Security: Two problems in QEMU
Name: Two problems in QEMU
ID: USN-2439-1
Distribution: Ubuntu
Platforms: Ubuntu 10.04 LTS, Ubuntu 12.04 LTS, Ubuntu 14.04 LTS, Ubuntu 14.10
Date: Fri, 12 December 2014, 07:40
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7840
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8106
Applications: QEMU

Original message

==========================================================================
Ubuntu Security Notice USN-2439-1
December 11, 2014

qemu, qemu-kvm vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in QEMU.

Software Description:
- qemu: Machine emulator and virtualizer
- qemu-kvm: Machine emulator and virtualizer

Details:

Michael S. Tsirkin discovered that QEMU incorrectly handled certain
parameters during ram load while performing a migration. An attacker able
to manipulate savevm data could use this issue to possibly execute
arbitrary code on the host. This issue only affected Ubuntu 12.04 LTS,
Ubuntu 14.04 LTS, and Ubuntu 14.10. (CVE-2014-7840)

Paolo Bonzini discovered that QEMU incorrectly handled memory in the Cirrus
VGA device. A malicious guest could possibly use this issue to write into
memory of the host, leading to privilege escalation. (CVE-2014-8106)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.10:
  qemu-system             2.1+dfsg-4ubuntu6.3
  qemu-system-aarch64     2.1+dfsg-4ubuntu6.3
  qemu-system-arm         2.1+dfsg-4ubuntu6.3
  qemu-system-mips        2.1+dfsg-4ubuntu6.3
  qemu-system-misc        2.1+dfsg-4ubuntu6.3
  qemu-system-ppc         2.1+dfsg-4ubuntu6.3
  qemu-system-sparc       2.1+dfsg-4ubuntu6.3
  qemu-system-x86         2.1+dfsg-4ubuntu6.3

Ubuntu 14.04 LTS:
  qemu-system             2.0.0+dfsg-2ubuntu1.9
  qemu-system-aarch64     2.0.0+dfsg-2ubuntu1.9
  qemu-system-arm         2.0.0+dfsg-2ubuntu1.9
  qemu-system-mips        2.0.0+dfsg-2ubuntu1.9
  qemu-system-misc        2.0.0+dfsg-2ubuntu1.9
  qemu-system-ppc         2.0.0+dfsg-2ubuntu1.9
  qemu-system-sparc       2.0.0+dfsg-2ubuntu1.9
  qemu-system-x86         2.0.0+dfsg-2ubuntu1.9

Ubuntu 12.04 LTS:
  qemu-kvm                1.0+noroms-0ubuntu14.21

Ubuntu 10.04 LTS:
  qemu-kvm                0.12.3+noroms-0ubuntu9.26

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2439-1
CVE-2014-7840, CVE-2014-8106

Package Information:
https://launchpad.net/ubuntu/+source/qemu/2.1+dfsg-4ubuntu6.3
https://launchpad.net/ubuntu/+source/qemu/2.0.0+dfsg-2ubuntu1.9
https://launchpad.net/ubuntu/+source/qemu-kvm/1.0+noroms-0ubuntu14.21
https://launchpad.net/ubuntu/+source/qemu-kvm/0.12.3+noroms-0ubuntu9.26
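
A way to check a host against the fixed versions listed under "Update instructions" (an added example, not part of the Ubuntu notice): it implements Debian's version ordering in Python, so that for instance `ubuntu1.10` sorts after `ubuntu1.9`, which a plain string comparison gets wrong. The function names and the sample package list are constructed for illustration; the input is assumed to come from `dpkg-query -W -f='${Package} ${Version}\n'`.

```python
import re

# Packages and fixed versions as listed under "Update instructions" in USN-2439-1.
_SYSTEM = ["qemu-system"] + ["qemu-system-" + arch for arch in
           ("aarch64", "arm", "mips", "misc", "ppc", "sparc", "x86")]
FIXED = {
    "14.10": (_SYSTEM, "2.1+dfsg-4ubuntu6.3"),
    "14.04": (_SYSTEM, "2.0.0+dfsg-2ubuntu1.9"),
    "12.04": (["qemu-kvm"], "1.0+noroms-0ubuntu14.21"),
    "10.04": (["qemu-kvm"], "0.12.3+noroms-0ubuntu9.26"),
}

def _key(part):
    # Alternate non-digit and digit runs. Inside a non-digit run Debian sorts
    # '~' < end of run < letters < other characters; digit runs compare as integers.
    rank = lambda c: -1 if c == "~" else ord(c) + (0 if c.isalpha() else 256)
    return [([rank(c) for c in text] + [0], int(num or 0))
            for text, num in re.findall(r"(\D*)(\d*)", part)]

def deb_key(version):
    """Sort key implementing Debian's [epoch:]upstream[-revision] ordering."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "0")
    return int(epoch), _key(upstream), _key(rev)

def audit(release, dpkg_output):
    """Return {package: installed version} for listed packages below the fixed version."""
    names, fixed = FIXED[release]
    rows = (line.split() for line in dpkg_output.splitlines())
    return {r[0]: r[1] for r in rows
            if len(r) == 2 and r[0] in names and deb_key(r[1]) < deb_key(fixed)}

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` on a 14.04 host.
SAMPLE = """qemu-system-x86 2.0.0+dfsg-2ubuntu1.7
qemu-system-arm 2.0.0+dfsg-2ubuntu1.10
qemu-utils 2.0.0+dfsg-2ubuntu1.7"""

if __name__ == "__main__":
    print(audit("14.04", SAMPLE))
```

Packages the notice does not list, such as `qemu-utils` in the sample, are ignored by `audit`.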


