugzilla.suse.com/961556
• https://bugzilla.suse.com/961691
• https://bugzilla.suse.com/962320
• https://bugzilla.suse.com/963782
• https://bugzilla.suse.com/964413
• https://bugzilla.suse.com/967969
• https://bugzilla.suse.com/969121
• https://bugzilla.suse.com/969122
• https://bugzilla.suse.com/969350
• https://bugzilla.suse.com/970036
• https://bugzilla.suse.com/970037
• https://bugzilla.suse.com/975128
• https://bugzilla.suse.com/975136
• https://bugzilla.suse.com/975700
• https://bugzilla.suse.com/976109
• https://bugzilla.suse.com/978158
• https://bugzilla.suse.com/978160
• https://bugzilla.suse.com/980711
• https://bugzilla.suse.com/980723
• https://bugzilla.suse.com/981266