ID CVE-2014-0223
Summary Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a large image size, which triggers a buffer overflow or out-of-bounds read.
References
Vulnerable Configurations
  • cpe:2.3:o:suse:linux_enterprise_server:11.0:sp1
    cpe:2.3:o:suse:linux_enterprise_server:11.0:sp1
  • QEMU 0.1
    cpe:2.3:a:qemu:qemu:0.1
  • QEMU 0.1.1
    cpe:2.3:a:qemu:qemu:0.1.1
  • QEMU 0.1.2
    cpe:2.3:a:qemu:qemu:0.1.2
  • QEMU 0.1.3
    cpe:2.3:a:qemu:qemu:0.1.3
  • QEMU 0.1.4
    cpe:2.3:a:qemu:qemu:0.1.4
  • QEMU 0.1.5
    cpe:2.3:a:qemu:qemu:0.1.5
  • QEMU 0.1.6
    cpe:2.3:a:qemu:qemu:0.1.6
  • QEMU 0.2
    cpe:2.3:a:qemu:qemu:0.2
  • QEMU 0.3
    cpe:2.3:a:qemu:qemu:0.3
  • QEMU 0.4
    cpe:2.3:a:qemu:qemu:0.4
  • QEMU 0.4.1
    cpe:2.3:a:qemu:qemu:0.4.1
  • QEMU 0.4.2
    cpe:2.3:a:qemu:qemu:0.4.2
  • QEMU 0.4.3
    cpe:2.3:a:qemu:qemu:0.4.3
  • QEMU 0.5.0
    cpe:2.3:a:qemu:qemu:0.5.0
  • QEMU 0.5.1
    cpe:2.3:a:qemu:qemu:0.5.1
  • QEMU 0.5.2
    cpe:2.3:a:qemu:qemu:0.5.2
  • QEMU 0.5.3
    cpe:2.3:a:qemu:qemu:0.5.3
  • QEMU 0.5.4
    cpe:2.3:a:qemu:qemu:0.5.4
  • QEMU 0.5.5
    cpe:2.3:a:qemu:qemu:0.5.5
  • QEMU 0.6.0
    cpe:2.3:a:qemu:qemu:0.6.0
  • QEMU 0.6.1
    cpe:2.3:a:qemu:qemu:0.6.1
  • QEMU 0.7.0
    cpe:2.3:a:qemu:qemu:0.7.0
  • QEMU 0.7.1
    cpe:2.3:a:qemu:qemu:0.7.1
  • QEMU 0.7.2
    cpe:2.3:a:qemu:qemu:0.7.2
  • QEMU 0.8.0
    cpe:2.3:a:qemu:qemu:0.8.0
  • QEMU 0.8.1
    cpe:2.3:a:qemu:qemu:0.8.1
  • QEMU 0.8.2
    cpe:2.3:a:qemu:qemu:0.8.2
  • QEMU 0.9.0
    cpe:2.3:a:qemu:qemu:0.9.0
  • QEMU 0.9.1
    cpe:2.3:a:qemu:qemu:0.9.1
  • QEMU 0.9.1-5
    cpe:2.3:a:qemu:qemu:0.9.1-5
  • QEMU 0.10.0
    cpe:2.3:a:qemu:qemu:0.10.0
  • QEMU 0.10.1
    cpe:2.3:a:qemu:qemu:0.10.1
  • QEMU 0.10.2
    cpe:2.3:a:qemu:qemu:0.10.2
  • QEMU 0.10.3
    cpe:2.3:a:qemu:qemu:0.10.3
  • QEMU 0.10.4
    cpe:2.3:a:qemu:qemu:0.10.4
  • QEMU 0.10.5
    cpe:2.3:a:qemu:qemu:0.10.5
  • QEMU 0.10.6
    cpe:2.3:a:qemu:qemu:0.10.6
  • QEMU 0.11.0
    cpe:2.3:a:qemu:qemu:0.11.0
  • QEMU 0.11.0-rc0
    cpe:2.3:a:qemu:qemu:0.11.0:rc0
  • QEMU 0.11.0 release candidate 1
    cpe:2.3:a:qemu:qemu:0.11.0:rc1
  • QEMU 0.11.0 release candidate 2
    cpe:2.3:a:qemu:qemu:0.11.0:rc2
  • QEMU 0.11.0-rc0
    cpe:2.3:a:qemu:qemu:0.11.0-rc0
  • QEMU 0.11.0-rc1
    cpe:2.3:a:qemu:qemu:0.11.0-rc1
  • QEMU 0.11.0-rc2
    cpe:2.3:a:qemu:qemu:0.11.0-rc2
  • QEMU 0.11.1
    cpe:2.3:a:qemu:qemu:0.11.1
  • QEMU 0.12.0
    cpe:2.3:a:qemu:qemu:0.12.0
  • QEMU 0.12.0 release candidate 1
    cpe:2.3:a:qemu:qemu:0.12.0:rc1
  • QEMU 0.12.0 release candidate 2
    cpe:2.3:a:qemu:qemu:0.12.0:rc2
  • QEMU 0.12.1
    cpe:2.3:a:qemu:qemu:0.12.1
  • QEMU 0.12.2
    cpe:2.3:a:qemu:qemu:0.12.2
  • QEMU 0.12.3
    cpe:2.3:a:qemu:qemu:0.12.3
  • QEMU 0.12.4
    cpe:2.3:a:qemu:qemu:0.12.4
  • QEMU 0.12.5
    cpe:2.3:a:qemu:qemu:0.12.5
  • QEMU 0.13.0
    cpe:2.3:a:qemu:qemu:0.13.0
  • QEMU 0.13.0 release candidate 0
    cpe:2.3:a:qemu:qemu:0.13.0:rc0
  • QEMU 0.13.0 release candidate 1
    cpe:2.3:a:qemu:qemu:0.13.0:rc1
  • QEMU 0.14.0
    cpe:2.3:a:qemu:qemu:0.14.0
  • QEMU 0.14.0 release candidate 0
    cpe:2.3:a:qemu:qemu:0.14.0:rc0
  • QEMU 0.14.0 release candidate 1
    cpe:2.3:a:qemu:qemu:0.14.0:rc1
  • QEMU 0.14.0 release candidate 2
    cpe:2.3:a:qemu:qemu:0.14.0:rc2
  • QEMU 0.14.1
    cpe:2.3:a:qemu:qemu:0.14.1
  • QEMU 0.15.0 release candidate 1
    cpe:2.3:a:qemu:qemu:0.15.0:rc1
  • QEMU 0.15.0 release candidate 2
    cpe:2.3:a:qemu:qemu:0.15.0:rc2
  • QEMU 0.15.1
    cpe:2.3:a:qemu:qemu:0.15.1
  • QEMU 0.15.2
    cpe:2.3:a:qemu:qemu:0.15.2
  • QEMU 1.0
    cpe:2.3:a:qemu:qemu:1.0
  • QEMU 1.0 release candidate 1
    cpe:2.3:a:qemu:qemu:1.0:rc1
  • QEMU 1.0 release candidate 2
    cpe:2.3:a:qemu:qemu:1.0:rc2
  • QEMU 1.0 release candidate 3
    cpe:2.3:a:qemu:qemu:1.0:rc3
  • QEMU 1.0 release candidate 4
    cpe:2.3:a:qemu:qemu:1.0:rc4
  • QEMU 1.0.1
    cpe:2.3:a:qemu:qemu:1.0.1
  • QEMU 1.1
    cpe:2.3:a:qemu:qemu:1.1
  • QEMU 1.1 release candidate 1
    cpe:2.3:a:qemu:qemu:1.1:rc1
  • QEMU 1.1 release candidate 2
    cpe:2.3:a:qemu:qemu:1.1:rc2
  • QEMU 1.1 release candidate 3
    cpe:2.3:a:qemu:qemu:1.1:rc3
  • QEMU 1.1 release candidate 4
    cpe:2.3:a:qemu:qemu:1.1:rc4
  • QEMU 1.4.1
    cpe:2.3:a:qemu:qemu:1.4.1
  • QEMU 1.4.2
    cpe:2.3:a:qemu:qemu:1.4.2
  • QEMU 1.5.0
    cpe:2.3:a:qemu:qemu:1.5.0
  • QEMU 1.5.0 release candidate 1
    cpe:2.3:a:qemu:qemu:1.5.0:rc1
  • QEMU 1.5.0 release candidate 2
    cpe:2.3:a:qemu:qemu:1.5.0:rc2
  • QEMU 1.5.0 release candidate 3
    cpe:2.3:a:qemu:qemu:1.5.0:rc3
  • QEMU 1.5.1
    cpe:2.3:a:qemu:qemu:1.5.1
