Security update for qemu

Announcement ID:	SUSE-SU-2017:0625-1
Rating:	important
References:	bsc#1014702 bsc#1015169 bsc#1016779 bsc#1017081 bsc#1017084 bsc#1020491 bsc#1020589 bsc#1020928 bsc#1021129 bsc#1021195 bsc#1021481 bsc#1022541 bsc#1023004 bsc#1023053 bsc#1023073 bsc#1023907 bsc#1024972 bsc#1026583 bsc#977027
Cross-References:	CVE-2016-10028 CVE-2016-10029 CVE-2016-10155 CVE-2016-9921 CVE-2016-9922 CVE-2017-2615 CVE-2017-2620 CVE-2017-5525 CVE-2017-5526 CVE-2017-5552 CVE-2017-5578 CVE-2017-5667 CVE-2017-5856 CVE-2017-5857 CVE-2017-5898
CVSS scores:	CVE-2016-10028 ( SUSE ): 5.4 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L CVE-2016-10028 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2016-10028 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2016-10029 ( SUSE ): 5.4 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L CVE-2016-10029 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2016-10029 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2016-10155 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2016-10155 ( NVD ): 6.0 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2016-9921 ( NVD ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2016-9921 ( NVD ): 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2016-9922 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2016-9922 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2017-2615 ( NVD ): 5.5 CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L CVE-2017-2620 ( NVD ): 9.9 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2017-5525 ( NVD ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2017-5525 ( NVD ): 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2017-5526 ( NVD ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2017-5526 ( NVD ): 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2017-5552 ( NVD ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2017-5552 ( NVD ): 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2017-5578 ( NVD ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2017-5578 ( NVD ): 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2017-5667 ( NVD ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2017-5667 ( NVD ): 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2017-5856 ( NVD ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2017-5856 ( NVD ): 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2017-5857 ( NVD ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2017-5857 ( NVD ): 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2017-5898 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2017-5898 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2

An update that solves 15 vulnerabilities and has four security fixes can now be installed.

Description:

This update for qemu fixes several issues.

These security issues were fixed:

• CVE-2017-5898: The CCID Card device emulator support was vulnerable to an integer overflow flaw allowing a privileged user to crash the Qemu process on the host resulting in DoS (bsc#1023907).
• CVE-2017-5857: The Virtio GPU Device emulator support was vulnerable to a host memory leakage issue allowing a guest user to leak host memory resulting in DoS (bsc#1023073).
• CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo failed to check the memory region, allowing for an out-of-bounds write that allows for privilege escalation (bsc#1024972)
• CVE-2017-2615: An error in the bitblt copy operation could have allowed a malicious guest administrator to cause an out of bounds memory access, possibly leading to information disclosure or privilege escalation (bsc#1023004)
• CVE-2017-5856: The MegaRAID SAS 8708EM2 Host Bus Adapter emulation support was vulnerable to a memory leakage issue allowing a privileged user to leak host memory resulting in DoS (bsc#1023053)
• CVE-2016-9921: The Cirrus CLGD 54xx VGA Emulator support was vulnerable to a divide by zero issue while copying VGA data. A privileged user inside guest could have used this flaw to crash the process instance on the host, resulting in DoS (bsc#1014702)
• CVE-2016-9922: The Cirrus CLGD 54xx VGA Emulator support was vulnerable to a divide by zero issue while copying VGA data. A privileged user inside guest could have used this flaw to crash the process instance on the host, resulting in DoS (bsc#1014702)
• CVE-2016-10029: The Virtio GPU Device emulator support was vulnerable to an OOB read issue allowing a guest user to crash the Qemu process instance resulting in Dos (bsc#1017081).
• CVE-2016-10028: The Virtio GPU Device emulator support was vulnerable to an out of bounds memory access issue allowing a guest user to crash the Qemu process instance on a host, resulting in DoS (bsc#1017084).
• CVE-2016-10155: The virtual hardware watchdog 'wdt_i6300esb' was vulnerable to a memory leakage issue allowing a privileged user to cause a DoS and/or potentially crash the Qemu process on the host (bsc#1021129)
• CVE-2017-5552: The Virtio GPU Device emulator support was vulnerable to a memory leakage issue allowing a guest user to leak host memory resulting in DoS (bsc#1021195).
• CVE-2017-5578: The Virtio GPU Device emulator support was vulnerable to a memory leakage issue allowing a guest user to leak host memory resulting in DoS (bsc#1021481).
• CVE-2017-5526: The ES1370 audio device emulation support was vulnerable to a memory leakage issue allowing a privileged user inside the guest to cause a DoS and/or potentially crash the Qemu process on the host (bsc#1020589).
• CVE-2017-5525: The ac97 audio device emulation support was vulnerable to a memory leakage issue allowing a privileged user inside the guest to cause a DoS and/or potentially crash the Qemu process on the host (bsc#1020491).
• CVE-2017-5667: The SDHCI device emulation support was vulnerable to an OOB heap access issue allowing a privileged user inside the guest to crash the Qemu process resulting in DoS or potentially execute arbitrary code with privileges of the Qemu process on the host (bsc#1022541).
• CVE-2017-5898: The CCID Card device emulator support was vulnerable to an integer overflow allowing a privileged user inside the guest to crash the Qemu process resulting in DoS (bnc#1023907)

