===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1480
              SUSE Security Update: Security update for qemu
                               14 June 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          qemu
Publisher:        SUSE
Operating System: SUSE
Impact/Access:    Execute Arbitrary Code/Commands -- Existing Account            
                  Increased Privileges            -- Existing Account            
                  Create Arbitrary Files          -- Existing Account            
                  Cross-site Request Forgery      -- Remote with User Interaction
                  Denial of Service               -- Existing Account            
                  Access Confidential Data        -- Existing Account            
Resolution:       Patch/Upgrade
CVE Names:        CVE-2016-4952 CVE-2016-4441 CVE-2016-4439
                  CVE-2016-4037 CVE-2016-4020 CVE-2016-4002
                  CVE-2016-4001 CVE-2016-3712 CVE-2016-3710
                  CVE-2016-2858 CVE-2016-2857 CVE-2016-2841
                  CVE-2016-2538 CVE-2016-2198 CVE-2016-1981
                  CVE-2016-1922 CVE-2016-1714 CVE-2016-1568
                  CVE-2015-8818 CVE-2015-8817 CVE-2015-8745
                  CVE-2015-8744 CVE-2015-8743 CVE-2015-8619
                  CVE-2015-8613 CVE-2015-8568 CVE-2015-8567
                  CVE-2015-8558 CVE-2015-8504 CVE-2015-7549
                  CVE-2015-7295 CVE-2015-5745 CVE-2015-5239
                  CVE-2015-3214 CVE-2014-9718 CVE-2014-3689
                  CVE-2014-3615  

Reference:        ESB-2015.1304
                  ESB-2014.2083.2
                  ESB-2014.1772

--------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for qemu
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:1560-1
Rating:             important
References:         #886378 #895528 #901508 #928393 #934069 #940929 
                    #944463 #947159 #958491 #958917 #959005 #959386 
                    #960334 #960708 #960725 #960835 #961332 #961333 
                    #961358 #961556 #961691 #962320 #963782 #964413 
                    #967969 #969121 #969122 #969350 #970036 #970037 
                    #975128 #975136 #975700 #976109 #978158 #978160 
                    #980711 #980723 #981266 
Cross-References:   CVE-2014-3615 CVE-2014-3689 CVE-2014-9718
                    CVE-2015-3214 CVE-2015-5239 CVE-2015-5745
                    CVE-2015-7295 CVE-2015-7549 CVE-2015-8504
                    CVE-2015-8558 CVE-2015-8567 CVE-2015-8568
                    CVE-2015-8613 CVE-2015-8619 CVE-2015-8743
                    CVE-2015-8744 CVE-2015-8745 CVE-2015-8817
                    CVE-2015-8818 CVE-2016-1568 CVE-2016-1714
                    CVE-2016-1922 CVE-2016-1981 CVE-2016-2198
                    CVE-2016-2538 CVE-2016-2841 CVE-2016-2857
                    CVE-2016-2858 CVE-2016-3710 CVE-2016-3712
                    CVE-2016-4001 CVE-2016-4002 CVE-2016-4020
                    CVE-2016-4037 CVE-2016-4439 CVE-2016-4441
                    CVE-2016-4952
Affected Products:
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that solves 37 vulnerabilities and has two fixes
   is now available.

Description:

   qemu was updated to fix 37 security issues.

   These security issues were fixed:
   - CVE-2016-4439: Avoid OOB access in 53C9X emulation (bsc#980711)
   - CVE-2016-4441: Avoid OOB access in 53C9X emulation (bsc#980723)
   - CVE-2016-4952: Avoid OOB access in VMware PV SCSI emulation (bsc#981266)
   - CVE-2015-8817: Avoid OOB access in PCI DMA I/O (bsc#969121)
   - CVE-2015-8818: Avoid OOB access in PCI DMA I/O (bsc#969122)
   - CVE-2016-3710: Fixed VGA emulation based OOB access with potential for
     guest escape (bsc#978158)
   - CVE-2016-3712: Fixed VGA emulation based DoS and OOB read access exploit
     (bsc#978160)
   - CVE-2016-4037: Fixed USB ehci based DoS (bsc#976109)
   - CVE-2016-2538: Fixed potential OOB access in USB net device emulation
     (bsc#967969)
   - CVE-2016-2841: Fixed OOB access / hang in ne2000 emulation (bsc#969350)
   - CVE-2016-2858: Avoid potential DoS when using QEMU pseudo random number
     generator (bsc#970036)
   - CVE-2016-2857: Fixed OOB access when processing IP checksums (bsc#970037)
   - CVE-2016-4001: Fixed OOB access in Stellaris enet emulated nic
     (bsc#975128)
   - CVE-2016-4002: Fixed OOB access in MIPSnet emulated controller
     (bsc#975136)
   - CVE-2016-4020: Fixed possible host data leakage to guest from TPR access
     (bsc#975700)
   - CVE-2015-3214: Fixed OOB read in i8254 PIC (bsc#934069)
   - CVE-2014-9718: Fixed the handling of malformed or short ide PRDTs to
     avoid any opportunity for guest to cause DoS by abusing that interface
     (bsc#928393)
   - CVE-2014-3689: Fixed insufficient parameter validation in rectangle
     functions (bsc#901508)
   - CVE-2014-3615: The VGA emulator in QEMU allowed local guest users to
     read host memory by setting the display to a high resolution
     (bsc#895528).
   - CVE-2015-5239: Integer overflow in vnc_client_read() and
     protocol_client_msg() (bsc#944463).
   - CVE-2015-5745: Buffer overflow in virtio-serial (bsc#940929).
   - CVE-2015-7295: hw/virtio/virtio.c in the Virtual Network Device
     (virtio-net) support in QEMU, when big or mergeable receive buffers are
     not supported, allowed remote attackers to cause a denial of service
     (guest network consumption) via a flood of jumbo frames on the (1)
     tuntap or (2) macvtap interface (bsc#947159).
   - CVE-2015-7549: PCI null pointer dereferences (bsc#958917).
   - CVE-2015-8504: VNC floating point exception (bsc#958491).
   - CVE-2015-8558: Infinite loop in ehci_advance_state resulting in DoS
     (bsc#959005).
   - CVE-2015-8567: A guest repeatedly activating a vmxnet3 device can leak
     host memory (bsc#959386).
   - CVE-2015-8568: A guest repeatedly activating a vmxnet3 device can leak
     host memory (bsc#959386).
   - CVE-2015-8613: Wrong sized memset in megasas command handler
     (bsc#961358).
   - CVE-2015-8619: Potential DoS for long HMP sendkey command argument
     (bsc#960334).
   - CVE-2015-8743: OOB memory access in ne2000 ioport r/w functions
     (bsc#960725).
   - CVE-2015-8744: Incorrect l2 header validation could have led to a crash
     via assert(2) call (bsc#960835).
   - CVE-2015-8745: Reading IMR registers could have led to a crash via
     assert(2) call (bsc#960708).
   - CVE-2016-1568: AHCI use-after-free in aio port commands (bsc#961332).
   - CVE-2016-1714: Potential OOB memory access in processing firmware
     configuration (bsc#961691).
   - CVE-2016-1922: NULL pointer dereference when processing hmp i/o command
     (bsc#962320).
   - CVE-2016-1981: Potential DoS (infinite loop) in e1000 device emulation
     by malicious privileged user within guest (bsc#963782).
   - CVE-2016-2198: A malicious privileged guest user was able to cause DoS by
     writing to read-only EHCI capabilities registers (bsc#964413).

   This non-security issue was fixed:
   - bsc#886378: qemu truncates vhd images in virt-rescue


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-924=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2016-924=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      qemu-2.0.2-48.19.1
      qemu-block-curl-2.0.2-48.19.1
      qemu-block-curl-debuginfo-2.0.2-48.19.1
      qemu-debugsource-2.0.2-48.19.1
      qemu-guest-agent-2.0.2-48.19.1
      qemu-guest-agent-debuginfo-2.0.2-48.19.1
      qemu-lang-2.0.2-48.19.1
      qemu-tools-2.0.2-48.19.1
      qemu-tools-debuginfo-2.0.2-48.19.1

   - SUSE Linux Enterprise Server 12 (s390x x86_64):

      qemu-kvm-2.0.2-48.19.1

   - SUSE Linux Enterprise Server 12 (ppc64le):

      qemu-ppc-2.0.2-48.19.1
      qemu-ppc-debuginfo-2.0.2-48.19.1

   - SUSE Linux Enterprise Server 12 (x86_64):

      qemu-block-rbd-2.0.2-48.19.1
      qemu-block-rbd-debuginfo-2.0.2-48.19.1
      qemu-x86-2.0.2-48.19.1
      qemu-x86-debuginfo-2.0.2-48.19.1

   - SUSE Linux Enterprise Server 12 (noarch):

      qemu-ipxe-1.0.0-48.19.1
      qemu-seabios-1.7.4-48.19.1
      qemu-sgabios-8-48.19.1
      qemu-vgabios-1.7.4-48.19.1

   - SUSE Linux Enterprise Server 12 (s390x):

      qemu-s390-2.0.2-48.19.1
      qemu-s390-debuginfo-2.0.2-48.19.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      qemu-2.0.2-48.19.1
      qemu-block-curl-2.0.2-48.19.1
      qemu-block-curl-debuginfo-2.0.2-48.19.1
      qemu-debugsource-2.0.2-48.19.1
      qemu-kvm-2.0.2-48.19.1
      qemu-tools-2.0.2-48.19.1
      qemu-tools-debuginfo-2.0.2-48.19.1
      qemu-x86-2.0.2-48.19.1
      qemu-x86-debuginfo-2.0.2-48.19.1

   - SUSE Linux Enterprise Desktop 12 (noarch):

      qemu-ipxe-1.0.0-48.19.1
      qemu-seabios-1.7.4-48.19.1
      qemu-sgabios-8-48.19.1
      qemu-vgabios-1.7.4-48.19.1
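
A check that a host carries the fixed builds from the Package List above, as an added example that is not part of the SUSE or AusCERT text. It assumes inventory lines of the form `name version-release` and uses `sort -V` as an approximation of RPM version ordering; the function names and the sample inventory are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag qemu packages older than the fixed builds in the
# advisory's Package List. Input: "name version-release" per line, e.g. from
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'qemu*'

# Fixed version-release for a package name, taken from the Package List.
fixed_version() {
  case "$1" in
    qemu-ipxe)                  echo "1.0.0-48.19.1" ;;
    qemu-seabios|qemu-vgabios)  echo "1.7.4-48.19.1" ;;
    qemu-sgabios)               echo "8-48.19.1" ;;
    qemu|qemu-*)                echo "2.0.2-48.19.1" ;;
    *)                          return 1 ;;
  esac
}

# True if $1 sorts strictly before $2. sort -V approximates rpm ordering
# for plain numeric versions like these; it is not rpm's own algorithm.
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Reads package lines on stdin, prints one line per outdated package,
# returns 1 if any package is below the fixed build.
check_qemu_fixed() {
  local name ver fixed rc=0
  while read -r name ver; do
    [ -n "$name" ] || continue
    fixed=$(fixed_version "$name") || continue   # not in this advisory
    if version_lt "$ver" "$fixed"; then
      echo "OUTDATED $name $ver (fixed in $fixed)"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample inventory (not from a real host).
SAMPLE_INVENTORY='qemu 2.0.2-48.19.1
qemu-kvm 2.0.2-48.12.1
qemu-seabios 1.7.4-48.9.1
qemu-sgabios 8-48.19.1
bash 4.2-75.2'
```

On a live system, pipe the `rpm -qa` query from the header comment into `check_qemu_fixed`; a non-zero exit status means at least one package predates this update.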


References:

   https://www.suse.com/security/cve/CVE-2014-3615.html
   https://www.suse.com/security/cve/CVE-2014-3689.html
   https://www.suse.com/security/cve/CVE-2014-9718.html
   https://www.suse.com/security/cve/CVE-2015-3214.html
   https://www.suse.com/security/cve/CVE-2015-5239.html
   https://www.suse.com/security/cve/CVE-2015-5745.html
   https://www.suse.com/security/cve/CVE-2015-7295.html
   https://www.suse.com/security/cve/CVE-2015-7549.html
   https://www.suse.com/security/cve/CVE-2015-8504.html
   https://www.suse.com/security/cve/CVE-2015-8558.html
   https://www.suse.com/security/cve/CVE-2015-8567.html
   https://www.suse.com/security/cve/CVE-2015-8568.html
   https://www.suse.com/security/cve/CVE-2015-8613.html
   https://www.suse.com/security/cve/CVE-2015-8619.html
   https://www.suse.com/security/cve/CVE-2015-8743.html
   https://www.suse.com/security/cve/CVE-2015-8744.html
   https://www.suse.com/security/cve/CVE-2015-8745.html
   https://www.suse.com/security/cve/CVE-2015-8817.html
   https://www.suse.com/security/cve/CVE-2015-8818.html
   https://www.suse.com/security/cve/CVE-2016-1568.html
   https://www.suse.com/security/cve/CVE-2016-1714.html
   https://www.suse.com/security/cve/CVE-2016-1922.html
   https://www.suse.com/security/cve/CVE-2016-1981.html
   https://www.suse.com/security/cve/CVE-2016-2198.html
   https://www.suse.com/security/cve/CVE-2016-2538.html
   https://www.suse.com/security/cve/CVE-2016-2841.html
   https://www.suse.com/security/cve/CVE-2016-2857.html
   https://www.suse.com/security/cve/CVE-2016-2858.html
   https://www.suse.com/security/cve/CVE-2016-3710.html
   https://www.suse.com/security/cve/CVE-2016-3712.html
   https://www.suse.com/security/cve/CVE-2016-4001.html
   https://www.suse.com/security/cve/CVE-2016-4002.html
   https://www.suse.com/security/cve/CVE-2016-4020.html
   https://www.suse.com/security/cve/CVE-2016-4037.html
   https://www.suse.com/security/cve/CVE-2016-4439.html
   https://www.suse.com/security/cve/CVE-2016-4441.html
   https://www.suse.com/security/cve/CVE-2016-4952.html
   https://bugzilla.suse.com/886378
   https://bugzilla.suse.com/895528
   https://bugzilla.suse.com/901508
   https://bugzilla.suse.com/928393
   https://bugzilla.suse.com/934069
   https://bugzilla.suse.com/940929
   https://bugzilla.suse.com/944463
   https://bugzilla.suse.com/947159
   https://bugzilla.suse.com/958491
   https://bugzilla.suse.com/958917
   https://bugzilla.suse.com/959005
   https://bugzilla.suse.com/959386
   https://bugzilla.suse.com/960334
   https://bugzilla.suse.com/960708
   https://bugzilla.suse.com/960725
   https://bugzilla.suse.com/960835
   https://bugzilla.suse.com/961332
   https://bugzilla.suse.com/961333
   https://bugzilla.suse.com/961358
   https://bugzilla.suse.com/961556
   https://bugzilla.suse.com/961691
   https://bugzilla.suse.com/962320
   https://bugzilla.suse.com/963782
   https://bugzilla.suse.com/964413
   https://bugzilla.suse.com/967969
   https://bugzilla.suse.com/969121
   https://bugzilla.suse.com/969122
   https://bugzilla.suse.com/969350
   https://bugzilla.suse.com/970036
   https://bugzilla.suse.com/970037
   https://bugzilla.suse.com/975128
   https://bugzilla.suse.com/975136
   https://bugzilla.suse.com/975700
   https://bugzilla.suse.com/976109
   https://bugzilla.suse.com/978158
   https://bugzilla.suse.com/978160
   https://bugzilla.suse.com/980711
   https://bugzilla.suse.com/980723
   https://bugzilla.suse.com/981266

--------------------------END INCLUDED TEXT--------------------