  • QEMU 1.5.2
    cpe:2.3:a:qemu:qemu:1.5.2
  • QEMU 1.5.3
    cpe:2.3:a:qemu:qemu:1.5.3
  • QEMU 1.6.0
    cpe:2.3:a:qemu:qemu:1.6.0
  • QEMU 1.6.0 release candidate 1
    cpe:2.3:a:qemu:qemu:1.6.0:rc1
  • QEMU 1.6.0 release candidate 2
    cpe:2.3:a:qemu:qemu:1.6.0:rc2
  • QEMU 1.6.0 release candidate 3
    cpe:2.3:a:qemu:qemu:1.6.0:rc3
  • QEMU 1.6.1
    cpe:2.3:a:qemu:qemu:1.6.1
  • QEMU 1.6.2
    cpe:2.3:a:qemu:qemu:1.6.2
  • QEMU 1.7.1
    cpe:2.3:a:qemu:qemu:1.7.1
CVSS
Base: 4.6 (as of 16-10-2015 - 10:45)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2014-1075.NASL
    description Updated qemu-kvm packages that fix two security issues and three bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. Two integer overflow flaws were found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could use either of these flaws to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0222, CVE-2014-0223) Red Hat would like to thank NSA for reporting these issues. This update also fixes the following bugs : * In certain scenarios, when performing live incremental migration, the disk size could be expanded considerably due to the transfer of unallocated sectors past the end of the base image. With this update, the bdrv_is_allocated() function has been fixed to no longer return 'True' for unallocated sectors, and the disk size no longer changes after performing live incremental migration. (BZ#1109715) * This update enables ioeventfd in virtio-scsi-pci. This allows QEMU to process I/O requests outside of the vCPU thread, reducing the latency of submitting requests and improving single task throughput. (BZ#1123271) * Prior to this update, vendor-specific SCSI commands issued from a KVM guest did not reach the target device due to QEMU considering such commands as invalid. This update fixes this bug by properly propagating vendor-specific SCSI commands to the target device. (BZ#1125131) All qemu-kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 77286
    published 2014-08-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77286
    title CentOS 6 : qemu-kvm (CESA-2014:1075)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-1075.NASL
    description Updated qemu-kvm packages that fix two security issues and three bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. Two integer overflow flaws were found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could use either of these flaws to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0222, CVE-2014-0223) Red Hat would like to thank NSA for reporting these issues. This update also fixes the following bugs : * In certain scenarios, when performing live incremental migration, the disk size could be expanded considerably due to the transfer of unallocated sectors past the end of the base image. With this update, the bdrv_is_allocated() function has been fixed to no longer return 'True' for unallocated sectors, and the disk size no longer changes after performing live incremental migration. (BZ#1109715) * This update enables ioeventfd in virtio-scsi-pci. This allows QEMU to process I/O requests outside of the vCPU thread, reducing the latency of submitting requests and improving single task throughput. (BZ#1123271) * Prior to this update, vendor-specific SCSI commands issued from a KVM guest did not reach the target device due to QEMU considering such commands as invalid. This update fixes this bug by properly propagating vendor-specific SCSI commands to the target device. (BZ#1125131) All qemu-kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 77271
    published 2014-08-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77271
    title RHEL 6 : qemu-kvm (RHSA-2014:1075)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20140819_QEMU_KVM_ON_SL6_X.NASL
    description Two integer overflow flaws were found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could use either of these flaws to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0222, CVE-2014-0223) This update also fixes the following bugs : - In certain scenarios, when performing live incremental migration, the disk size could be expanded considerably due to the transfer of unallocated sectors past the end of the base image. With this update, the bdrv_is_allocated() function has been fixed to no longer return 'True' for unallocated sectors, and the disk size no longer changes after performing live incremental migration. - This update enables ioeventfd in virtio-scsi-pci. This allows QEMU to process I/O requests outside of the vCPU thread, reducing the latency of submitting requests and improving single task throughput. - Prior to this update, vendor-specific SCSI commands issued from a KVM guest did not reach the target device due to QEMU considering such commands as invalid. This update fixes this bug by properly propagating vendor-specific SCSI commands to the target device. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 77272
