SecurityTracker.com
Category:   Application (Generic)  >   QEMU
Vendors:   QEMU.org
(Oracle Issues Fix for Oracle Linux) QEMU IDE Heap Overflow Lets Local Users on a Guest System Gain Elevated Privileges on the Host System
SecurityTracker Alert ID:  1033085
SecurityTracker URL:  http://securitytracker.com/id/1033085
CVE Reference:   CVE-2015-5154
Date:  Jul 28 2015
Impact:   User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in QEMU. A local user on the guest system can gain elevated privileges on the host system.

A local privileged user on a guest system that has a CDROM drive enabled can issue specially crafted ATAPI commands to trigger a heap overflow in the IDE subsystem and execute arbitrary code on the host system. The code will run on the host with the privileges of the QEMU process assigned to the guest system.

Kevin Wolf of Red Hat reported this vulnerability.

Impact:   A local privileged user on the guest system can gain elevated privileges on the host system.
Solution:   Oracle has issued a fix for Oracle Linux.

The Oracle advisory is available at:

http://linux.oracle.com/errata/ELSA-2015-1507.html

Vendor URL:  wiki.qemu.org/Main_Page
Cause:   Boundary error
Underlying OS:  Linux (Oracle)
Underlying OS Comments:  7

Message History:   This archive entry is a follow-up to the message listed below.
Jul 27 2015 QEMU IDE Heap Overflow Lets Local Users on a Guest System Gain Elevated Privileges on the Host System



 Source Message Contents

Subject:  [El-errata] ELSA-2015-1507 Important: Oracle Linux 7 qemu-kvm security and bug fix update

Oracle Linux Security Advisory ELSA-2015-1507

http://linux.oracle.com/errata/ELSA-2015-1507.html

The following updated rpms for Oracle Linux 7 have been uploaded to the 
Unbreakable Linux Network:

x86_64:
libcacard-1.5.3-86.el7_1.5.i686.rpm
libcacard-1.5.3-86.el7_1.5.x86_64.rpm
libcacard-devel-1.5.3-86.el7_1.5.i686.rpm
libcacard-devel-1.5.3-86.el7_1.5.x86_64.rpm
libcacard-tools-1.5.3-86.el7_1.5.x86_64.rpm
qemu-img-1.5.3-86.el7_1.5.x86_64.rpm
qemu-kvm-1.5.3-86.el7_1.5.x86_64.rpm
qemu-kvm-common-1.5.3-86.el7_1.5.x86_64.rpm
qemu-kvm-tools-1.5.3-86.el7_1.5.x86_64.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/qemu-kvm-1.5.3-86.el7_1.5.src.rpm



Description of changes:

[1.5.3-86.el7_1.5]
- kvm-i8254-fix-out-of-bounds-memory-access-in-pit_ioport_.patch [bz#1243726]
- Resolves: bz#1243726
   (CVE-2015-3214 qemu-kvm: qemu: i8254: out-of-bounds memory access in pit_ioport_read function [rhel-7.1.z])

[1.5.3-86.el7_1.4]
- kvm-ide-Check-array-bounds-before-writing-to-io_buffer-C.patch [bz#1243689]
- kvm-ide-atapi-Fix-START-STOP-UNIT-command-completion.patch [bz#1243689]
- kvm-ide-Clear-DRQ-after-handling-all-expected-accesses.patch [bz#1243689]
- Resolves: bz#1243689
   (EMBARGOED CVE-2015-5154 qemu-kvm: qemu: ide: atapi: heap overflow during I/O buffer memory access [rhel-7.1.z])

[1.5.3-86.el7_1.3]
- kvm-atomics-add-explicit-compiler-fence-in-__atomic-memo.patch [bz#1233643]
- Resolves: bz#1233643
   ([abrt] qemu-kvm: bdrv_error_action(): qemu-kvm killed by SIGABRT)


_______________________________________________
El-errata mailing list
El-errata@oss.oracle.com
https://oss.oracle.com/mailman/listinfo/el-errata
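
To confirm that a host is running the fixed build, compare its installed qemu-kvm packages against the 1.5.3-86.el7_1.5 version-release listed in the advisory. The following is an added example, not part of the advisory or of Oracle's tooling: it implements RPM's segment-wise version ordering in simplified form (no `~` or `^` handling, same epoch assumed) and takes NAME-VERSION-RELEASE strings as input; the function names and the sample package strings are constructed for illustration.

```python
import re

# Fixed build listed in ELSA-2015-1507 for the Oracle Linux 7 qemu-kvm packages.
FIXED_VERSION, FIXED_RELEASE = "1.5.3", "86.el7_1.5"

def _segments(s):
    # Runs of digits or letters; '.', '_' and other separators only delimit segments.
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Return -1, 0 or 1 using RPM-style segment comparison (simplified)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)              # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # a numeric segment is newer than an alphabetic one
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_patched(nvr):
    """True if a NAME-VERSION-RELEASE string is at or above the fixed build."""
    _, version, release = nvr.rsplit("-", 2)
    c = rpmvercmp(version, FIXED_VERSION)
    if c == 0:
        c = rpmvercmp(release, FIXED_RELEASE)
    return c >= 0

if __name__ == "__main__":
    # Constructed sample input, in the NAME-VERSION-RELEASE form that
    # rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' prints.
    installed = [
        "qemu-kvm-1.5.3-86.el7_1.3",
        "qemu-kvm-common-1.5.3-86.el7_1.4",
        "qemu-img-1.5.3-86.el7_1.5",
    ]
    for nvr in installed:
        print(("OK        " if is_patched(nvr) else "VULNERABLE"), nvr)
```

A running guest keeps using the old QEMU binary until its process is restarted, so updating the package alone does not protect guests that were already running.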