SUSE-SU-2015:0870-1

Source
https://www.suse.com/support/update/announcement/2015/suse-su-20150870-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2015:0870-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2015:0870-1
Related
Published
2014-09-19T14:41:45Z
Modified
2014-09-19T14:41:45Z
Summary
Security update for kvm
Details

kvm has been updated to fix issues in the embedded qemu:

* 

  CVE-2014-0223: An integer overflow flaw was found in the QEMU block
  driver for QCOW version 1 disk images. A user able to alter the QEMU
  disk image files loaded by a guest could have used this flaw to
  corrupt QEMU process memory on the host, which could potentially have
  resulted in arbitrary code execution on the host with the privileges
  of the QEMU process.

* 

  CVE-2014-3461: A user able to alter the savevm data (either on the
  disk or over the wire during migration) could have used this flaw to
  to corrupt QEMU process memory on the (destination) host, which could
  have potentially resulted in arbitrary code execution on the host
  with the privileges of the QEMU process.

* 

  CVE-2014-0222: An integer overflow flaw was found in the QEMU block
  driver for QCOW version 1 disk images. A user able to alter the QEMU
  disk image files loaded by a guest could have used this flaw to
  corrupt QEMU process memory on the host, which could have potentially
  resulted in arbitrary code execution on the host with the privileges
  of the QEMU process.

Non-security bugs fixed:

* Fix exceeding IRQ routes that could have caused freezes of guests.
  (bnc#876842)
* Fix CPUID emulation bugs that may have broken Windows guests with
  newer -cpu types (bnc#886535)

Security Issues:

* CVE-2014-0222
  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0222>
* CVE-2014-0223
  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0223>
* CVE-2014-3461
  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3461>
References

Affected packages