RHSA-2011:1531 - Security Advisory

Topic

Updated qemu-kvm packages that fix one security issue, multiple bugs, and
add various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Description

KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on AMD64 and Intel 64 systems. qemu-kvm is the user-space component
for running virtual machines using KVM.

It was found that qemu-kvm did not properly drop supplemental group
privileges when the root user started guests from the command line
("/usr/libexec/qemu-kvm") with the "-runas" option. A qemu-kvm process
started this way could use this flaw to gain access to files on the host
that are accessible to the supplementary groups and not accessible to the
primary group. (CVE-2011-2527)

Note: This issue only affected qemu-kvm when it was started directly from
the command line. It did not affect the Red Hat Enterprise Virtualization
platform or applications that start qemu-kvm via libvirt, such as the
Virtual Machine Manager (virt-manager).

This update also fixes several bugs and adds various enhancements.
Documentation for these bug fixes and enhancements will be available
shortly from the Technical Notes document, linked to in the References
section.

All users of qemu-kvm are advised to upgrade to these updated packages,
which contain backported patches to correct these issues and add these
enhancements. After installing this update, shut down all running virtual
machines. Once all virtual machines have shut down, start them again for
this update to take effect.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Workstation 6 x86_64

Fixes

• BZ - 561414 - Writes to virtual usb-storage produce I/O errors
• BZ - 599306 - Some strange behaviors on key's appearance viewed by using vnc
• BZ - 609342 - rhel3u9 install can't find package after inserting second CD, but install can continue
• BZ - 621482 - [RFE] Be able to get progress from qemu-img
• BZ - 624983 - QEMU should support the newer set of MSRs for kvmclock
• BZ - 627585 - Improve error messages for bad options in -drive and -device
• BZ - 633370 - [6.1 FEAT] Enhance QED image format to support streaming from remote systems
• BZ - 633380 - [6.2 FEAT] Include QED image format for KVM guests
• BZ - 645351 - Add support for USB 2.0 (EHCI) to QEMU
• BZ - 655719 - no error pops when change cd to non-exist file
• BZ - 656779 - Core dumped when hot plug/un-plug virtio serial port to the same chardev
• BZ - 658467 - kvm clock breaks migration result stability - for unit test propose
• BZ - 669581 - Migration Never end while Use firewall reject migration tcp port
• BZ - 676982 - RFE: no qmp command for live snapshot
• BZ - 678729 - Hotplug VF/PF with invalid addr value leading to qemu-kvm process quit with core dump
• BZ - 678731 - Update qemu-kvm -device pci-assign,? properties
• BZ - 680378 - no error message when loading zero size internal snapshot
• BZ - 681736 - Guest->Host communication stops for other ports after one port is unplugged
• BZ - 682227 - qemu-kvm doesn't exit when binding to specified port fails
• BZ - 693645 - RFE: add spice option to enable/disable copy paste
• BZ - 694373 - ballooning value reset to original value after setting a negative number
• BZ - 694378 - Core dump occurs when ballooning memory to 0
• BZ - 698537 - ide: core dump when stop/cont guest
• BZ - 700134 - [qemu-kvm] - qxl runs i/o requests synchronously
• BZ - 705070 - QMP: screendump command does not allow specification of monitor to capture
• BZ - 707130 - ACPI description of serial and parallel ports incorrect with -chardev/-device
• BZ - 709397 - virtio-serial unthrottling needs to use a bottomhalf to avoid recursion
• BZ - 710046 - qemu-kvm prints warning "Using CPU model [...]" (with patch)
• BZ - 711354 - Fix and enable enough of SCSI to make usb-storage work
• BZ - 712046 - Qemu allocates an existed macaddress to hotpluged nic
• BZ - 714773 - qemu missing marker for qemu.kvm.qemu_vmalloc