These non-security issues were fixed:

• Fix name of s390x specific sysctl configuration file to end with .conf (bsc#1026583)
• XHCI fixes (bsc#977027)
• Fixed rare race during s390x guest reboot
• Fixed various inaccuracies in cirrus vga device emulation
• Fixed cause of infrequent migration failures from bad virtio device state (bsc#1020928)
• Fixed graphical update errors introduced by previous security fix (bsc#1016779)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Desktop 12 SP2
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2017-336=1
• SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2
  zypper in -t patch SUSE-SLE-RPI-12-SP2-2017-336=1
• SUSE Linux Enterprise High Performance Computing 12 SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-336=1
• SUSE Linux Enterprise Server 12 SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-336=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-336=1

Package List:

• SUSE Linux Enterprise Desktop 12 SP2 (x86_64)
  • qemu-x86-2.6.2-41.9.1
  • qemu-2.6.2-41.9.1
  • qemu-tools-2.6.2-41.9.1
  • qemu-debugsource-2.6.2-41.9.1
  • qemu-kvm-2.6.2-41.9.1
  • qemu-tools-debuginfo-2.6.2-41.9.1
  • qemu-block-curl-2.6.2-41.9.1
  • qemu-block-curl-debuginfo-2.6.2-41.9.1
• SUSE Linux Enterprise Desktop 12 SP2 (noarch)
  • qemu-sgabios-8-41.9.1
  • qemu-seabios-1.9.1-41.9.1
  • qemu-vgabios-1.9.1-41.9.1
  • qemu-ipxe-1.0.0-41.9.1
• SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2 (aarch64)
  • qemu-arm-2.6.2-41.9.1
  • qemu-lang-2.6.2-41.9.1
  • qemu-2.6.2-41.9.1
  • qemu-guest-agent-2.6.2-41.9.1
  • qemu-block-ssh-debuginfo-2.6.2-41.9.1
  • qemu-arm-debuginfo-2.6.2-41.9.1
  • qemu-debugsource-2.6.2-41.9.1
  • qemu-tools-2.6.2-41.9.1
  • qemu-guest-agent-debuginfo-2.6.2-41.9.1
  • qemu-block-rbd-2.6.2-41.9.1
  • qemu-block-ssh-2.6.2-41.9.1
  • qemu-tools-debuginfo-2.6.2-41.9.1
  • qemu-block-curl-2.6.2-41.9.1
  • qemu-block-rbd-debuginfo-2.6.2-41.9.1
  • qemu-block-curl-debuginfo-2.6.2-41.9.1
• SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2 (noarch)
  • qemu-ipxe-1.0.0-41.9.1
• SUSE Linux Enterprise High Performance Computing 12 SP2 (aarch64 x86_64)
  • qemu-lang-2.6.2-41.9.1
  • qemu-2.6.2-41.9.1
  • qemu-guest-agent-2.6.2-41.9.1
  • qemu-block-ssh-debuginfo-2.6.2-41.9.1
  • qemu-tools-2.6.2-41.9.1
  • qemu-debugsource-2.6.2-41.9.1
  • qemu-guest-agent-debuginfo-2.6.2-41.9.1
  • qemu-block-rbd-2.6.2-41.9.1
  • qemu-block-ssh-2.6.2-41.9.1
  • qemu-tools-debuginfo-2.6.2-41.9.1
  • qemu-block-curl-2.6.2-41.9.1
  • qemu-block-rbd-debuginfo-2.6.2-41.9.1
  • qemu-block-curl-debuginfo-2.6.2-41.9.1
