Ubuntu Security Notice USN-6167-1

Packet Storm

==========================================================================
Ubuntu Security Notice USN-6167-1
June 19, 2023

qemu vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 23.04
  • Ubuntu 22.10
  • Ubuntu 22.04 LTS
  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS (Available with Ubuntu Pro)
  • Ubuntu 16.04 LTS (Available with Ubuntu Pro)
  • Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in QEMU.

Software Description:

  • qemu: Machine emulator and virtualizer

Details:

It was discovered that QEMU did not properly manage the guest drivers when
shared buffers are not allocated. A malicious guest driver could use this
issue to cause QEMU to crash, resulting in a denial of service, or possibly
execute arbitrary code. This issue only affected Ubuntu 20.04 LTS, Ubuntu
22.04 LTS and Ubuntu 22.10. (CVE-2022-1050)

It was discovered that QEMU did not properly check the size of the
structure pointed to by the guest physical address pqxl. A malicious guest
attacker could use this issue to cause QEMU to crash, resulting in a denial
of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS,
Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 22.10.
(CVE-2022-4144)

It was discovered that QEMU did not properly manage memory in the ACPI
Error Record Serialization Table (ERST) device. A malicious guest attacker
could use this issue to cause QEMU to crash, resulting in a denial of
service. This issue only affected Ubuntu 22.10. (CVE-2022-4172)

It was discovered that QEMU did not properly manage memory when DMA memory
writes happen repeatedly in the lsi53c895a device. A malicious guest
attacker could use this issue to cause QEMU to crash, resulting in a denial
of service. (CVE-2023-0330)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.04:
qemu-guest-agent 1:7.2+dfsg-5ubuntu2.2
qemu-system 1:7.2+dfsg-5ubuntu2.2
qemu-system-arm 1:7.2+dfsg-5ubuntu2.2
qemu-system-common 1:7.2+dfsg-5ubuntu2.2
qemu-system-data 1:7.2+dfsg-5ubuntu2.2
qemu-system-gui 1:7.2+dfsg-5ubuntu2.2
qemu-system-mips 1:7.2+dfsg-5ubuntu2.2
qemu-system-misc 1:7.2+dfsg-5ubuntu2.2
qemu-system-ppc 1:7.2+dfsg-5ubuntu2.2
qemu-system-s390x 1:7.2+dfsg-5ubuntu2.2
qemu-system-sparc 1:7.2+dfsg-5ubuntu2.2
qemu-system-x86 1:7.2+dfsg-5ubuntu2.2
qemu-system-x86-xen 1:7.2+dfsg-5ubuntu2.2
qemu-system-xen 1:7.2+dfsg-5ubuntu2.2

Ubuntu 22.10:
qemu-guest-agent 1:7.0+dfsg-7ubuntu2.6
qemu-system 1:7.0+dfsg-7ubuntu2.6
qemu-system-arm 1:7.0+dfsg-7ubuntu2.6
qemu-system-common 1:7.0+dfsg-7ubuntu2.6
qemu-system-data 1:7.0+dfsg-7ubuntu2.6
qemu-system-gui 1:7.0+dfsg-7ubuntu2.6
qemu-system-mips 1:7.0+dfsg-7ubuntu2.6
qemu-system-misc 1:7.0+dfsg-7ubuntu2.6
qemu-system-ppc 1:7.0+dfsg-7ubuntu2.6
qemu-system-s390x 1:7.0+dfsg-7ubuntu2.6
qemu-system-sparc 1:7.0+dfsg-7ubuntu2.6
qemu-system-x86 1:7.0+dfsg-7ubuntu2.6
qemu-system-x86-xen 1:7.0+dfsg-7ubuntu2.6
qemu-system-xen 1:7.0+dfsg-7ubuntu2.6

Ubuntu 22.04 LTS:
qemu 1:6.2+dfsg-2ubuntu6.11
qemu-guest-agent 1:6.2+dfsg-2ubuntu6.11
qemu-system 1:6.2+dfsg-2ubuntu6.11
qemu-system-arm 1:6.2+dfsg-2ubuntu6.11
qemu-system-common 1:6.2+dfsg-2ubuntu6.11
qemu-system-data 1:6.2+dfsg-2ubuntu6.11
qemu-system-gui 1:6.2+dfsg-2ubuntu6.11
qemu-system-mips 1:6.2+dfsg-2ubuntu6.11
qemu-system-misc 1:6.2+dfsg-2ubuntu6.11
qemu-system-ppc 1:6.2+dfsg-2ubuntu6.11
qemu-system-s390x 1:6.2+dfsg-2ubuntu6.11
qemu-system-sparc 1:6.2+dfsg-2ubuntu6.11
qemu-system-x86 1:6.2+dfsg-2ubuntu6.11
qemu-system-x86-microvm 1:6.2+dfsg-2ubuntu6.11
qemu-system-x86-xen 1:6.2+dfsg-2ubuntu6.11

Ubuntu 20.04 LTS:
qemu 1:4.2-3ubuntu6.27
qemu-guest-agent 1:4.2-3ubuntu6.27
qemu-kvm 1:4.2-3ubuntu6.27
qemu-system 1:4.2-3ubuntu6.27
qemu-system-arm 1:4.2-3ubuntu6.27
qemu-system-common 1:4.2-3ubuntu6.27
qemu-system-data 1:4.2-3ubuntu6.27
qemu-system-gui 1:4.2-3ubuntu6.27
qemu-system-mips 1:4.2-3ubuntu6.27
qemu-system-misc 1:4.2-3ubuntu6.27
qemu-system-ppc 1:4.2-3ubuntu6.27
qemu-system-s390x 1:4.2-3ubuntu6.27
qemu-system-sparc 1:4.2-3ubuntu6.27
qemu-system-x86 1:4.2-3ubuntu6.27
qemu-system-x86-microvm 1:4.2-3ubuntu6.27
qemu-system-x86-xen 1:4.2-3ubuntu6.27

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
qemu 1:2.11+dfsg-1ubuntu7.42+esm1
qemu-guest-agent 1:2.11+dfsg-1ubuntu7.42+esm1
qemu-kvm 1:2.11+dfsg-1ubuntu7.42+esm1
qemu-system 1:2.11+dfsg-1ubuntu7.42+esm1
qemu-system-arm 1:2.11+dfsg-1ubuntu7.42+esm1
qemu-system-common 1:2.11+dfsg-1ubuntu7.42+esm1
qemu-system-mips 1:2.11+dfsg-1ubuntu7.42+esm1
qemu-system-misc 1:2.11+dfsg-1ubuntu7.42+esm1
qemu-system-ppc 1:2.11+dfsg-1ubuntu7.42+esm1
qemu-system-s390x 1:2.11+dfsg-1ubuntu7.42+esm1
qemu-system-sparc 1:2.11+dfsg-1ubuntu7.42+esm1
qemu-system-x86 1:2.11+dfsg-1ubuntu7.42+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
qemu 1:2.5+dfsg-5ubuntu10.51+esm2
qemu-guest-agent 1:2.5+dfsg-5ubuntu10.51+esm2
qemu-kvm 1:2.5+dfsg-5ubuntu10.51+esm2
qemu-system 1:2.5+dfsg-5ubuntu10.51+esm2
qemu-system-aarch64 1:2.5+dfsg-5ubuntu10.51+esm2
qemu-system-arm 1:2.5+dfsg-5ubuntu10.51+esm2
qemu-system-common 1:2.5+dfsg-5ubuntu10.51+esm2
qemu-system-mips 1:2.5+dfsg-5ubuntu10.51+esm2
qemu-system-misc 1:2.5+dfsg-5ubuntu10.51+esm2
qemu-system-ppc 1:2.5+dfsg-5ubuntu10.51+esm2
qemu-system-s390x 1:2.5+dfsg-5ubuntu10.51+esm2
qemu-system-sparc 1:2.5+dfsg-5ubuntu10.51+esm2
qemu-system-x86 1:2.5+dfsg-5ubuntu10.51+esm2

Ubuntu 14.04 LTS (Available with Ubuntu Pro):
qemu 2.0.0+dfsg-2ubuntu1.47+esm3
qemu-common 2.0.0+dfsg-2ubuntu1.47+esm3
qemu-guest-agent 2.0.0+dfsg-2ubuntu1.47+esm3
qemu-kvm 2.0.0+dfsg-2ubuntu1.47+esm3
qemu-system 2.0.0+dfsg-2ubuntu1.47+esm3
qemu-system-aarch64 2.0.0+dfsg-2ubuntu1.47+esm3
qemu-system-arm 2.0.0+dfsg-2ubuntu1.47+esm3
qemu-system-common 2.0.0+dfsg-2ubuntu1.47+esm3
qemu-system-mips 2.0.0+dfsg-2ubuntu1.47+esm3
qemu-system-misc 2.0.0+dfsg-2ubuntu1.47+esm3
qemu-system-ppc 2.0.0+dfsg-2ubuntu1.47+esm3
qemu-system-sparc 2.0.0+dfsg-2ubuntu1.47+esm3
qemu-system-x86 2.0.0+dfsg-2ubuntu1.47+esm3
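
To check a fleet against the fixed versions listed above, the comparison has to follow Debian version ordering (epoch, numeric runs, "+esm" suffixes) rather than plain string order. The following is an added example, not part of the notice; the host names and installed versions in SAMPLE are constructed, and on a single host `dpkg --compare-versions` gives the same answer.

```python
import re

# Fixed versions copied from the notice above, keyed by Ubuntu release.
FIXED = {
    "23.04": "1:7.2+dfsg-5ubuntu2.2",
    "22.10": "1:7.0+dfsg-7ubuntu2.6",
    "22.04": "1:6.2+dfsg-2ubuntu6.11",
    "20.04": "1:4.2-3ubuntu6.27",
    "18.04": "1:2.11+dfsg-1ubuntu7.42+esm1",
    "16.04": "1:2.5+dfsg-5ubuntu10.51+esm2",
    "14.04": "2.0.0+dfsg-2ubuntu1.47+esm3",
}
# Constructed inventory: (host, release, installed qemu-system-x86 version).
SAMPLE = [
    ("hv-a", "22.04", "1:6.2+dfsg-2ubuntu6.11"),   # already at the fixed version
    ("hv-b", "20.04", "1:4.2-3ubuntu6.9"),         # 9 < 27 numerically
    ("hv-c", "18.04", "1:2.11+dfsg-1ubuntu7.42"),  # lacks the +esm1 update
]

def _order(c):
    # dpkg character order: '~' sorts before end of string (0), letters before symbols
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit runs (character order) and digit runs (numeric)
    while a or b:
        na, da, a = re.match(r"(\D*)(\d*)(.*)", a, re.S).groups()
        nb, db, b = re.match(r"(\D*)(\d*)(.*)", b, re.S).groups()
        n = max(len(na), len(nb))
        ka = ([_order(c) for c in na] + [0] * (n - len(na)), int(da or 0))
        kb = ([_order(c) for c in nb] + [0] * (n - len(nb)), int(db or 0))
        if ka != kb:
            return -1 if ka < kb else 1
    return 0

def split_version(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def deb_compare(a, b):
    (ea, ua, ra), (eb, ub, rb) = split_version(a), split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def audit(inventory):
    # Hosts whose installed version sorts below the fixed version for their release
    return [h for h, rel, ver in inventory if deb_compare(ver, FIXED[rel]) < 0]
```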

After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.
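
A guest started before the upgrade keeps running the old QEMU binary until it is restarted. The following added example (not part of the notice) finds such processes by looking for /proc/PID/exe links that Linux marks " (deleted)"; it assumes the emulator binaries are named "qemu-*", and the sample process tree is constructed.

```python
import os
import tempfile

def stale_qemu_pids(proc_root="/proc"):
    """Return [(pid, exe_link)] for QEMU processes whose on-disk binary was replaced."""
    stale = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or insufficient privilege
        # Linux appends " (deleted)" once the file the process was started from is
        # unlinked, which is what a package upgrade does to the old binary.
        if exe.endswith(" (deleted)") and os.path.basename(exe).startswith("qemu-"):
            stale.append((int(entry), exe))
    return sorted(stale)

def build_sample_proc(root):
    """Constructed stand-in for /proc: two QEMU guests and one unrelated process."""
    links = {
        "1201": "/usr/bin/qemu-system-x86_64 (deleted)",  # started before the upgrade
        "1344": "/usr/bin/qemu-system-x86_64",            # restarted after the upgrade
        "977": "/usr/sbin/sshd",
    }
    for pid, target in links.items():
        os.makedirs(os.path.join(root, pid))
        os.symlink(target, os.path.join(root, pid, "exe"))
    os.makedirs(os.path.join(root, "self"))  # non-numeric entries are skipped
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print("constructed sample:", stale_qemu_pids(build_sample_proc(tmp)))
    # Reading other users' exe links on a real host requires root.
    print("this host:", stale_qemu_pids())
```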

References:
https://ubuntu.com/security/notices/USN-6167-1
CVE-2022-1050, CVE-2022-4144, CVE-2022-4172, CVE-2023-0330

Package Information:
https://launchpad.net/ubuntu/+source/qemu/1:7.2+dfsg-5ubuntu2.2
https://launchpad.net/ubuntu/+source/qemu/1:7.0+dfsg-7ubuntu2.6
https://launchpad.net/ubuntu/+source/qemu/1:6.2+dfsg-2ubuntu6.11
https://launchpad.net/ubuntu/+source/qemu/1:4.2-3ubuntu6.27

Related news

Gentoo Linux Security Advisory 202408-18

Gentoo Linux Security Advisory 202408-18 - Multiple vulnerabilities have been discovered in QEMU, the worst of which could lead to a denial of service. Versions greater than or equal to 8.0.0 are affected.

CVE-2023-45085: Releases - HyperCloud Docs

An issue exists in SoftIron HyperCloud where compute nodes may come online immediately without following the correct initialization process.  In this instance, workloads may be scheduled on these nodes and deploy to a failed or erroneous state, which impacts the availability of these workloads that may be deployed during this time window. This issue impacts HyperCloud versions from 2.0.0 to before 2.0.3.

RHSA-2023:2162: Red Hat Security Advisory: qemu-kvm security, bug fix, and enhancement update

An update for qemu-kvm is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3165: An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the extended format. A malicious client could use this flaw to make QEMU unresponsive by sending a specially crafted payload message, resulting in a denial of service. * CVE-2022-4172: Integer overflow and buffer overflow issues were found in...

CVE-2023-0330: [PATCH] scsi/lsi53c895a: restrict DMA engine to memory regions (CVE-2023

A vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free.

Red Hat Security Advisory 2023-0432-01

Red Hat Security Advisory 2023-0432-01 - Kernel-based Virtual Machine offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems. Issues addressed include an out of bounds read vulnerability.

RHSA-2023:0432: Red Hat Security Advisory: virt:rhel and virt-devel:rhel security and bug fix update

An update for the virt:rhel and virt-devel:rhel modules is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-4144: QEMU: QXL: qxl_phys2virt unsafe address translation can lead to out-of-bounds read

Red Hat Security Advisory 2023-0099-01

Red Hat Security Advisory 2023-0099-01 - Kernel-based Virtual Machine offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems. Issues addressed include an out of bounds read vulnerability.

RHSA-2023:0099: Red Hat Security Advisory: virt:rhel and virt-devel:rhel security and bug fix update

An update for the virt:rhel and virt-devel:rhel modules is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-4144: QEMU: QXL: qxl_phys2virt unsafe address translation can lead to out-of-bounds read

CVE-2022-4172: hw/acpi/erst.c: Fix memory handling issues (defb7098) · Commits · QEMU / QEMU · GitLab

Integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions. Both issues may allow the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest could use these flaws to crash the QEMU process on the host.

CVE-2022-4144: Invalid Bug ID

An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt() function does not check the size of the structure pointed to by the guest physical address, potentially reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to crash the QEMU process on the host causing a denial of service condition.

CVE-2022-1050: Invalid Bug ID

A flaw was found in the QEMU implementation of VMware's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition.
