{"id":"MGASA-2016-0176","summary":"Updated qemu packages fix security vulnerabilities","details":"Updated qemu packages fix security vulnerabilities:\n\nAn out-of-bounds flaw was found in the QEMU emulator built using\n'address_space_translate' to map an address to a MemoryRegionSection. The\nflaw could occur while doing pci_dma_read/write calls, resulting in an\nout-of-bounds read-write access error. A privileged user inside a guest could\nuse this flaw to crash the guest instance (denial of service) (CVE-2015-8817,\nCVE-2015-8818).\n\nA NULL-pointer dereference flaw was found in the QEMU emulator built with TPR\noptimization for 32-bit Windows guests support. The flaw occurs when doing\nI/O-port write operations from the HMP interface. The 'current_cpu' value\nremains null because it is not called from the cpu_exec() loop, and\ndereferencing it results in the flaw. An attacker with access to the HMP\ninterface could use this flaw to crash the QEMU instance (denial of service)\n(CVE-2016-1922).\n\nIt was discovered that QEMU incorrectly handled the e1000 device. An\nattacker inside the guest could use this issue to cause QEMU to crash,\nresulting in a denial of service (CVE-2016-1981).\n\nZuozhi Fzz discovered that QEMU incorrectly handled IDE AHCI emulation. An\nattacker inside the guest could use this issue to cause QEMU to crash,\nresulting in a denial of service (CVE-2016-2197).\n\nZuozhi Fzz discovered that QEMU incorrectly handled USB EHCI emulation. An\nattacker inside the guest could use this issue to cause QEMU to crash,\nresulting in a denial of service (CVE-2016-2198).\n\nZuozhi Fzz discovered that QEMU incorrectly handled USB OHCI emulation\nsupport. A privileged attacker inside the guest could use this issue to\ncause QEMU to crash, resulting in a denial of service (CVE-2016-2391).\n\nQinghao Tang discovered that QEMU incorrectly handled USB Net emulation\nsupport. A privileged attacker inside the guest could use this issue to\ncause QEMU to crash, resulting in a denial of service (CVE-2016-2392).\n\nQinghao Tang discovered that QEMU incorrectly handled USB Net emulation\nsupport. A privileged attacker inside the guest could use this issue to\ncause QEMU to crash, resulting in a denial of service, or possibly leak\nhost memory bytes (CVE-2016-2538).\n\nHongke Yang discovered that QEMU incorrectly handled NE2000 emulation\nsupport. A privileged attacker inside the guest could use this issue to\ncause QEMU to crash, resulting in a denial of service (CVE-2016-2841).\n\nLing Liu discovered that QEMU incorrectly handled IP checksum routines. An\nattacker inside the guest could use this issue to cause QEMU to crash,\nresulting in a denial of service, or possibly leak host memory bytes\n(CVE-2016-2857).\n\nIt was discovered that QEMU incorrectly handled the PRNG back-end support.\nAn attacker inside the guest could use this issue to cause QEMU to crash,\nresulting in a denial of service (CVE-2016-2858).\n\nWei Xiao and Qinghao Tang discovered that QEMU incorrectly handled access\nin the VGA module. A privileged attacker inside the guest could use this\nissue to cause QEMU to crash, resulting in a denial of service, or possibly\nexecute arbitrary code on the host. In the default installation, when QEMU\nis used with libvirt, attackers would be isolated by the libvirt AppArmor\nprofile (CVE-2016-3710).\n\nZuozhi Fzz discovered that QEMU incorrectly handled access in the VGA\nmodule. A privileged attacker inside the guest could use this issue to\ncause QEMU to crash, resulting in a denial of service, or possibly\nexecute arbitrary code on the host. In the default installation, when QEMU\nis used with libvirt, attackers would be isolated by the libvirt AppArmor\nprofile (CVE-2016-3712).\n\nOleksandr Bazhaniuk discovered that QEMU incorrectly handled Luminary\nMicro Stellaris ethernet controller emulation. A remote attacker could use\nthis issue to cause QEMU to crash, resulting in a denial of service\n(CVE-2016-4001).\n\nOleksandr Bazhaniuk discovered that QEMU incorrectly handled MIPSnet\ncontroller emulation. A remote attacker could use this issue to cause QEMU\nto crash, resulting in a denial of service (CVE-2016-4002).\n\nDonghai Zdh discovered that QEMU incorrectly handled the Task Priority\nRegister(TPR). A privileged attacker inside the guest could use this issue\nto possibly leak host memory bytes (CVE-2016-4020).\n\nDu Shaobo discovered that QEMU incorrectly handled USB EHCI emulation\nsupport. A privileged attacker inside the guest could use this issue to\ncause QEMU to consume resources, resulting in a denial of service\n(CVE-2016-4037).\n\nThe qemu package has been updated to version 2.4.1 and patched to fix these\nissues.\n","modified":"2026-02-04T02:33:45.600709Z","published":"2016-05-18T20:14:22Z","related":["CVE-2015-8817","CVE-2015-8818","CVE-2016-1922","CVE-2016-1981","CVE-2016-2197","CVE-2016-2198","CVE-2016-2391","CVE-2016-2392","CVE-2016-2538","CVE-2016-2841","CVE-2016-2857","CVE-2016-2858","CVE-2016-3710","CVE-2016-3712","CVE-2016-4001","CVE-2016-4002","CVE-2016-4020","CVE-2016-4037"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2016-0176.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=17534"},{"type":"REPORT","url":"http://wiki.qemu.org/ChangeLog/2.2"},{"type":"REPORT","url":"http://wiki.qemu.org/ChangeLog/2.3"},{"type":"REPORT","url":"http://wiki.qemu.org/ChangeLog/2.4"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1300771"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1283934"},{"type":"REPORT","url":"http://www.ubuntu.com/usn/usn-2891-1/"},{"type":"REPORT","url":"http://www.ubuntu.com/usn/usn-2974-1/"}],"affected":[{"package":{"name":"qemu","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/qemu?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.1-5.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2016-0176.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}