qemu security update

2016-08-09T20:30:28
ID CESA-2016:1585
Type centos
Reporter CentOS Project
Modified 2016-08-09T20:30:28

Description

CentOS Errata and Security Advisory CESA-2016:1585

KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide the user-space component for running virtual machines using KVM.

Security Fix(es):

  • Quick emulator(Qemu) built with the virtio framework is vulnerable to an unbounded memory allocation issue. It was found that a malicious guest user could submit more requests than the virtqueue size permits. Processing a request allocates a VirtQueueElement and therefore causes unbounded memory allocation on the host controlled by the guest. (CVE-2016-5403)

Red Hat would like to thank hongzhenhao (Marvel Team) for reporting this issue.

Merged security bulletin from advisories: http://lists.centos.org/pipermail/centos-announce/2016-August/034068.html

Affected packages: qemu-guest-agent qemu-img qemu-kvm qemu-kvm-tools

Upstream details at: https://rhn.redhat.com/errata/RHSA-2016-1585.html