From: Marc Deslauriers
Reply-To: Ubuntu Security
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID:
Subject: [USN-3826-1] QEMU vulnerabilities
Ubuntu Security Notice USN-3826-1
November 26, 2018
qemu vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in QEMU.
Software Description:
- qemu: Machine emulator and virtualizer
Details:
Daniel Shapira and Arash Tohidi discovered that QEMU incorrectly handled
NE2000 device emulation. An attacker inside the guest could use this issue
to cause QEMU to crash, resulting in a denial of service. (CVE-2018-10839)

It was discovered that QEMU incorrectly handled the Slirp networking
back-end. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service, or possibly execute
arbitrary code on the host. In the default installation, when QEMU is used
with libvirt, attackers would be isolated by the libvirt AppArmor profile.
This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu
18.04 LTS. (CVE-2018-11806)

Fakhri Zulkifli discovered that the QEMU guest agent incorrectly handled
certain QMP commands. An attacker could possibly use this issue to crash
the QEMU guest agent, resulting in a denial of service. (CVE-2018-12617)

Li Qiang discovered that QEMU incorrectly handled NVM Express Controller
emulation. An attacker inside the guest could use this issue to cause QEMU
to crash, resulting in a denial of service, or possibly execute arbitrary
code on the host. In the default installation, when QEMU is used with
libvirt, attackers would be isolated by the libvirt AppArmor profile. This
issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-16847)

Daniel Shapira and Arash Tohidi discovered that QEMU incorrectly handled
RTL8139 device emulation. An attacker inside the guest could use this issue
to cause QEMU to crash, resulting in a denial of service. (CVE-2018-17958)

Daniel Shapira and Arash Tohidi discovered that QEMU incorrectly handled
PCNET device emulation. An attacker inside the guest could use this issue
to cause QEMU to crash, resulting in a denial of service. (CVE-2018-17962)

Daniel Shapira discovered that QEMU incorrectly handled large packet sizes.
An attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service. (CVE-2018-17963)

It was discovered that QEMU incorrectly handled LSI53C895A device
emulation. An attacker inside the guest could use this issue to cause QEMU
to crash, resulting in a denial of service. (CVE-2018-18849)

Moguofang discovered that QEMU incorrectly handled the IPowerNV LPC
controller. An attacker inside the guest could use this issue to cause QEMU
to crash, resulting in a denial of service. This issue only affected Ubuntu
18.04 LTS and Ubuntu 18.10. (CVE-2018-18954)

Zhibin Hu discovered that QEMU incorrectly handled the Plan 9 File System
support. An attacker inside the guest could use this issue to cause QEMU
to crash, resulting in a denial of service. (CVE-2018-19364)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.10:
qemu-system 1:2.12+dfsg-3ubuntu8.1
qemu-system-arm 1:2.12+dfsg-3ubuntu8.1
qemu-system-mips 1:2.12+dfsg-3ubuntu8.1
qemu-system-misc 1:2.12+dfsg-3ubuntu8.1
qemu-system-ppc 1:2.12+dfsg-3ubuntu8.1
qemu-system-s390x 1:2.12+dfsg-3ubuntu8.1
qemu-system-sparc 1:2.12+dfsg-3ubuntu8.1
qemu-system-x86 1:2.12+dfsg-3ubuntu8.1
Ubuntu 18.04 LTS:
qemu-system 1:2.11+dfsg-1ubuntu7.8
qemu-system-arm 1:2.11+dfsg-1ubuntu7.8
qemu-system-mips 1:2.11+dfsg-1ubuntu7.8
qemu-system-misc 1:2.11+dfsg-1ubuntu7.8
qemu-system-ppc 1:2.11+dfsg-1ubuntu7.8
qemu-system-s390x 1:2.11+dfsg-1ubuntu7.8
qemu-system-sparc 1:2.11+dfsg-1ubuntu7.8
qemu-system-x86 1:2.11+dfsg-1ubuntu7.8
Ubuntu 16.04 LTS:
qemu-system 1:2.5+dfsg-5ubuntu10.33
qemu-system-aarch64 1:2.5+dfsg-5ubuntu10.33
qemu-system-arm 1:2.5+dfsg-5ubuntu10.33
qemu-system-mips 1:2.5+dfsg-5ubuntu10.33
qemu-system-misc 1:2.5+dfsg-5ubuntu10.33
qemu-system-ppc 1:2.5+dfsg-5ubuntu10.33
qemu-system-s390x 1:2.5+dfsg-5ubuntu10.33
qemu-system-sparc 1:2.5+dfsg-5ubuntu10.33
qemu-system-x86 1:2.5+dfsg-5ubuntu10.33
Ubuntu 14.04 LTS:
qemu-system 2.0.0+dfsg-2ubuntu1.44
qemu-system-aarch64 2.0.0+dfsg-2ubuntu1.44
qemu-system-arm 2.0.0+dfsg-2ubuntu1.44
qemu-system-mips 2.0.0+dfsg-2ubuntu1.44
qemu-system-misc 2.0.0+dfsg-2ubuntu1.44
qemu-system-ppc 2.0.0+dfsg-2ubuntu1.44
qemu-system-sparc 2.0.0+dfsg-2ubuntu1.44
qemu-system-x86 2.0.0+dfsg-2ubuntu1.44
After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3826-1
CVE-2018-10839, CVE-2018-11806, CVE-2018-12617, CVE-2018-16847,
CVE-2018-17958, CVE-2018-17962, CVE-2018-17963, CVE-2018-18849,
CVE-2018-18954, CVE-2018-19364
Package Information:
https://launchpad.net/ubuntu/+source/qemu/1:2.12+dfsg-3ubuntu8.1
https://launchpad.net/ubuntu/+source/qemu/1:2.11+dfsg-1ubuntu7.8
https://launchpad.net/ubuntu/+source/qemu/1:2.5+dfsg-5ubuntu10.33
https://launchpad.net/ubuntu/+source/qemu/2.0.0+dfsg-2ubuntu1.44