RHSA-2015:0868 - Security Advisory

Overview
Updated Packages

Synopsis

Important: qemu-kvm-rhev security and bug fix update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated qemu-kvm-rhev packages that fix one security issue and one bug are
now available for Red Hat Enterprise Virtualization.

Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

Description

KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the
user-space component for running virtual machines using KVM in environments
managed by Red Hat Enterprise Virtualization Manager.

It was found that the Cirrus blit region checks were insufficient. A
privileged guest user could use this flaw to write outside of
VRAM-allocated buffer boundaries in the host's QEMU process address space
with attacker-provided data. (CVE-2014-8106)

This issue was discovered by Paolo Bonzini of Red Hat.

This update also fixes the following bug:

Previously, the effective downtime during the last phase of a live

migration would sometimes be much higher than the maximum downtime
specified by 'migration_downtime' in vdsm.conf. This problem has been
corrected. The value of 'migration_downtime' is now honored and the
migration is aborted if the downtime cannot be achieved. (BZ#1142756)

All users of qemu-kvm-rhev are advised to upgrade to these updated
packages, which contain a backported patch to correct this issue. After
installing this update, shut down all running virtual machines. Once all
virtual machines have shut down, start them again for this update to take
effect.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Virtualization 3 for RHEL 6 x86_64

Fixes

BZ - 1169454 - CVE-2014-8106 qemu: cirrus: insufficient blit region checks

CVEs

CVE-2014-8106

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Virtualization 3 for RHEL 6

SRPM
qemu-kvm-rhev-0.12.1.2-2.448.el6_6.2.src.rpm	SHA-256: 7a1442d99ffa8bda8b8f31c3649407a043ca781eaaaddc0554dc3f3dade072a0
x86_64
qemu-img-rhev-0.12.1.2-2.448.el6_6.2.x86_64.rpm	SHA-256: 698844f500d9a30a1453d9dd1583b28fba0cae8a0b300fd2a84525caa9494e05
qemu-kvm-rhev-0.12.1.2-2.448.el6_6.2.x86_64.rpm	SHA-256: a11888aaeeae64bac2daeb0e1b859e35a9a11a929b7421b42fe63ac78befd6ad
qemu-kvm-rhev-debuginfo-0.12.1.2-2.448.el6_6.2.x86_64.rpm	SHA-256: d579821c725fe3a7a6a6719c4395b53edc0286acd1b8629054001a2a80526183
qemu-kvm-rhev-tools-0.12.1.2-2.448.el6_6.2.x86_64.rpm	SHA-256: 945821d5a5eb8d33bdc16dfa5805f01b48601491c091b0f9b9ab4d9667e4f478

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation