qemu-kvm-1.5.3-175.el7.3

エラータID: AXSA:2021-1371:01

Release date: 
Wednesday, February 3, 2021 - 04:47
Subject: 
qemu-kvm-1.5.3-175.el7.3
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
Moderate
Description: 

Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.

Security Fix(es):

* QEMU: loader: OOB access while loading registered ROM may lead to code execution (CVE-2020-13765)

* QEMU: reachable assertion failure in net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c (CVE-2020-16092)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* qemu-kvm FTBFS

CVE-2020-13765
rom_copy() in hw/core/loader.c in QEMU 4.0 and 4.1.0 does not validate the relationship between two addresses, which allows attackers to trigger an invalid memory copy operation.
CVE-2020-16092
In QEMU through 5.0.0, an assertion failure can occur in the network packet processing. This issue affects the e1000e and vmxnet3 network devices. A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service condition in net_tx_pkt_add_raw_fragment in hw/net/net_tx_pkt.c.

Solution: 

Update packages.

CVEs: 
CVE-2020-13765
rom_copy() in hw/core/loader.c in QEMU 4.0 and 4.1.0 does not validate the relationship between two addresses, which allows attackers to trigger an invalid memory copy operation.
CVE-2020-16092
In QEMU through 5.0.0, an assertion failure can occur in the network packet processing. This issue affects the e1000e and vmxnet3 network devices. A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service condition in net_tx_pkt_add_raw_fragment in hw/net/net_tx_pkt.c.
Additional Info: 

N/A

Download: 

SRPMS
  1. qemu-kvm-1.5.3-175.el7.3.src.rpm
    MD5: c6178622e4c0dbf5b7a0bdc7046d3536
    SHA-256: 557218f6ab112ca014dd007c7c16162ee6d408dc63efb0df9e9235db5b851e36
    Size: 14.96 MB

Asianux Server 7 for x86_64
  1. qemu-img-1.5.3-175.el7.3.x86_64.rpm
    MD5: 84afd8edad41f1303b8309909a71c5da
    SHA-256: 84a4b203bc5a83cef87ca85e2d1cc7983a85c9a05ad3914a96f569d753d9e999
    Size: 703.34 kB
  2. qemu-kvm-1.5.3-175.el7.3.x86_64.rpm
    MD5: 074ae7c198be63ad11eb39b75b406aec
    SHA-256: dad4a9cd2482110fbaa756853452413f3af04dd9ed31feb886ed56bfed213fd7
    Size: 1.91 MB
  3. qemu-kvm-common-1.5.3-175.el7.3.x86_64.rpm
    MD5: 8be1a9bb306ee3741182ce0555cd1a70
    SHA-256: f15a18b88fe308ec710ed081150cc164fa328b639ae9f339f200e720165965dd
    Size: 439.16 kB
  4. qemu-kvm-tools-1.5.3-175.el7.3.x86_64.rpm
    MD5: a0ad329c8e7a0666643de26ad40b99ee
    SHA-256: fcb2cc8f3a8673956086271dd41577b09c8e6058357c36d84e65a53f20f05e73
    Size: 237.20 kB