    published 2014-08-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77272
    title Scientific Linux Security Update : qemu-kvm on SL6.x i386/x86_64
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2014-220.NASL
    description Updated qemu packages fix security vulnerabilities : Michael S. Tsirkin discovered that QEMU incorrectly handled vmxnet3 devices. A local guest could possibly use this issue to cause a denial of service, or possibly execute arbitrary code on the host (CVE-2013-4544). Multiple integer overflow, input validation, logic error, and buffer overflow flaws were discovered in various QEMU block drivers. An attacker able to modify a disk image file loaded by a guest could use these flaws to crash the guest, or corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-0143, CVE-2014-0144, CVE-2014-0145, CVE-2014-0147). A buffer overflow flaw was found in the way the virtio_net_handle_mac() function of QEMU processed guest requests to update the table of MAC addresses. A privileged guest user could use this flaw to corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-0150). A divide-by-zero flaw was found in the seek_to_sector() function of the parallels block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0142). A NULL pointer dereference flaw was found in the QCOW2 block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0146). It was found that the block driver for Hyper-V VHDX images did not correctly calculate BAT (Block Allocation Table) entries due to a missing bounds check. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0148). An out-of-bounds memory access flaw was found in the way QEMU's IDE device driver handled the execution of SMART EXECUTE OFFLINE commands. A privileged guest user could use this flaw to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-2894). Two integer overflow flaws were found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could use either of these flaws to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-0222, CVE-2014-0223). Multiple buffer overflow, input validation, and out-of-bounds write flaws were found in the way the virtio, virtio-net, virtio-scsi, and usb drivers of QEMU handled state loading after migration. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2013-4148, CVE-2013-4151, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461). An information leak flaw was found in the way QEMU's VGA emulator accessed frame buffer memory for high resolution displays. A privileged guest user could use this flaw to leak memory contents of the host to the guest by setting the display to use a high resolution in the guest (CVE-2014-3615). When guest sends udp packet with source port and source addr 0, uninitialized socket is picked up when looking for matching and already created udp sockets, and later passed to sosendto() where NULL pointer dereference is hit during so->slirp->vnetwork_mask.s_addr access Only guests using qemu user networking are affected (CVE-2014-3640). The Advanced Threat Research team at Intel Security reported that guest provided parameter were insufficiently validated in rectangle functions in the vmware-vga driver. A privileged guest user could use this flaw to write into qemu address space on the host, potentially escalating their privileges to those of the qemu host process (CVE-2014-3689). It was discovered that QEMU incorrectly handled USB xHCI controller live migration. An attacker could possibly use this issue to cause a denial of service, or possibly execute arbitrary code (CVE-2014-5263). James Spadaro of Cisco reported insufficiently sanitized bits_per_pixel from the client in the QEMU VNC display driver. An attacker having access to the guest's VNC console could use this flaw to crash the guest (CVE-2014-7815). Additionally qemu-1.6+ requires usbredir-0.6+ for USB redirection support which is also being provided with this advisory.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 79407
    published 2014-11-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79407
    title Mandriva Linux Security Advisory : qemu (MDVSA-2014:220)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2342-1.NASL