• SUSE Linux Enterprise High Performance Computing 12 SP2 (aarch64)
  • qemu-arm-debuginfo-2.6.2-41.9.1
  • qemu-arm-2.6.2-41.9.1
• SUSE Linux Enterprise High Performance Computing 12 SP2 (noarch)
  • qemu-sgabios-8-41.9.1
  • qemu-seabios-1.9.1-41.9.1
  • qemu-vgabios-1.9.1-41.9.1
  • qemu-ipxe-1.0.0-41.9.1
• SUSE Linux Enterprise High Performance Computing 12 SP2 (x86_64)
  • qemu-kvm-2.6.2-41.9.1
  • qemu-x86-2.6.2-41.9.1
• SUSE Linux Enterprise Server 12 SP2 (aarch64 ppc64le s390x x86_64)
  • qemu-lang-2.6.2-41.9.1
  • qemu-2.6.2-41.9.1
  • qemu-guest-agent-2.6.2-41.9.1
  • qemu-block-ssh-debuginfo-2.6.2-41.9.1
  • qemu-tools-2.6.2-41.9.1
  • qemu-debugsource-2.6.2-41.9.1
  • qemu-guest-agent-debuginfo-2.6.2-41.9.1
  • qemu-block-ssh-2.6.2-41.9.1
  • qemu-tools-debuginfo-2.6.2-41.9.1
  • qemu-block-curl-2.6.2-41.9.1
  • qemu-block-curl-debuginfo-2.6.2-41.9.1
• SUSE Linux Enterprise Server 12 SP2 (aarch64)
  • qemu-arm-debuginfo-2.6.2-41.9.1
  • qemu-arm-2.6.2-41.9.1
• SUSE Linux Enterprise Server 12 SP2 (aarch64 x86_64)
  • qemu-block-rbd-debuginfo-2.6.2-41.9.1
  • qemu-block-rbd-2.6.2-41.9.1
• SUSE Linux Enterprise Server 12 SP2 (noarch)
  • qemu-sgabios-8-41.9.1
  • qemu-seabios-1.9.1-41.9.1
  • qemu-vgabios-1.9.1-41.9.1
  • qemu-ipxe-1.0.0-41.9.1
• SUSE Linux Enterprise Server 12 SP2 (ppc64le)
  • qemu-ppc-debuginfo-2.6.2-41.9.1
  • qemu-ppc-2.6.2-41.9.1
• SUSE Linux Enterprise Server 12 SP2 (s390x x86_64)
  • qemu-kvm-2.6.2-41.9.1
• SUSE Linux Enterprise Server 12 SP2 (s390x)
  • qemu-s390-2.6.2-41.9.1
  • qemu-s390-debuginfo-2.6.2-41.9.1
• SUSE Linux Enterprise Server 12 SP2 (x86_64)
  • qemu-x86-2.6.2-41.9.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP2 (ppc64le x86_64)
  • qemu-lang-2.6.2-41.9.1
  • qemu-2.6.2-41.9.1
  • qemu-guest-agent-2.6.2-41.9.1
  • qemu-block-ssh-debuginfo-2.6.2-41.9.1
  • qemu-tools-2.6.2-41.9.1
  • qemu-debugsource-2.6.2-41.9.1
  • qemu-guest-agent-debuginfo-2.6.2-41.9.1
  • qemu-block-ssh-2.6.2-41.9.1
  • qemu-tools-debuginfo-2.6.2-41.9.1
  • qemu-block-curl-2.6.2-41.9.1
  • qemu-block-curl-debuginfo-2.6.2-41.9.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP2 (ppc64le)
  • qemu-ppc-debuginfo-2.6.2-41.9.1
  • qemu-ppc-2.6.2-41.9.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP2 (x86_64)
  • qemu-x86-2.6.2-41.9.1
  • qemu-kvm-2.6.2-41.9.1
  • qemu-block-rbd-debuginfo-2.6.2-41.9.1
  • qemu-block-rbd-2.6.2-41.9.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP2 (noarch)
  • qemu-sgabios-8-41.9.1
  • qemu-seabios-1.9.1-41.9.1
  • qemu-vgabios-1.9.1-41.9.1
  • qemu-ipxe-1.0.0-41.9.1

