Security update for qemu

Announcement ID:	SUSE-SU-2016:2589-1
Rating:	important
References:	bsc#1000048 bsc#967012 bsc#967013 bsc#982017 bsc#982018 bsc#982019 bsc#982222 bsc#982223 bsc#982285 bsc#982959 bsc#983961 bsc#983982 bsc#991080 bsc#991466 bsc#994760 bsc#994771 bsc#994774 bsc#996441 bsc#997858 bsc#997859
Cross-References:	CVE-2016-2391 CVE-2016-2392 CVE-2016-4453 CVE-2016-4454 CVE-2016-5105 CVE-2016-5106 CVE-2016-5107 CVE-2016-5126 CVE-2016-5238 CVE-2016-5337 CVE-2016-5338 CVE-2016-5403 CVE-2016-6490 CVE-2016-6833 CVE-2016-6836 CVE-2016-6888 CVE-2016-7116 CVE-2016-7155 CVE-2016-7156
CVSS scores:	CVE-2016-2391 ( NVD ): 5.0 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H CVE-2016-2391 ( NVD ): 5.0 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H CVE-2016-2392 ( NVD ): 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2016-4453 ( NVD ): 4.4 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2016-4454 ( NVD ): 6.0 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H CVE-2016-5105 ( NVD ): 4.1 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N CVE-2016-5106 ( NVD ): 5.3 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2016-5107 ( NVD ): 5.3 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2016-5126 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-5126 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-5238 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2016-5337 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2016-5337 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2016-5338 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-5338 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-5403 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2016-6490 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2016-6490 ( NVD ): 4.4 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2016-6833 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2016-6833 ( NVD ): 4.4 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2016-6836 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N CVE-2016-6836 ( NVD ): 6.0 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N CVE-2016-6888 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2016-6888 ( NVD ): 4.4 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2016-7116 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N CVE-2016-7116 ( NVD ): 6.0 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N CVE-2016-7155 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2016-7155 ( NVD ): 4.4 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2016-7156 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2016-7156 ( NVD ): 4.4 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP1

An update that solves 19 vulnerabilities and has one security fix can now be installed.

Description:

qemu was updated to fix 19 security issues.

These security issues were fixed: - CVE-2016-2392: The is_rndis function in the USB Net device emulator (hw/usb/dev-network.c) in QEMU did not properly validate USB configuration descriptor objects, which allowed local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving a remote NDIS control message packet (bsc#967012) - CVE-2016-2391: The ohci_bus_start function in the USB OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU allowed local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors related to multiple eof_timers (bsc#967013) - CVE-2016-5106: The megasas_dcmd_set_properties function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allowed local guest administrators to cause a denial of service (out-of-bounds write access) via vectors involving a MegaRAID Firmware Interface (MFI) command (bsc#982018) - CVE-2016-5105: The megasas_dcmd_cfg_read function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, used an uninitialized variable, which allowed local guest administrators to read host memory via vectors involving a MegaRAID Firmware Interface (MFI) command (bsc#982017) - CVE-2016-5107: The megasas_lookup_frame function in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allowed local guest OS administrators to cause a denial of service (out-of-bounds read and crash) via unspecified vectors (bsc#982019) - CVE-2016-5126: Heap-based buffer overflow in the iscsi_aio_ioctl function in block/iscsi.c in QEMU allowed local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call (bsc#982285) - CVE-2016-4454: The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU allowed local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggers an out-of-bounds read (bsc#982222) - CVE-2016-4453: The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command (bsc#982223) - CVE-2016-5338: The (1) esp_reg_read and (2) esp_reg_write functions in hw/scsi/esp.c in QEMU allowed local guest OS administrators to cause a denial of service (QEMU process crash) or execute arbitrary code on the QEMU host via vectors related to the information transfer buffer (bsc#983982) - CVE-2016-5337: The megasas_ctrl_get_info function in hw/scsi/megasas.c in QEMU allowed local guest OS administrators to obtain sensitive host memory information via vectors related to reading device control information (bsc#983961) - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c in QEMU allowed local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to reading from the information transfer buffer in non-DMA mode (bsc#982959) - CVE-2016-5403: The virtqueue_pop function in hw/virtio/virtio.c in QEMU allowed local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion (bsc#991080) - CVE-2016-6490: Infinite loop in the virtio framework. A privileged user inside the guest could have used this flaw to crash the Qemu instance on the host resulting in DoS (bsc#991466) - CVE-2016-6888: Integer overflow in packet initialisation in VMXNET3 device driver. A privileged user inside guest could have used this flaw to crash the Qemu instance resulting in DoS (bsc#994771) - CVE-2016-6833: Use-after-free issue in the VMWARE VMXNET3 NIC device support. A privileged user inside guest could have used this issue to crash the Qemu instance resulting in DoS (bsc#994774) - CVE-2016-7116: Host directory sharing via Plan 9 File System(9pfs) was vulnerable to a directory/path traversal issue. A privileged user inside guest could have used this flaw to access undue files on the host (bsc#996441) - CVE-2016-6836: VMWARE VMXNET3 NIC device support was leaging information leakage. A privileged user inside guest could have used this to leak host memory bytes to a guest (bsc#994760) - CVE-2016-7155: In the VMWARE PVSCSI paravirtual SCSI bus a OOB access and/or infinite loop issue could have allowed a privileged user inside guest to crash the Qemu process resulting in DoS (bsc#997858) - CVE-2016-7156: In the VMWARE PVSCSI paravirtual SCSI bus a infinite loop issue could have allowed a privileged user inside guest to crash the Qemu process resulting in DoS (bsc#997859)

