[arch-security] [ASA-201507-21] qemu: multiple issues
anthraxx at archlinux.org
Wed Jul 29 01:12:38 UTC 2015
Arch Linux Security Advisory ASA-201507-21
Date : 2015-07-29
CVE-ID : CVE-2015-3214 CVE-2015-5154 CVE-2015-5158
Package : qemu
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
The package qemu before version 2.3.0-5 is vulnerable to multiple issues
including arbitrary code execution, information disclosure and denial of
Upgrade to 2.3.0-5.
# pacman -Syu "qemu>=2.3.0-5"
The problems have been fixed upstream but no release is available yet.
- CVE-2015-3214 (information disclosure, arbitrary code execution)
An out-of-bounds memory access flaw, leading to memory corruption or
possibly an information leak, was found in QEMU's pit_ioport_read()
function. A privileged guest user in a QEMU guest, which had QEMU PIT
emulation enabled, could potentially, in rare cases, use this flaw to
execute arbitrary code on the host with the privileges of the hosting
- CVE-2015-5154 (arbitrary code execution)
A heap overflow flaw was found in the way QEMU's IDE subsystem handled
I/O buffer access while processing certain ATAPI commands. A privileged
guest user in a guest with CDROM drive enabled could potentially use
this flaw to execute arbitrary code on the host with the privileges of
the host's QEMU process corresponding to the guest.
- CVE-2015-5158 (denial of service)
This is a guest-triggerable buffer overflow. The scsi_cdb_length() function
returns -1 as an error value, but the caller does not check it. Luckily, the
massive overflow means that QEMU will just SIGSEGV, leading to denial of
service of the guest system.
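The bug class behind CVE-2015-5158 (an error return of -1 used as a copy length) in an added illustration; these are stand-in functions modelled on the description above, not QEMU's own code, and cdb_length, unchecked_copy_len and parse_cdb_checked are hypothetical names:

```c
/* Stand-in for a SCSI CDB length lookup: the bug is that -1 is a valid
 * return value that the caller must check before using it as a length. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define CDB_MAX 16  /* largest CDB length the stand-in parser accepts */

/* CDB length from the opcode's group code (top 3 bits of byte 0).
 * Groups 3, 6 and 7 are reserved/vendor-specific, so -1 means "unknown". */
static int cdb_length(const uint8_t *buf)
{
    switch (buf[0] >> 5) {
    case 0:          return 6;
    case 1: case 2:  return 10;
    case 4:          return 16;
    case 5:          return 12;
    default:         return -1;   /* error value: caller must check it */
    }
}

/* Vulnerable pattern: the int -1 is stored in a size_t and would be handed
 * to memcpy unchecked. We return the length instead of copying so this is
 * safe to run; a real copy of SIZE_MAX bytes is the "massive overflow"
 * that makes the process SIGSEGV. */
size_t unchecked_copy_len(const uint8_t *buf)
{
    size_t len = cdb_length(buf);   /* -1 silently becomes SIZE_MAX */
    return len;
}

/* Hardened parser: reject unknown groups and truncated input before copying.
 * Returns the CDB length copied into out, or -1 on invalid input. */
int parse_cdb_checked(const uint8_t *buf, size_t buf_len, uint8_t out[CDB_MAX])
{
    int len = cdb_length(buf);
    if (len < 0 || (size_t)len > buf_len) {
        return -1;                  /* unknown group or short buffer */
    }
    memcpy(out, buf, (size_t)len);
    return len;
}
```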
A remote attacker is able to execute arbitrary code on the host with the
privileges of the qemu process, or to perform a denial of service attack
that crashes the guest system.