Login
Newsletter
Werbung
Sicherheit: Mehrere Probleme in QEMU
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in QEMU
ID: USN-3923-1
Distribution: Ubuntu
Plattformen: Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 18.10
Datum: Mi, 27. März 2019, 19:16
Referenzen: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20123
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20126
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20191
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20216
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20125
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16872
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6778
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3812
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19489
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20124
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16867
Applikationen: QEMU

Originalnachricht

 
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============4570082463025293752==
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature";
 boundary="vCJsUacbNeRW89gmxlnrq6BOeAK52MkAM"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--vCJsUacbNeRW89gmxlnrq6BOeAK52MkAM
Content-Type: multipart/mixed;
 boundary="zEldtePTDaNWiOEp4YB14YqHCjZp78x6Z";
 protected-headers="v1"
From: Marc Deslauriers <marc.deslauriers@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <968037ca-c01c-9c51-c501-889ba3f473fe@canonical.com>
Subject: [USN-3923-1] QEMU vulnerabilities

--zEldtePTDaNWiOEp4YB14YqHCjZp78x6Z
Content-Type: text/plain; charset=utf-8
Content-Language: en-C
Content-Transfer-Encoding: quoted-printable

==========================================================================
Ubuntu Security Notice USN-3923-1
March 27, 2019

qemu vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in QEMU.

Software Description:
- qemu: Machine emulator and virtualizer

Details:

Michael Hanselmann discovered that QEMU incorrectly handled the Media
Transfer Protocol (MTP). An attacker inside the guest could use this issue
to read or write arbitrary files and cause a denial of service, or possibly
execute arbitrary code. This issue only affected Ubuntu 18.10.
(CVE-2018-16867)

Michael Hanselmann discovered that QEMU incorrectly handled the Media
Transfer Protocol (MTP). An attacker inside the guest could use this issue
to read arbitrary files, contrary to expectations. This issue only affected
Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-16872)

Zhibin Hu discovered that QEMU incorrectly handled the Plan 9 File System
support. An attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2018-19489)

Li Quang and Saar Amar discovered multiple issues in the QEMU PVRDMA
device. An attacker inside the guest could use these issues to cause a
denial of service, or possibly execute arbitrary code. This issue only
affected Ubuntu 18.10. These issues were resolved by disabling PVRDMA
support in Ubuntu 18.10. (CVE-2018-20123, CVE-2018-20124, CVE-2018-20125,
CVE-2018-20126, CVE-2018-20191, CVE-2018-20216)

Michael Hanselmann discovered that QEMU incorrectly handled certain i2c
commands. A local attacker could possibly use this issue to read QEMU
process memory. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10.
(CVE-2019-3812)

It was discovered that QEMU incorrectly handled the Slirp networking
back-end. An attacker inside the guest could use this issue to cause QEMU
to crash, resulting in a denial of service, or possibly execute arbitrary
code on the host. In the default installation, when QEMU is used with
libvirt, attackers would be isolated by the libvirt AppArmor profile.
(CVE-2019-6778)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
  qemu-system                     1:2.12+dfsg-3ubuntu8.6
  qemu-system-arm                 1:2.12+dfsg-3ubuntu8.6
  qemu-system-data                1:2.12+dfsg-3ubuntu8.6
  qemu-system-gui                 1:2.12+dfsg-3ubuntu8.6
  qemu-system-mips                1:2.12+dfsg-3ubuntu8.6
  qemu-system-misc                1:2.12+dfsg-3ubuntu8.6
  qemu-system-ppc                 1:2.12+dfsg-3ubuntu8.6
  qemu-system-s390x               1:2.12+dfsg-3ubuntu8.6
  qemu-system-sparc               1:2.12+dfsg-3ubuntu8.6
  qemu-system-x86                 1:2.12+dfsg-3ubuntu8.6

Ubuntu 18.04 LTS:
  qemu-system                     1:2.11+dfsg-1ubuntu7.12
  qemu-system-arm                 1:2.11+dfsg-1ubuntu7.12
  qemu-system-mips                1:2.11+dfsg-1ubuntu7.12
  qemu-system-misc                1:2.11+dfsg-1ubuntu7.12
  qemu-system-ppc                 1:2.11+dfsg-1ubuntu7.12
  qemu-system-s390x               1:2.11+dfsg-1ubuntu7.12
  qemu-system-sparc               1:2.11+dfsg-1ubuntu7.12
  qemu-system-x86                 1:2.11+dfsg-1ubuntu7.12

Ubuntu 16.04 LTS:
  qemu-system                     1:2.5+dfsg-5ubuntu10.36
  qemu-system-aarch64             1:2.5+dfsg-5ubuntu10.36
  qemu-system-arm                 1:2.5+dfsg-5ubuntu10.36
  qemu-system-mips                1:2.5+dfsg-5ubuntu10.36
  qemu-system-misc                1:2.5+dfsg-5ubuntu10.36
  qemu-system-ppc                 1:2.5+dfsg-5ubuntu10.36
  qemu-system-s390x               1:2.5+dfsg-5ubuntu10.36
  qemu-system-sparc               1:2.5+dfsg-5ubuntu10.36
  qemu-system-x86                 1:2.5+dfsg-5ubuntu10.36

