[CVE-2016-3710] Multiple Qemu security vulnerabilities

Bug #1584662 reported by Adam Heczko
Affects              Status                    Importance   Assigned to        Milestone
Mirantis OpenStack   Status tracked in 10.0.x
  10.0.x             Invalid                   High         MOS Linux
  6.0.x              Won't Fix                 High         MOS Maintenance
  6.1.x              Invalid                   High         MOS Maintenance
  7.0.x              Invalid                   High         MOS Maintenance
  8.0.x              Invalid                   High         MOS Maintenance
  9.x                Fix Released              High         Albert Syriy

Bug Description

Detailed bug description:
It was observed that Qemu and Qemu-kvm packages are affected by multiple security vulnerabilities.
Zuozhi Fzz discovered that QEMU incorrectly handled USB OHCI emulation
support. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service. (CVE-2016-2391)

Qinghao Tang discovered that QEMU incorrectly handled USB Net emulation
support. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service. (CVE-2016-2392)

Qinghao Tang discovered that QEMU incorrectly handled USB Net emulation
support. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service, or possibly leak
host memory bytes. (CVE-2016-2538)

Hongke Yang discovered that QEMU incorrectly handled NE2000 emulation
support. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service. (CVE-2016-2841)

Ling Liu discovered that QEMU incorrectly handled IP checksum routines. An
attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service, or possibly leak host memory bytes.
(CVE-2016-2857)

It was discovered that QEMU incorrectly handled the PRNG back-end support.
An attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service. This issue only applied to Ubuntu 14.04
LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS. (CVE-2016-2858)

Wei Xiao and Qinghao Tang discovered that QEMU incorrectly handled access
in the VGA module. A privileged attacker inside the guest could use this
issue to cause QEMU to crash, resulting in a denial of service, or possibly
execute arbitrary code on the host. In the default installation, when QEMU
is used with libvirt, attackers would be isolated by the libvirt AppArmor
profile. (CVE-2016-3710)

Zuozhi Fzz discovered that QEMU incorrectly handled access in the VGA
module. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service, or possibly
execute arbitrary code on the host. In the default installation, when QEMU
is used with libvirt, attackers would be isolated by the libvirt AppArmor
profile. (CVE-2016-3712)

Oleksandr Bazhaniuk discovered that QEMU incorrectly handled Luminary
Micro Stellaris ethernet controller emulation. A remote attacker could use
this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2016-4001)

Oleksandr Bazhaniuk discovered that QEMU incorrectly handled MIPSnet
controller emulation. A remote attacker could use this issue to cause QEMU
to crash, resulting in a denial of service. (CVE-2016-4002)

Donghai Zdh discovered that QEMU incorrectly handled the Task Priority
Register (TPR). A privileged attacker inside the guest could use this issue
to possibly leak host memory bytes. This issue only applied to Ubuntu 14.04
LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS. (CVE-2016-4020)

Du Shaobo discovered that QEMU incorrectly handled USB EHCI emulation
support. A privileged attacker inside the guest could use this issue to
cause QEMU to consume resources, resulting in a denial of service.
(CVE-2016-4037)

Upstream bug reports:
http://www.ubuntu.com/usn/usn-2974-1/
https://access.redhat.com/errata/RHSA-2016:1019
https://access.redhat.com/errata/RHSA-2016:0997

Solution proposal:
Apply appropriate security patches, recompile and publish updated qemu and qemu-kvm packages for MOS.

Changed in mos:
assignee: MOS Linux (mos-linux) → MOS Maintenance (mos-maintenance)
Denis Meltsaykin (dmeltsaykin) wrote :

Setting as Invalid for 6.1 and 7.0 as they use upstream qemu.

Dina Belova (dbelova)
tags: added: area-linux
Albert Syriy (asyriy) wrote :

There are no QEMU sources in the 8.0 branch (at all).

Albert Syriy (asyriy) wrote :

The fixes have been proposed to the Ubuntu 16.04 upstream, so the bug is invalid due to using the upstream version of QEMU.

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to packages/trusty/qemu (master)

Reviewed: https://review.fuel-infra.org/21235
Submitter: Pkgs Jenkins <email address hidden>
Branch: master

Commit: 5a1ecc38811fea0bde6c3c84bdd6f0b7260864b9
Author: Albert Syriy <email address hidden>
Date: Fri May 27 10:47:07 2016

CVE security fix(es) for QEMU ver 2.3 (has been fixed since QEMU ver 2.6)

Change-Id: I41ffc6ac13647fb69fb7e7ba29df6f993d08a699
Closes-Bug: #1584662

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to packages/trusty/qemu (9.0)

Fix proposed to branch: 9.0
Change author: Albert Syriy <email address hidden>
Review: https://review.fuel-infra.org/21359

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to packages/trusty/qemu (9.0)

Reviewed: https://review.fuel-infra.org/21359
Submitter: Pkgs Jenkins <email address hidden>
Branch: 9.0

Commit: 08373f9f8cd03b10fd51435016fe1843dad43b67
Author: Albert Syriy <email address hidden>
Date: Mon May 30 08:15:47 2016

CVE security fix(es) for QEMU ver 2.3 (has been fixed since QEMU ver 2.6)

Change-Id: I41ffc6ac13647fb69fb7e7ba29df6f993d08a699
Closes-Bug: #1584662
(cherry picked from commit 5a1ecc38811fea0bde6c3c84bdd6f0b7260864b9)

Alexander Gubanov (ogubanov) wrote :

I've verified on MOS 9.0 (build 445) - packages were updated.
Details http://pastebin.com/a4fb9LDJ

tags: added: feature-security
Fuel Devops McRobotson (fuel-devops-robot) wrote : Related fix proposed to packages/trusty/qemu (9.0)

Related fix proposed to branch: 9.0
Change author: Dmitry Teselkin <email address hidden>
Review: https://review.fuel-infra.org/27800

Fuel Devops McRobotson (fuel-devops-robot) wrote : Related fix merged to packages/trusty/qemu (9.0)

Reviewed: https://review.fuel-infra.org/27800
Submitter: Pkgs Jenkins <email address hidden>
Branch: 9.0

Commit: d7e106a46b3b2771fb90b3c55dd650fc02a8c613
Author: Dmitry Teselkin <email address hidden>
Date: Wed Oct 26 08:49:10 2016

Merge with 'feature/nfv'

* Checkout from 110d4f1c5e7fedaa17973cbe0aa2bed5ae8c0673

* Cherry-pick from 5a1ecc38811fea0bde6c3c84bdd6f0b7260864b9)
  CVE security fix(es) for QEMU ver 2.3 (has been fixed since QEMU ver 2.6)

  Related-Bug: #1584662

* Cherry-pick from 07bf2cb1edb049271b5150d7c4f9b37e89c02ee0
  QEMU security update

  All patches listed in [0] except CVE-2016-5403
  were applied.

  [0] http://www.ubuntu.com/usn/usn-3047-2/

  Related-Bug: #1615063

Change-Id: I27aca76840b1c81b21ee0f76a50cdae4200b3407

Alexey Stupnikov (astupnikov) wrote :

MOS6.0 is no longer supported, moving to Won't Fix.

This report contains Public Security information: everyone can see this security-related information.