This non-security issue was fixed: - bsc#1000048: Fix migration failure where target host is a soon to be released SLES 12 SP2. Qemu's spice code gets an assertion.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Desktop 12 SP1
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1523=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP1
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1523=1
• SUSE Linux Enterprise Server 12 SP1
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1523=1

Package List:

• SUSE Linux Enterprise Desktop 12 SP1 (x86_64)
  • qemu-debugsource-2.3.1-21.1
  • qemu-tools-debuginfo-2.3.1-21.1
  • qemu-x86-2.3.1-21.1
  • qemu-2.3.1-21.1
  • qemu-block-curl-2.3.1-21.1
  • qemu-tools-2.3.1-21.1
  • qemu-kvm-2.3.1-21.1
  • qemu-block-curl-debuginfo-2.3.1-21.1
• SUSE Linux Enterprise Desktop 12 SP1 (noarch)
  • qemu-sgabios-8-21.1
  • qemu-ipxe-1.0.0-21.1
  • qemu-vgabios-1.8.1-21.1
  • qemu-seabios-1.8.1-21.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP1 (ppc64le x86_64)
  • qemu-lang-2.3.1-21.1
  • qemu-debugsource-2.3.1-21.1
  • qemu-guest-agent-debuginfo-2.3.1-21.1
  • qemu-tools-debuginfo-2.3.1-21.1
  • qemu-2.3.1-21.1
  • qemu-block-curl-2.3.1-21.1
  • qemu-tools-2.3.1-21.1
  • qemu-guest-agent-2.3.1-21.1
  • qemu-block-curl-debuginfo-2.3.1-21.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP1 (ppc64le)
  • qemu-ppc-debuginfo-2.3.1-21.1
  • qemu-ppc-2.3.1-21.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP1 (x86_64)
  • qemu-x86-2.3.1-21.1
  • qemu-kvm-2.3.1-21.1
  • qemu-block-rbd-debuginfo-2.3.1-21.1
  • qemu-block-rbd-2.3.1-21.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP1 (noarch)
  • qemu-sgabios-8-21.1
  • qemu-ipxe-1.0.0-21.1
  • qemu-vgabios-1.8.1-21.1
  • qemu-seabios-1.8.1-21.1
• SUSE Linux Enterprise Server 12 SP1 (ppc64le s390x x86_64)
  • qemu-lang-2.3.1-21.1
  • qemu-debugsource-2.3.1-21.1
  • qemu-guest-agent-debuginfo-2.3.1-21.1
  • qemu-tools-debuginfo-2.3.1-21.1
  • qemu-2.3.1-21.1
  • qemu-block-curl-2.3.1-21.1
  • qemu-tools-2.3.1-21.1
  • qemu-guest-agent-2.3.1-21.1
  • qemu-block-curl-debuginfo-2.3.1-21.1
• SUSE Linux Enterprise Server 12 SP1 (ppc64le)
  • qemu-ppc-debuginfo-2.3.1-21.1
  • qemu-ppc-2.3.1-21.1
• SUSE Linux Enterprise Server 12 SP1 (s390x x86_64)
  • qemu-kvm-2.3.1-21.1
• SUSE Linux Enterprise Server 12 SP1 (s390x)
  • qemu-s390-2.3.1-21.1
  • qemu-s390-debuginfo-2.3.1-21.1
• SUSE Linux Enterprise Server 12 SP1 (x86_64)
  • qemu-x86-2.3.1-21.1
  • qemu-block-rbd-debuginfo-2.3.1-21.1
  • qemu-block-rbd-2.3.1-21.1
• SUSE Linux Enterprise Server 12 SP1 (noarch)
  • qemu-sgabios-8-21.1
  • qemu-ipxe-1.0.0-21.1
  • qemu-vgabios-1.8.1-21.1
  • qemu-seabios-1.8.1-21.1