    description Michael S. Tsirkin, Anthony Liguori, and Michael Roth discovered multiple issues with QEMU state loading after migration. An attacker able to modify the state data could use these issues to cause a denial of service, or possibly execute arbitrary code. (CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151, CVE-2013-4526, CVE-2013-4527, CVE-2013-4529, CVE-2013-4530, CVE-2013-4531, CVE-2013-4532, CVE-2013-4533, CVE-2013-4534, CVE-2013-4535, CVE-2013-4536, CVE-2013-4537, CVE-2013-4538, CVE-2013-4539, CVE-2013-4540, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461) Kevin Wolf, Stefan Hajnoczi, Fam Zheng, Jeff Cody, Stefan Hajnoczi, and others discovered multiple issues in the QEMU block drivers. An attacker able to modify disk images could use these issues to cause a denial of service, or possibly execute arbitrary code. (CVE-2014-0142, CVE-2014-0143, CVE-2014-0144, CVE-2014-0145, CVE-2014-0146, CVE-2014-0147, CVE-2014-0222, CVE-2014-0223) It was discovered that QEMU incorrectly handled certain PCIe bus hotplug operations. A malicious guest could use this issue to crash the QEMU host, resulting in a denial of service. (CVE-2014-3471). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 77570
    published 2014-09-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77570
    title Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS : qemu, qemu-kvm vulnerabilities (USN-2342-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_KVM-140919.NASL
    description kvm has been updated to fix issues in the embedded qemu : - An integer overflow flaw was found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could have used this flaw to corrupt QEMU process memory on the host, which could potentially have resulted in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0223) - A user able to alter the savevm data (either on the disk or over the wire during migration) could have used this flaw to to corrupt QEMU process memory on the (destination) host, which could have potentially resulted in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-3461) - An integer overflow flaw was found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could have used this flaw to corrupt QEMU process memory on the host, which could have potentially resulted in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0222) Non-security bugs fixed : - Fix exceeding IRQ routes that could have caused freezes of guests. (bnc#876842) - Fix CPUID emulation bugs that may have broken Windows guests with newer -cpu types (bnc#886535)
    last seen 2019-02-21
    modified 2014-11-06
    plugin id 78105
    published 2014-10-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78105
    title SuSE 11.3 Security Update : kvm (SAT Patch Number 9739)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-1168.NASL
    description An updated rhev-hypervisor6 package that fixes three security issues and one bug is now available. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: a subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. A NULL pointer dereference flaw was found in the way the Linux kernel's networking implementation handled logging while processing certain invalid packets coming in via a VxLAN interface. A remote attacker could use this flaw to crash the system by sending a specially crafted packet to such an interface. (CVE-2014-3535) Two integer overflow flaws were found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could use either of these flaws to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0222, CVE-2014-0223) Red Hat would like to thank NSA for reporting CVE-2014-0222 and CVE-2014-0223. This update also fixes the following bug : * Previously, an updated version of Qlogic firmware was not supported in the Red Hat Enterprise Virtualization Hypervisor 6.5 image and an error message returned when users were using a newer version of Qlogic firmware. This update includes the latest Qlogic firmware package in the Red Hat Enterprise Virtualization Hypervisor 6.5 image so no firmware errors are returned. (BZ#1135780) This updated package also provides updated components that include fixes for various security issues. These issues have no security impact on Red Hat Enterprise Virtualization Hypervisor itself, however. The security fixes included in this update address the following CVE numbers : CVE-2012-6647, CVE-2013-7339, CVE-2014-2672, CVE-2014-2678, CVE-2014-2706, CVE-2014-2851, CVE-2014-3144, CVE-2014-3145, CVE-2014-0205, CVE-2014-3917, and CVE-2014-4667 (kernel issues) Users of the Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package.