Ubuntu 14.04 LTS:
  qemu-system                     2.0.0+dfsg-2ubuntu1.45
  qemu-system-aarch64             2.0.0+dfsg-2ubuntu1.45
  qemu-system-arm                 2.0.0+dfsg-2ubuntu1.45
  qemu-system-mips                2.0.0+dfsg-2ubuntu1.45
  qemu-system-misc                2.0.0+dfsg-2ubuntu1.45
  qemu-system-ppc                 2.0.0+dfsg-2ubuntu1.45
  qemu-system-sparc               2.0.0+dfsg-2ubuntu1.45
  qemu-system-x86                 2.0.0+dfsg-2ubuntu1.45

After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.

References:
  https://usn.ubuntu.com/usn/usn-3923-1
  CVE-2018-16867, CVE-2018-16872, CVE-2018-19489, CVE-2018-20123,
  CVE-2018-20124, CVE-2018-20125, CVE-2018-20126, CVE-2018-20191,
  CVE-2018-20216, CVE-2019-3812, CVE-2019-6778

Package Information:
  https://launchpad.net/ubuntu/+source/qemu/1:2.12+dfsg-3ubuntu8.6
  https://launchpad.net/ubuntu/+source/qemu/1:2.11+dfsg-1ubuntu7.12
  https://launchpad.net/ubuntu/+source/qemu/1:2.5+dfsg-5ubuntu10.36
  https://launchpad.net/ubuntu/+source/qemu/2.0.0+dfsg-2ubuntu1.45


--zEldtePTDaNWiOEp4YB14YqHCjZp78x6Z--

--vCJsUacbNeRW89gmxlnrq6BOeAK52MkAM
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAlybbyYACgkQZWnYVadE
vpMO2g//VRzSBlsDNeqc/uVRMnOGjsXA7OYsQ9Cse+FPTt6yQTwHpkFqdNeCAOMt
4VG1Nat0MflFBT41oLEzOL10TrGxiqEWNuqE2j5El2z5fS9jZuSskwPBdqMesUZK
+RxXsgrKFFQ3+9WjzNh863PTvCpH/ycR6wkHSkwdqHlO34R3sL1qUyGsec963IaB
pocGiFyJpyxMxiXOem8v7CZfHyCVtCouiuC/n2oJmofnWyhXMwLXwLxjHmwE6Y3U
4Y7F12xm2iZeLt7rj+AHWX/NjBt5B88e+dDRdsZ/Wxw3jg5F4QVzTOKLkeIjG9IC
NHJo1YetvGxN0cLEI/DTHf7bI6q6H6YrdkBpgk6ikrmcCWqJT+ENcMmCabuzb5rZ
5AZvbiIG+L4Y9OnXGcQXHGhBIutIG/6dClVBuIWK4ieDPSTZVIP8GUBidB5iWsUR
5son8qfd3F40AMopVTpiWHz/AWTmd2FVf1yilKer5iAm1K5xXALOPlTWKlIYljQ5
+txXiJCVYsSpvpQyavZz5XA/mXcfy1ZJMnAI1fsZtLxvXq9t6c/kxpxyFMIxygwg
ajd0J3aM4OD0ENf6ZXNZm214pkNd/rGL8d3VkOqRxtzIxkNddNUE+bNWHGNEubNI
oRbROdUKvi+22Eaq7a7qusinvZMVcW61D7huuycsyQLAHBf8KT8=
=kV8H
-----END PGP SIGNATURE-----

--vCJsUacbNeRW89gmxlnrq6BOeAK52MkAM--


--===============4570082463025293752==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

LS0gCnVidW50dS1zZWN1cml0eS1hbm5vdW5jZSBtYWlsaW5nIGxpc3QKdWJ1bnR1LXNlY3VyaXR5
LWFubm91bmNlQGxpc3RzLnVidW50dS5jb20KTW9kaWZ5IHNldHRpbmdzIG9yIHVuc3Vic2NyaWJl
IGF0OiBodHRwczovL2xpc3RzLnVidW50dS5jb20vbWFpbG1hbi9saXN0aW5mby91YnVudHUtc2Vj
dXJpdHktYW5ub3VuY2UK

--===============4570082463025293752==--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten

141
Mach­t's gut!

51
Neue Raspber­ry Pi-Va­ri­an­te mit 8 GB RAM

0
Genode 20.05 frei­ge­ge­ben

9
Sub­ver­si­on 1.14.0-LTS vor­ge­stellt

0
»Hum­ble Ci­ties: Sky­lines Bund­le« vor­ge­stellt

0
End of Life für Co­reOS Con­tai­ner Linux ver­kün­det

32
Elek­tra 0.9.2 er­schie­nen

8
Nex­tDNS ver­lässt die Be­ta-Pha­se

23
Tu­xe­do stellt Ga­mer-Note­book vor

0
Libre Gra­phics Mee­ting be­ginnt als On­li­ne-Va­ri­an­te
 
Werbung