References:

• https://www.suse.com/security/cve/CVE-2016-2391.html
• https://www.suse.com/security/cve/CVE-2016-2392.html
• https://www.suse.com/security/cve/CVE-2016-4453.html
• https://www.suse.com/security/cve/CVE-2016-4454.html
• https://www.suse.com/security/cve/CVE-2016-5105.html
• https://www.suse.com/security/cve/CVE-2016-5106.html
• https://www.suse.com/security/cve/CVE-2016-5107.html
• https://www.suse.com/security/cve/CVE-2016-5126.html
• https://www.suse.com/security/cve/CVE-2016-5238.html
• https://www.suse.com/security/cve/CVE-2016-5337.html
• https://www.suse.com/security/cve/CVE-2016-5338.html
• https://www.suse.com/security/cve/CVE-2016-5403.html
• https://www.suse.com/security/cve/CVE-2016-6490.html
• https://www.suse.com/security/cve/CVE-2016-6833.html
• https://www.suse.com/security/cve/CVE-2016-6836.html
• https://www.suse.com/security/cve/CVE-2016-6888.html
• https://www.suse.com/security/cve/CVE-2016-7116.html
• https://www.suse.com/security/cve/CVE-2016-7155.html
• https://www.suse.com/security/cve/CVE-2016-7156.html
• https://bugzilla.suse.com/show_bug.cgi?id=1000048
• https://bugzilla.suse.com/show_bug.cgi?id=967012
• https://bugzilla.suse.com/show_bug.cgi?id=967013
• https://bugzilla.suse.com/show_bug.cgi?id=982017
• https://bugzilla.suse.com/show_bug.cgi?id=982018
• https://bugzilla.suse.com/show_bug.cgi?id=982019
• https://bugzilla.suse.com/show_bug.cgi?id=982222
• https://bugzilla.suse.com/show_bug.cgi?id=982223
• https://bugzilla.suse.com/show_bug.cgi?id=982285
• https://bugzilla.suse.com/show_bug.cgi?id=982959
• https://bugzilla.suse.com/show_bug.cgi?id=983961
• https://bugzilla.suse.com/show_bug.cgi?id=983982
• https://bugzilla.suse.com/show_bug.cgi?id=991080
• https://bugzilla.suse.com/show_bug.cgi?id=991466
• https://bugzilla.suse.com/show_bug.cgi?id=994760
• https://bugzilla.suse.com/show_bug.cgi?id=994771
• https://bugzilla.suse.com/show_bug.cgi?id=994774
• https://bugzilla.suse.com/show_bug.cgi?id=996441
• https://bugzilla.suse.com/show_bug.cgi?id=997858
• https://bugzilla.suse.com/show_bug.cgi?id=997859