References:

• https://www.suse.com/security/cve/CVE-2016-10028.html
• https://www.suse.com/security/cve/CVE-2016-10029.html
• https://www.suse.com/security/cve/CVE-2016-10155.html
• https://www.suse.com/security/cve/CVE-2016-9921.html
• https://www.suse.com/security/cve/CVE-2016-9922.html
• https://www.suse.com/security/cve/CVE-2017-2615.html
• https://www.suse.com/security/cve/CVE-2017-2620.html
• https://www.suse.com/security/cve/CVE-2017-5525.html
• https://www.suse.com/security/cve/CVE-2017-5526.html
• https://www.suse.com/security/cve/CVE-2017-5552.html
• https://www.suse.com/security/cve/CVE-2017-5578.html
• https://www.suse.com/security/cve/CVE-2017-5667.html
• https://www.suse.com/security/cve/CVE-2017-5856.html
• https://www.suse.com/security/cve/CVE-2017-5857.html
• https://www.suse.com/security/cve/CVE-2017-5898.html
• https://bugzilla.suse.com/show_bug.cgi?id=1014702
• https://bugzilla.suse.com/show_bug.cgi?id=1015169
• https://bugzilla.suse.com/show_bug.cgi?id=1016779
• https://bugzilla.suse.com/show_bug.cgi?id=1017081
• https://bugzilla.suse.com/show_bug.cgi?id=1017084
• https://bugzilla.suse.com/show_bug.cgi?id=1020491
• https://bugzilla.suse.com/show_bug.cgi?id=1020589
• https://bugzilla.suse.com/show_bug.cgi?id=1020928
• https://bugzilla.suse.com/show_bug.cgi?id=1021129
• https://bugzilla.suse.com/show_bug.cgi?id=1021195
• https://bugzilla.suse.com/show_bug.cgi?id=1021481
• https://bugzilla.suse.com/show_bug.cgi?id=1022541
• https://bugzilla.suse.com/show_bug.cgi?id=1023004
• https://bugzilla.suse.com/show_bug.cgi?id=1023053
• https://bugzilla.suse.com/show_bug.cgi?id=1023073
• https://bugzilla.suse.com/show_bug.cgi?id=1023907
• https://bugzilla.suse.com/show_bug.cgi?id=1024972
• https://bugzilla.suse.com/show_bug.cgi?id=1026583
• https://bugzilla.suse.com/show_bug.cgi?id=977027