    last seen 2019-02-21
    modified 2018-11-26
    plugin id 79048
    published 2014-11-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79048
    title RHEL 6 : rhev-hypervisor6 (RHSA-2014:1168)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3044.NASL
    description Several vulnerabilities were discovered in qemu-kvm, a full virtualization solution on x86 hardware : - Various security issues have been found in the block qemu drivers. Malformed disk images might result in the execution of arbitrary code. - A NULL pointer dereference in SLIRP may result in denial of service - An information leak was discovered in the VGA emulation
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 78045
    published 2014-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78045
    title Debian DSA-3044-1 : qemu-kvm - security update
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2014-0927.NASL
    description Updated qemu-kvm packages that fix multiple security issues and various bugs are now available for Red Hat Enterprise Linux 7. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. Two integer overflow flaws were found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could use either of these flaws to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0222, CVE-2014-0223) Multiple buffer overflow, input validation, and out-of-bounds write flaws were found in the way virtio, virtio-net, virtio-scsi, usb, and hpet drivers of QEMU handled state loading after migration. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151, CVE-2013-4527, CVE-2013-4529, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461) These issues were discovered by Michael S. Tsirkin, Anthony Liguori and Michael Roth of Red Hat: CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151, CVE-2013-4527, CVE-2013-4529, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, and CVE-2014-3461. This update also fixes the following bugs : * Previously, QEMU did not free pre-allocated zero clusters correctly and the clusters under some circumstances leaked. With this update, pre-allocated zero clusters are freed appropriately and the cluster leaks no longer occur. (BZ#1110188) * Prior to this update, the QEMU command interface did not properly handle resizing of cache memory during guest migration, causing QEMU to terminate unexpectedly with a segmentation fault and QEMU to fail. This update fixes the related code and QEMU no longer crashes in the described situation. (BZ#1110191) * Previously, when a guest device was hot unplugged, QEMU correctly removed the corresponding file descriptor watch but did not re-create it after the device was re-connected. As a consequence, the guest became unable to receive any data from the host over this device. With this update, the file descriptor's watch is re-created and the guest in the above scenario can communicate with the host as expected. (BZ#1110219) * Previously, the QEMU migration code did not account for the gaps caused by hot unplugged devices and thus expected more memory to be transferred during migrations. As a consequence, guest migration failed to complete after multiple devices were hot unplugged. In addition, the migration info text displayed erroneous values for the 'remaining ram' item. With this update, QEMU calculates memory after a device has been unplugged correctly, and any subsequent guest migrations proceed as expected. (BZ#1110189) All qemu-kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 76839
    published 2014-07-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76839
    title CentOS 7 : qemu-kvm (CESA-2014:0927)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2014-1075.NASL
    description From Red Hat Security Advisory 2014:1075 : Updated qemu-kvm packages that fix two security issues and three bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. Two integer overflow flaws were found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could use either of these flaws to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0222, CVE-2014-0223) Red Hat would like to thank NSA for reporting these issues. This update also fixes the following bugs : * In certain scenarios, when performing live incremental migration, the disk size could be expanded considerably due to the transfer of unallocated sectors past the end of the base image. With this update, the bdrv_is_allocated() function has been fixed to no longer return 'True' for unallocated sectors, and the disk size no longer changes after performing live incremental migration. (BZ#1109715) * This update enables ioeventfd in virtio-scsi-pci. This allows QEMU to process I/O requests outside of the vCPU thread, reducing the latency of submitting requests and improving single task throughput. (BZ#1123271) * Prior to this update, vendor-specific SCSI commands issued from a KVM guest did not reach the target device due to QEMU considering such commands as invalid. This update fixes this bug by properly propagating vendor-specific SCSI commands to the target device. (BZ#1125131) All qemu-kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 77270
    published 2014-08-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77270
    title Oracle Linux 6 : qemu-kvm (ELSA-2014-1075)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-1076.NASL
