CentOS Project: CESA-2014:0927

libcacard, qemu security update

2014-07-25 13:23:24
CentOS Project
lists.centos.org

CVSS3: 8.8 High
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS2: 7.5 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.079 Low (percentile 94.2%)

CentOS Errata and Security Advisory CESA-2014:0927

KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the
user-space component for running virtual machines using KVM.

Two integer overflow flaws were found in the QEMU block driver for QCOW
version 1 disk images. A user able to alter the QEMU disk image files
loaded by a guest could use either of these flaws to corrupt QEMU process
memory on the host, which could potentially result in arbitrary code
execution on the host with the privileges of the QEMU process.
(CVE-2014-0222, CVE-2014-0223)
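The flaw class above is a header field that is trusted in a size computation. As an added illustration (not part of this advisory and not QEMU's own code), the following validator parses a QCOW version 1 header and rejects any image whose fields would drive a fixed-width size computation out of range before the image is handed to a hypervisor. The header layout is the QCOW1 on-disk format; the bounds (cluster and L2 bits of 9 to 16, a 1023-byte backing-file name, a 32 MiB cap on the L1 table) are assumed limits chosen for this example, and `build_qcow1_header` only constructs test data.

```python
"""Validate a QCOW version 1 image header before trusting its size fields.

Added example, not QEMU code. Layout: the 48-byte big-endian QCOW1 header.
The limits below are assumptions for this illustration, chosen so that every
derived table size stays far inside 32/64-bit arithmetic.
"""
import struct

QCOW_MAGIC = 0x514649FB                    # "QFI\xfb"
HEADER_FMT = ">IIQIIQBBHIQ"                # big-endian, no padding
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 48 bytes
FIELDS = ("magic", "version", "backing_file_offset", "backing_file_size",
          "mtime", "size", "cluster_bits", "l2_bits", "padding",
          "crypt_method", "l1_table_offset")

# Assumed bounds for this example (512 B .. 64 KiB clusters, L2 tables of at
# most 64Ki entries, 1023-byte backing-file name, L1 table capped at 32 MiB).
MIN_BITS, MAX_BITS = 9, 16
MAX_BACKING_NAME = 1023
MAX_L1_BYTES = 32 * 1024 * 1024
INT64_MAX = (1 << 63) - 1


class QcowHeaderError(ValueError):
    """Raised when a header must not be trusted."""


def parse_qcow1_header(data):
    """Unpack the raw header fields into a dict; no validation yet."""
    if len(data) < HEADER_LEN:
        raise QcowHeaderError("short header")
    return dict(zip(FIELDS, struct.unpack_from(HEADER_FMT, data)))


def validate_qcow1_header(data, file_len):
    """Parse and bound-check the header of an image of file_len bytes."""
    h = parse_qcow1_header(data)
    if h["magic"] != QCOW_MAGIC or h["version"] != 1:
        raise QcowHeaderError("not a QCOW version 1 image")
    for name in ("cluster_bits", "l2_bits"):
        if not MIN_BITS <= h[name] <= MAX_BITS:
            raise QcowHeaderError(f"{name}={h[name]} out of range")
    if h["size"] > INT64_MAX or h["size"] % 512:
        raise QcowHeaderError("implausible virtual disk size")
    # Derived sizes are computed with Python's unbounded ints and then bounded
    # explicitly; a C implementation computes the same values in fixed width,
    # which is exactly where an unchecked header field can wrap.
    shift = h["cluster_bits"] + h["l2_bits"]      # bytes covered per L1 entry
    l1_entries = (h["size"] + (1 << shift) - 1) >> shift
    l1_bytes = l1_entries * 8                     # 8-byte L1 entries
    l2_bytes = 8 << h["l2_bits"]                  # one L2 table
    if l1_bytes > MAX_L1_BYTES:
        raise QcowHeaderError("L1 table too large")
    if h["l1_table_offset"] + l1_bytes > file_len:
        raise QcowHeaderError("L1 table lies outside the file")
    if h["backing_file_size"] > MAX_BACKING_NAME:
        raise QcowHeaderError("backing file name too long")
    if h["backing_file_size"] and (
            h["backing_file_offset"] + h["backing_file_size"] > file_len):
        raise QcowHeaderError("backing file name lies outside the file")
    h["l1_bytes"], h["l2_bytes"] = l1_bytes, l2_bytes
    return h


def build_qcow1_header(size, cluster_bits=12, l2_bits=9, backing_file_size=0,
                       backing_file_offset=0, l1_table_offset=HEADER_LEN):
    """Constructed sample header for testing; not a real disk image."""
    return struct.pack(HEADER_FMT, QCOW_MAGIC, 1, backing_file_offset,
                       backing_file_size, 0, size, cluster_bits, l2_bits,
                       0, 0, l1_table_offset)


def check_image(data):
    """Return (ok, detail) for a byte string holding a whole image file."""
    try:
        h = validate_qcow1_header(data, len(data))
        return True, f"ok: {h['size']} bytes virtual, L1 {h['l1_bytes']} bytes"
    except QcowHeaderError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed inputs: a sane 64 MiB image and one with an absurd l2_bits.
    good = build_qcow1_header(64 * 1024 * 1024) + b"\0" * 4096
    bad = build_qcow1_header(64 * 1024 * 1024, l2_bits=40) + b"\0" * 4096
    print(check_image(good))
    print(check_image(bad))
```

The order of the checks matters: the bit-width fields are bounded first, so that the shift and table-size computations that follow are already known to be small before they are evaluated. Running this over a directory of guest images before they are attached is a cheap pre-flight for an image store that accepts uploads from tenants.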

Multiple buffer overflow, input validation, and out-of-bounds write flaws
were found in the way virtio, virtio-net, virtio-scsi, usb, and hpet
drivers of QEMU handled state loading after migration. A user able to alter
the savevm data (either on the disk or over the wire during migration)
could use any of these flaws to corrupt QEMU process memory on the
(destination) host, which could potentially result in arbitrary code
execution on the host with the privileges of the QEMU process.
(CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151, CVE-2013-4527,
CVE-2013-4529, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542,
CVE-2013-6399, CVE-2014-0182, CVE-2014-3461)

These issues were discovered by Michael S. Tsirkin, Anthony Liguori and
Michael Roth of Red Hat: CVE-2013-4148, CVE-2013-4149, CVE-2013-4150,
CVE-2013-4151, CVE-2013-4527, CVE-2013-4529, CVE-2013-4535, CVE-2013-4536,
CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, and
CVE-2014-3461.

This update also fixes the following bugs:

  • Previously, QEMU did not free pre-allocated zero clusters correctly and
    the clusters under some circumstances leaked. With this update,
    pre-allocated zero clusters are freed appropriately and the cluster leaks
    no longer occur. (BZ#1110188)

  • Prior to this update, the QEMU command interface did not properly handle
    resizing of cache memory during guest migration, causing QEMU to terminate
    unexpectedly with a segmentation fault. This update fixes the related code
    and QEMU no longer crashes in the described situation. (BZ#1110191)

  • Previously, when a guest device was hot unplugged, QEMU correctly removed
    the corresponding file descriptor watch but did not re-create it after the
    device was re-connected. As a consequence, the guest became unable to
    receive any data from the host over this device. With this update, the file
    descriptor’s watch is re-created and the guest in the above scenario can
    communicate with the host as expected. (BZ#1110219)

  • Previously, the QEMU migration code did not account for the gaps caused
    by hot unplugged devices and thus expected more memory to be transferred
    during migrations. As a consequence, guest migration failed to complete
    after multiple devices were hot unplugged. In addition, the migration info
    text displayed erroneous values for the “remaining ram” item. With this
    update, QEMU calculates memory after a device has been unplugged correctly,
    and any subsequent guest migrations proceed as expected. (BZ#1110189)

All qemu-kvm users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing this
update, shut down all running virtual machines. Once all virtual machines
have shut down, start them again for this update to take effect.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2014-July/082609.html

Affected packages:
libcacard
libcacard-devel
libcacard-tools
qemu-guest-agent
qemu-img
qemu-kvm
qemu-kvm-common
qemu-kvm-tools

Upstream details at:
https://access.redhat.com/errata/RHSA-2014:0927