• BZ - 715017 - Report disk latency (read and write) for each storage device
• BZ - 715141 - Wrong Ethertype for RARP
• BZ - 715582 - qemu-kvm doesn't report error when supplied negative spice port value
• BZ - 717958 - qemu-kvm start vnc even though -spice ... is supplied
• BZ - 718664 - Migration from host RHEL6.1+ to host RHEL6.0.z failed with floppy
• BZ - 720237 - usb migration compatibility
• BZ - 720773 - CVE-2011-2527 qemu: when started as root, extra groups are not dropped correctly
• BZ - 720979 - do not use next as a variable name in qemu-kvm systemtap tapset
• BZ - 722728 - Update qemu-img convert/re-base man page
• BZ - 723270 - Report cdrom tray status in a monitor command such as info block
• BZ - 723858 - usb: add companion controller support
• BZ - 723863 - usb: fixes various issues.
• BZ - 723864 - usb: compile out the crap
• BZ - 723870 - tag devices without migration support
• BZ - 725565 - migration subsections are still broken
• BZ - 725625 - Hot unplug one virtio balloon device cause another balloon device unavailable
• BZ - 725965 - spice client mouse doesn't work after migration
• BZ - 726014 - Fix memleak on exit in virtio-balloon
• BZ - 726015 - Fix memleak on exit in virtio-blk
• BZ - 726020 - Fix memleaks in all virtio devices
• BZ - 726023 - Migration after hot-unplug virtio-balloon will not succeed
• BZ - 728120 - print error on usb speed mismatch between device and bus/port
• BZ - 728464 - QEMU does not honour '-no-shutdown' flag after the first shutdown attempt
• BZ - 729104 - qemu-kvm: pci needs multifunction property
• BZ - 729572 - qcow2: Loading internal snapshot can corrupt image
• BZ - 729621 - ASSERT worker->running failed on source qemu during migration with Spice session
• BZ - 729869 - qxl: primary surface not saved on migration
• BZ - 729969 - Make screendump command available in QMP
• BZ - 731759 - SPICE: migration fails with warning: error while loading state section id 4
• BZ - 732949 - Guest screen becomes abnormal after migration with spice
• BZ - 733010 - core dump when issue fdisk -l in guest which has two usb-storage attached
• BZ - 733993 - migration target can crash (assert(d->ssd.running))
• BZ - 734860 - qemu-kvm: segfault when missing host parameter for socket chardev
• BZ - 734995 - Core dump when hotplug three usb-hub into the same port under both uhci and ehci
• BZ - 735716 - QEMU should report the PID of the process that sent it signals for troubleshooting purposes
• BZ - 736975 - Qemu-kvm fails to unregister virtio-balloon-pci device when unplugging
• BZ - 737921 - Spice password on migration target expires before Spice client is connected
• BZ - 738487 - Fix termination by signal with -no-shutdown
• BZ - 738555 - Stop exposing -enable-nested
• BZ - 739480 - qemu-kvm core dumps when migration with reboot
• BZ - 740547 - qxl: migrating in vga mode causes a "panic: virtual address out of range"
• BZ - 741878 - USB tablet mouse does not work well when migrating between 6.2<->6.2 hosts and 6.1<->6.2 hosts
• BZ - 742401 - qemu-kvm disable live snapshot support
• BZ - 742458 - Tracker Bug:Big block layer backport
• BZ - 742469 - Drives can not be locked without media present
• BZ - 742476 - Make eject fail for non-removable drives even with -f
• BZ - 742480 - Don't let locked flag prevent medium load
• BZ - 742484 - should be also have snapshot on floppy
• BZ - 743269 - Hot unplug of snapshot device crashes
• BZ - 743342 - IDE CD-ROM tray state gets lost on migration
• BZ - 743391 - KVM guest limited to 40bit of physical address space
• BZ - 744518 - qemu-kvm core dumps when qxl-linux guest migrate with reboot
• BZ - 744780 - use-after-free in QEMU SCSI target code

CVEs

• CVE-2011-2527

References

• https://access.redhat.com/security/updates/classification/#moderate
• https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.2_Technical_Notes/qemu-kvm.html#RHSA-2011-1531