    description Updated qemu-kvm-rhev packages that fix two security issues and one bug are now available for Red Hat Enterprise Virtualization. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM in environments managed by Red Hat Enterprise Virtualization Manager. Two integer overflow flaws were found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could use either of these flaws to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0222, CVE-2014-0223) Red Hat would like to thank NSA for reporting these issues. This update also fixes the following bug : * In certain scenarios, when performing live incremental migration, the disk size could be expanded considerably due to the transfer of unallocated sectors past the end of the base image. With this update, the bdrv_is_allocated() function has been fixed to no longer return 'True' for unallocated sectors, and the disk size no longer changes after performing live incremental migration. (BZ#1110681) All users of qemu-kvm-rhev are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 79041
    published 2014-11-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79041
    title RHEL 6 : qemu-kvm-rhev (RHSA-2014:1076)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-0929-1.NASL
    description KVM was updated to fix the following security issues : CVE-2015-3456: Buffer overflow in the floppy drive emulation, which could be used to carry out denial of service attacks or potential code execution against the host. This vulnerability is also known as VENOM. CVE-2014-0222: Integer overflow in the qcow_open function in block/qcow.c in QEMU allowed remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image. CVE-2014-0223: Integer overflow in the qcow_open function in block/qcow.c in QEMU allowed local users to cause a denial of service (crash) and possibly execute arbitrary code via a large image size, which triggers a buffer overflow or out-of-bounds read. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 83854
    published 2015-05-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83854
    title SUSE SLES11 Security Update : KVM (SUSE-SU-2015:0929-1) (Venom)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2014-0927.NASL
    description From Red Hat Security Advisory 2014:0927 : Updated qemu-kvm packages that fix multiple security issues and various bugs are now available for Red Hat Enterprise Linux 7. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. Two integer overflow flaws were found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could use either of these flaws to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0222, CVE-2014-0223) Multiple buffer overflow, input validation, and out-of-bounds write flaws were found in the way virtio, virtio-net, virtio-scsi, usb, and hpet drivers of QEMU handled state loading after migration. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151, CVE-2013-4527, CVE-2013-4529, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461) These issues were discovered by Michael S. Tsirkin, Anthony Liguori and Michael Roth of Red Hat: CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151, CVE-2013-4527, CVE-2013-4529, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, and CVE-2014-3461. This update also fixes the following bugs : * Previously, QEMU did not free pre-allocated zero clusters correctly and the clusters under some circumstances leaked. With this update, pre-allocated zero clusters are freed appropriately and the cluster leaks no longer occur. (BZ#1110188) * Prior to this update, the QEMU command interface did not properly handle resizing of cache memory during guest migration, causing QEMU to terminate unexpectedly with a segmentation fault and QEMU to fail. This update fixes the related code and QEMU no longer crashes in the described situation. (BZ#1110191) * Previously, when a guest device was hot unplugged, QEMU correctly removed the corresponding file descriptor watch but did not re-create it after the device was re-connected. As a consequence, the guest became unable to receive any data from the host over this device. With this update, the file descriptor's watch is re-created and the guest in the above scenario can communicate with the host as expected. (BZ#1110219) * Previously, the QEMU migration code did not account for the gaps caused by hot unplugged devices and thus expected more memory to be transferred during migrations. As a consequence, guest migration failed to complete after multiple devices were hot unplugged. In addition, the migration info text displayed erroneous values for the 'remaining ram' item. With this update, QEMU calculates memory after a device has been unplugged correctly, and any subsequent guest migrations proceed as expected. (BZ#1110189) All qemu-kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 76748
    published 2014-07-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76748
    title Oracle Linux 7 : qemu-kvm (ELSA-2014-0927)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201408-17.NASL
    description The remote host is affected by the vulnerability described in GLSA-201408-17 (QEMU: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in QEMU. Please review the CVE identifiers referenced below for details. Impact : A local attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 77461
    published 2014-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77461
    title GLSA-201408-17 : QEMU: Multiple vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-0927.NASL
