
Security vulnerabilities in the qemu and qemu-kvm software packages

  • OS details: WN7
  • Severity: IMP
  • Operating systems: L
  • Categories: LUB

==========================================================================
Ubuntu Security Notice USN-2342-1
September 08, 2014

qemu, qemu-kvm vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 14.04 LTS
– Ubuntu 12.04 LTS
– Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in QEMU.

Software Description:
– qemu: Machine emulator and virtualizer
– qemu-kvm: Machine emulator and virtualizer

Details:

Michael S. Tsirkin, Anthony Liguori, and Michael Roth discovered multiple
issues with QEMU state loading after migration. An attacker able to modify
the state data could use these issues to cause a denial of service, or
possibly execute arbitrary code. (CVE-2013-4148, CVE-2013-4149,
CVE-2013-4150, CVE-2013-4151, CVE-2013-4526, CVE-2013-4527, CVE-2013-4529,
CVE-2013-4530, CVE-2013-4531, CVE-2013-4532, CVE-2013-4533, CVE-2013-4534,
CVE-2013-4535, CVE-2013-4536, CVE-2013-4537, CVE-2013-4538, CVE-2013-4539,
CVE-2013-4540, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182,
CVE-2014-3461)

Kevin Wolf, Stefan Hajnoczi, Fam Zheng, Jeff Cody, Stefan Hajnoczi, and
others discovered multiple issues in the QEMU block drivers. An attacker
able to modify disk images could use these issues to cause a denial of
service, or possibly execute arbitrary code. (CVE-2014-0142, CVE-2014-0143,
CVE-2014-0144, CVE-2014-0145, CVE-2014-0146, CVE-2014-0147, CVE-2014-0222,
CVE-2014-0223)

It was discovered that QEMU incorrectly handled certain PCIe bus hotplug
operations. A malicious guest could use this issue to crash the QEMU host,
resulting in a denial of service. (CVE-2014-3471)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
qemu-system 2.0.0+dfsg-2ubuntu1.3
qemu-system-aarch64 2.0.0+dfsg-2ubuntu1.3
qemu-system-arm 2.0.0+dfsg-2ubuntu1.3
qemu-system-mips 2.0.0+dfsg-2ubuntu1.3
qemu-system-misc 2.0.0+dfsg-2ubuntu1.3
qemu-system-ppc 2.0.0+dfsg-2ubuntu1.3
qemu-system-sparc 2.0.0+dfsg-2ubuntu1.3
qemu-system-x86 2.0.0+dfsg-2ubuntu1.3

Ubuntu 12.04 LTS:
qemu-kvm 1.0+noroms-0ubuntu14.17

Ubuntu 10.04 LTS:
qemu-kvm 0.12.3+noroms-0ubuntu9.24

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2342-1
CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151,
CVE-2013-4526, CVE-2013-4527, CVE-2013-4529, CVE-2013-4530,
CVE-2013-4531, CVE-2013-4532, CVE-2013-4533, CVE-2013-4534,
CVE-2013-4535, CVE-2013-4536, CVE-2013-4537, CVE-2013-4538,
CVE-2013-4539, CVE-2013-4540, CVE-2013-4541, CVE-2013-4542,
CVE-2013-6399, CVE-2014-0142, CVE-2014-0143, CVE-2014-0144,
CVE-2014-0145, CVE-2014-0146, CVE-2014-0147, CVE-2014-0182,
CVE-2014-0222, CVE-2014-0223, CVE-2014-3461, CVE-2014-3471

Package Information:
https://launchpad.net/ubuntu/+source/qemu/2.0.0+dfsg-2ubuntu1.3
https://launchpad.net/ubuntu/+source/qemu-kvm/1.0+noroms-0ubuntu14.17
https://launchpad.net/ubuntu/+source/qemu-kvm/0.12.3+noroms-0ubuntu9.24


Author: Marijo Plepelic
CERT ID: NCERT-REF-2014-09-0019-ADV
CVE: CERT-CVE-DUMMY
Source ID: CERT-ORIGID-DUMMY
Product: CERT-DUMMY-PRODUCT
Source: http://www.adobe.com/