
Vulnerabilities in the qemu software package

  • OS details: LUB
  • Importance: IMP
  • Operating systems: L
  • Categories: LUB

==========================================================================
Ubuntu Security Notice USN-2692-1
July 28, 2015

qemu vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 15.04
– Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in QEMU.

Software Description:
– qemu: Machine emulator and virtualizer

Details:

Matt Tait discovered that QEMU incorrectly handled PIT emulation. In a
non-default configuration, a malicious guest could use this issue to cause
a denial of service, or possibly execute arbitrary code on the host as the
user running the QEMU process. In the default installation, when QEMU is
used with libvirt, attackers would be isolated by the libvirt AppArmor
profile. (CVE-2015-3214)

Kevin Wolf discovered that QEMU incorrectly handled processing ATAPI
commands. A malicious guest could use this issue to cause a denial of
service, or possibly execute arbitrary code on the host as the user running
the QEMU process. In the default installation, when QEMU is used with
libvirt, attackers would be isolated by the libvirt AppArmor profile.
(CVE-2015-5154)

Zhu Donghai discovered that QEMU incorrectly handled the SCSI driver. A
malicious guest could use this issue to cause a denial of service, or
possibly execute arbitrary code on the host as the user running the QEMU
process. In the default installation, when QEMU is used with libvirt,
attackers would be isolated by the libvirt AppArmor profile. This issue
only affected Ubuntu 15.04. (CVE-2015-5158)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 15.04:
qemu-system 1:2.2+dfsg-5expubuntu9.3
qemu-system-aarch64 1:2.2+dfsg-5expubuntu9.3
qemu-system-arm 1:2.2+dfsg-5expubuntu9.3
qemu-system-mips 1:2.2+dfsg-5expubuntu9.3
qemu-system-misc 1:2.2+dfsg-5expubuntu9.3
qemu-system-ppc 1:2.2+dfsg-5expubuntu9.3
qemu-system-sparc 1:2.2+dfsg-5expubuntu9.3
qemu-system-x86 1:2.2+dfsg-5expubuntu9.3

Ubuntu 14.04 LTS:
qemu-system 2.0.0+dfsg-2ubuntu1.15
qemu-system-aarch64 2.0.0+dfsg-2ubuntu1.15
qemu-system-arm 2.0.0+dfsg-2ubuntu1.15
qemu-system-mips 2.0.0+dfsg-2ubuntu1.15
qemu-system-misc 2.0.0+dfsg-2ubuntu1.15
qemu-system-ppc 2.0.0+dfsg-2ubuntu1.15
qemu-system-sparc 2.0.0+dfsg-2ubuntu1.15
qemu-system-x86 2.0.0+dfsg-2ubuntu1.15

After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2692-1
CVE-2015-3214, CVE-2015-5154, CVE-2015-5158

Package Information:
https://launchpad.net/ubuntu/+source/qemu/1:2.2+dfsg-5expubuntu9.3
https://launchpad.net/ubuntu/+source/qemu/2.0.0+dfsg-2ubuntu1.15


Author: Tomislav Protega
CERT ID: NCERT-REF-2015-07-0002-ADV
CVE: CVE-2015-3214 CVE-2015-5154 CVE-2015-5158
Source ID: USN-2692-1
Product: qemu
Source: http://www.ubuntu.com