    description Updated qemu-kvm packages that fix multiple security issues and various bugs are now available for Red Hat Enterprise Linux 7. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. Two integer overflow flaws were found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could use either of these flaws to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0222, CVE-2014-0223) Multiple buffer overflow, input validation, and out-of-bounds write flaws were found in the way virtio, virtio-net, virtio-scsi, usb, and hpet drivers of QEMU handled state loading after migration. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151, CVE-2013-4527, CVE-2013-4529, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461) These issues were discovered by Michael S. Tsirkin, Anthony Liguori and Michael Roth of Red Hat: CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151, CVE-2013-4527, CVE-2013-4529, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, and CVE-2014-3461. This update also fixes the following bugs : * Previously, QEMU did not free pre-allocated zero clusters correctly and the clusters under some circumstances leaked. With this update, pre-allocated zero clusters are freed appropriately and the cluster leaks no longer occur. (BZ#1110188) * Prior to this update, the QEMU command interface did not properly handle resizing of cache memory during guest migration, causing QEMU to terminate unexpectedly with a segmentation fault and QEMU to fail. This update fixes the related code and QEMU no longer crashes in the described situation. (BZ#1110191) * Previously, when a guest device was hot unplugged, QEMU correctly removed the corresponding file descriptor watch but did not re-create it after the device was re-connected. As a consequence, the guest became unable to receive any data from the host over this device. With this update, the file descriptor's watch is re-created and the guest in the above scenario can communicate with the host as expected. (BZ#1110219) * Previously, the QEMU migration code did not account for the gaps caused by hot unplugged devices and thus expected more memory to be transferred during migrations. As a consequence, guest migration failed to complete after multiple devices were hot unplugged. In addition, the migration info text displayed erroneous values for the 'remaining ram' item. With this update, QEMU calculates memory after a device has been unplugged correctly, and any subsequent guest migrations proceed as expected. (BZ#1110189) All qemu-kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 76907
    published 2014-07-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76907
    title RHEL 7 : qemu-kvm (RHSA-2014:0927)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-6970.NASL
    description - QCOW1 validation CVEs: CVE-2014-0222, CVE-2014-0223 (bz #1097232, bz #1097238, bz #1097222, bz #1097216) - CVE-2014-3461: Issues in USB post load checks (bz #1097260, bz #1096821) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 74414
    published 2014-06-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74414
    title Fedora 20 : qemu-1.6.2-6.fc20 (2014-6970)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3045.NASL
    description Several vulnerabilities were discovered in qemu, a fast processor emulator : - Various security issues have been found in the block qemu drivers. Malformed disk images might result in the execution of arbitrary code. - A NULL pointer dereference in SLIRP may result in denial of service - An information leak was discovered in the VGA emulation
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 78046
    published 2014-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78046
    title Debian DSA-3045-1 : qemu - security update
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-061.NASL
    description Updated qemu packages fix multiple security vulnerabilities : Sibiao Luo discovered that QEMU incorrectly handled device hot-unplugging. A local user could possibly use this flaw to cause a denial of service (CVE-2013-4377). Michael S. Tsirkin discovered that QEMU incorrectly handled vmxnet3 devices. A local guest could possibly use this issue to cause a denial of service, or possibly execute arbitrary code on the host (CVE-2013-4544). Multiple integer overflow, input validation, logic error, and buffer overflow flaws were discovered in various QEMU block drivers. An attacker able to modify a disk image file loaded by a guest could use these flaws to crash the guest, or corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-0143, CVE-2014-0144, CVE-2014-0145, CVE-2014-0147). A buffer overflow flaw was found in the way the virtio_net_handle_mac() function of QEMU processed guest requests to update the table of MAC addresses. A privileged guest user could use this flaw to corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-0150). A divide-by-zero flaw was found in the seek_to_sector() function of the parallels block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0142). A NULL pointer dereference flaw was found in the QCOW2 block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0146). It was found that the block driver for Hyper-V VHDX images did not correctly calculate BAT (Block Allocation Table) entries due to a missing bounds check. