SUSE-SU-2014:1278-1: moderate: Security update for kvm

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Wed Oct 8 16:04:41 MDT 2014


   SUSE Security Update: Security update for kvm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1278-1
Rating:             moderate
References:         #876842 #877642 #877645 #878541 #886535 
Cross-References:   CVE-2014-0222 CVE-2014-0223 CVE-2014-3461
                   
Affected Products:
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that solves three vulnerabilities and has two
   fixes is now available. It includes one version update.

Description:


   kvm has been updated to fix issues in the embedded qemu:

       *

         CVE-2014-0223: An integer overflow flaw was found in the QEMU block
   driver for QCOW version 1 disk images. A user able to alter the QEMU disk
   image files loaded by a guest could have used this flaw to corrupt QEMU
   process memory on the host, which could potentially have resulted in
   arbitrary code execution on the host with the privileges
         of the QEMU process.

       *

         CVE-2014-3461: A user able to alter the savevm data (either on the
   disk or over the wire during migration) could have used this flaw to to
   corrupt QEMU process memory on the (destination) host, which could have
   potentially resulted in arbitrary code execution on the host with the
   privileges of the QEMU process.

       *

         CVE-2014-0222: An integer overflow flaw was found in the QEMU block
   driver for QCOW version 1 disk images. A user able to alter the QEMU disk
   image files loaded by a guest could have used this flaw to corrupt QEMU
   process memory on the host, which could have potentially resulted in
   arbitrary code execution on the host with the privileges
         of the QEMU process.

   Non-security bugs fixed:

       * Fix exceeding IRQ routes that could have caused freezes of guests.
         (bnc#876842)
       * Fix CPUID emulation bugs that may have broken Windows guests with
         newer -cpu types (bnc#886535)

   Security Issues:

       * CVE-2014-0222
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0222>
       * CVE-2014-0223
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0223>
       * CVE-2014-3461
         <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3461>


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP3:

      zypper in -t patch slessp3-kvm-9739

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-kvm-9739

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 11 SP3 (i586 s390x x86_64) [New Version: 1.4.2]:

      kvm-1.4.2-0.17.1

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 1.4.2]:

      kvm-1.4.2-0.17.1


References:

   http://support.novell.com/security/cve/CVE-2014-0222.html
   http://support.novell.com/security/cve/CVE-2014-0223.html
   http://support.novell.com/security/cve/CVE-2014-3461.html
   https://bugzilla.suse.com/show_bug.cgi?id=876842
   https://bugzilla.suse.com/show_bug.cgi?id=877642
   https://bugzilla.suse.com/show_bug.cgi?id=877645
   https://bugzilla.suse.com/show_bug.cgi?id=878541
   https://bugzilla.suse.com/show_bug.cgi?id=886535
   http://download.suse.com/patch/finder/?keywords=edfe5d595d3bf57ca949f09aec30ca76



More information about the sle-security-updates mailing list