SUSE-SU-2015:0349-1: moderate: Security update for qemu

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Mon Feb 23 02:04:56 MST 2015


   SUSE Security Update: Security update for qemu
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:0349-1
Rating:             moderate
References:         #905097 #907805 #908380 
Cross-References:   CVE-2014-7840 CVE-2014-8106
Affected Products:
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that solves two vulnerabilities and has one
   errata is now available.

Description:


   QEMU was updated to fix various bugs and security issues.

   Following security issues were fixed: CVE-2014-8106: Heap-based buffer
   overflow in the Cirrus VGA emulator (hw/display/cirrus_vga.c) in QEMU
   allowed local guest users to execute arbitrary code via vectors related to
   blit regions.

   CVE-2014-7840: The host_from_stream_offset function in arch_init.c in
   QEMU, when loading RAM during migration, allowed remote attackers to
   execute arbitrary code via a crafted (1) offset or (2) length value in
   savevm data.

   Also a bug was fixed where qemu-img convert could occasionaly corrupt
   images. (bsc#908380)


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-88=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-88=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      qemu-2.0.2-42.1
      qemu-block-curl-2.0.2-42.1
      qemu-block-curl-debuginfo-2.0.2-42.1
      qemu-debugsource-2.0.2-42.1
      qemu-guest-agent-2.0.2-42.1
      qemu-guest-agent-debuginfo-2.0.2-42.1
      qemu-lang-2.0.2-42.1
      qemu-tools-2.0.2-42.1
      qemu-tools-debuginfo-2.0.2-42.1

   - SUSE Linux Enterprise Server 12 (s390x x86_64):

      qemu-kvm-2.0.2-42.1

   - SUSE Linux Enterprise Server 12 (ppc64le):

      qemu-ppc-2.0.2-42.1
      qemu-ppc-debuginfo-2.0.2-42.1

   - SUSE Linux Enterprise Server 12 (noarch):

      qemu-ipxe-1.0.0-42.1
      qemu-seabios-1.7.4-42.1
      qemu-sgabios-8-42.1
      qemu-vgabios-1.7.4-42.1

   - SUSE Linux Enterprise Server 12 (x86_64):

      qemu-x86-2.0.2-42.1
      qemu-x86-debuginfo-2.0.2-42.1

   - SUSE Linux Enterprise Server 12 (s390x):

      qemu-s390-2.0.2-42.1
      qemu-s390-debuginfo-2.0.2-42.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      qemu-2.0.2-42.1
      qemu-block-curl-2.0.2-42.1
      qemu-block-curl-debuginfo-2.0.2-42.1
      qemu-debugsource-2.0.2-42.1
      qemu-kvm-2.0.2-42.1
      qemu-tools-2.0.2-42.1
      qemu-tools-debuginfo-2.0.2-42.1
      qemu-x86-2.0.2-42.1
      qemu-x86-debuginfo-2.0.2-42.1

   - SUSE Linux Enterprise Desktop 12 (noarch):

      qemu-ipxe-1.0.0-42.1
      qemu-seabios-1.7.4-42.1
      qemu-sgabios-8-42.1
      qemu-vgabios-1.7.4-42.1


References:

   http://support.novell.com/security/cve/CVE-2014-7840.html
   http://support.novell.com/security/cve/CVE-2014-8106.html
   https://bugzilla.suse.com/905097
   https://bugzilla.suse.com/907805
   https://bugzilla.suse.com/908380



More information about the sle-security-updates mailing list