Nome do pacote
qemu
Data
2013-04-10
ID Alerta
MDVSA-2013:121
Versões afetadas
MBS1 x86_64

Descrição do problema

Updated qemu packages fix security vulnerability:

A flaw was found in how qemu, in snapshot mode (-snapshot command
line argument), handled the creation and opening of the temporary
file used to store the difference of the virtualized guest's read-only
image and the current state. In snapshot mode, bdrv_open() creates an
empty temporary file without checking for any mkstemp() or close()
failures; it also ignores the possibility of a buffer overrun
given an exceptionally long /tmp. Because qemu re-opens that file
after creation, it is possible to race qemu and insert a symbolic
link with the same expected name as the temporary file, pointing
to an attacker-chosen file. This can be used to either overwrite
the destination file with the privileges of the user running qemu
(typically root), or to point to an attacker-readable file that could
expose data from the guest to the attacker (CVE-2012-2652).

A flaw was found in the way QEMU handled VT100 terminal escape
sequences when emulating certain character devices. A guest user
with privileges to write to a character device that is emulated on
the host using a virtual console back-end could use this flaw to
crash the qemu-kvm process on the host or, possibly, escalate their
privileges on the host (CVE-2012-3515).

It was discovered that the e1000 emulation code in QEMU does not
enforce frame size limits in the same way as the real hardware
does. This could trigger buffer overflows in the guest operating system
driver for that network card, assuming that the host system does not
discard such frames (which it will by default) (CVE-2012-6075).

Pacotes atualizados

MBS1 x86_64

 2077322ff415a0f63921650be5b4d7fa  mbs1/x86_64/qemu-1.0-8.1.mbs1.x86_64.rpm
 a4741d08a3dedd1007296ac535ecce83  mbs1/x86_64/qemu-img-1.0-8.1.mbs1.x86_64.rpm 
 4e9cead8b0e57eec5c5e36abf0318efa  mbs1/SRPMS/qemu-1.0-8.1.mbs1.src.rpm

Referências