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0148). An out-of-bounds memory access flaw was found in the way QEMU's IDE device driver handled the execution of SMART EXECUTE OFFLINE commands. A privileged guest user could use this flaw to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-2894). Two integer overflow flaws were found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could use either of these flaws to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-0222, CVE-2014-0223). Multiple buffer overflow, input validation, and out-of-bounds write flaws were found in the way the virtio, virtio-net, virtio-scsi, and usb drivers of QEMU handled state loading after migration. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2013-4148, CVE-2013-4151, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461). An information leak flaw was found in the way QEMU's VGA emulator accessed frame buffer memory for high resolution displays. A privileged guest user could use this flaw to leak memory contents of the host to the guest by setting the display to use a high resolution in the guest (CVE-2014-3615). When guest sends udp packet with source port and source addr 0, uninitialized socket is picked up when looking for matching and already created udp sockets, and later passed to sosendto() where NULL pointer dereference is hit during so->slirp->vnetwork_mask.s_addr access Only guests using qemu user networking are affected (CVE-2014-3640). The Advanced Threat Research team at Intel Security reported that guest provided parameter were insufficiently validated in rectangle functions in the vmware-vga driver. A privileged guest user could use this flaw to write into qemu address space on the host, potentially escalating their privileges to those of the qemu host process (CVE-2014-3689). It was discovered that QEMU incorrectly handled USB xHCI controller live migration. An attacker could possibly use this issue to cause a denial of service, or possibly execute arbitrary code (CVE-2014-5263). James Spadaro of Cisco reported insufficiently sanitized bits_per_pixel from the client in the QEMU VNC display driver. An attacker having access to the guest's VNC console could use this flaw to crash the guest (CVE-2014-7815). During migration, the values read from migration stream during ram load are not validated. Especially offset in host_from_stream_offset() and also the length of the writes in the callers of the said function. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-7840). Paolo Bonzini of Red Hat discovered that the blit region checks were insufficient in the Cirrus VGA emulator in qemu. A privileged guest user could use this flaw to write into qemu address space on the host, potentially escalating their privileges to those of the qemu host process (CVE-2014-8106). This update also provides usbredirparser 0.6 as a prerequisite of qemu-1.6.2
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 81944
    published 2015-03-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81944
    title Mandriva Linux Security Advisory : qemu (MDVSA-2015:061)
redhat via4
advisories
bugzilla
id 1123271
title Enable ioenventfd for virtio-scsi-pci
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 6 Client is installed
      oval oval:com.redhat.rhba:tst:20111656001
    • comment Red Hat Enterprise Linux 6 Server is installed
      oval oval:com.redhat.rhba:tst:20111656002
    • comment Red Hat Enterprise Linux 6 Workstation is installed
      oval oval:com.redhat.rhba:tst:20111656003
    • comment Red Hat Enterprise Linux 6 ComputeNode is installed
      oval oval:com.redhat.rhba:tst:20111656004
  • OR
    • AND
      • comment qemu-guest-agent is earlier than 2:0.12.1.2-2.415.el6_5.14
        oval oval:com.redhat.rhsa:tst:20141075007
      • comment qemu-guest-agent is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20121234008
    • AND
      • comment qemu-img is earlier than 2:0.12.1.2-2.415.el6_5.14
        oval oval:com.redhat.rhsa:tst:20141075009
      • comment qemu-img is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110345008
    • AND
      • comment qemu-kvm is earlier than 2:0.12.1.2-2.415.el6_5.14
        oval oval:com.redhat.rhsa:tst:20141075005
      • comment qemu-kvm is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110345006
    • AND
      • comment qemu-kvm-tools is earlier than 2:0.12.1.2-2.415.el6_5.14
        oval oval:com.redhat.rhsa:tst:20141075011
      • comment qemu-kvm-tools is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110345010
rhsa
id RHSA-2014:1075
released 2014-08-19
severity Moderate
title RHSA-2014:1075: qemu-kvm security and bug fix update (Moderate)
rpms
  • libcacard-10:1.5.3-60.el7_0.5
  • libcacard-devel-10:1.5.3-60.el7_0.5
  • libcacard-tools-10:1.5.3-60.el7_0.5
  • qemu-guest-agent-10:1.5.3-60.el7_0.5
  • qemu-img-10:1.5.3-60.el7_0.5
  • qemu-kvm-10:1.5.3-60.el7_0.5
  • qemu-kvm-common-10:1.5.3-60.el7_0.5
  • qemu-kvm-tools-10:1.5.3-60.el7_0.5
  • qemu-guest-agent-2:0.12.1.2-2.415.el6_5.14
  • qemu-img-2:0.12.1.2-2.415.el6_5.14
  • qemu-kvm-2:0.12.1.2-2.415.el6_5.14
  • qemu-kvm-tools-2:0.12.1.2-2.415.el6_5.14
refmap via4
bid 67391
debian DSA-3044
fedora FEDORA-2014-6970
mlist
  • [Qemu-devel] 20140512 [PATCH 4/5] qcow1: Validate image size (CVE-2014-0223)
  • [Qemu-stable] 20140723 [ANNOUNCE] QEMU 1.7.2 Stable released
suse SUSE-SU-2015:0929
Last major update 28-11-2016 - 14:10
Published 04-11-2014 - 16:55
Last modified 03-11-2017 - 21:29
Back to Top