[RHSA-2010:0622-01] Important: rhev-hypervisor security and bug fix update

bugzilla at redhat.com bugzilla at redhat.com
Thu Aug 19 22:14:10 UTC 2010 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: rhev-hypervisor security and bug fix update
Advisory ID:       RHSA-2010:0622-01
Product:           Red Hat Enterprise Virtualization
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2010-0622.html
Issue date:        2010-08-19
CVE Names:         CVE-2010-0428 CVE-2010-0429 CVE-2010-0431 
                   CVE-2010-0435 CVE-2010-2784 CVE-2010-2811 
=====================================================================

1. Summary:

Updated rhev-hypervisor packages that fix multiple security issues and two
bugs are now available.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Virtualization Hypervisor 5 - noarch

3. Description:

The rhev-hypervisor package provides a Red Hat Enterprise Virtualization
Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor
is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes
everything necessary to run and manage virtual machines: A subset of the
Red Hat Enterprise Linux operating environment and the Red Hat Enterprise
Virtualization Agent.

Note: Red Hat Enterprise Virtualization Hypervisor is only available for
the Intel 64 and AMD64 architectures with virtualization extensions.

It was found that the libspice component of QEMU-KVM on the host did not
validate all pointers provided from a guest system's QXL graphics card
driver. A privileged guest user could use this flaw to cause the host to
dereference an invalid pointer, causing the guest to crash (denial of
service) or, possibly, resulting in the privileged guest user escalating
their privileges on the host. (CVE-2010-0428)

It was found that the libspice component of QEMU-KVM on the host could be
forced to perform certain memory management operations on memory addresses
controlled by a guest. A privileged guest user could use this flaw to crash
the guest (denial of service) or, possibly, escalate their privileges on
the host. (CVE-2010-0429)

It was found that QEMU-KVM on the host did not validate all pointers
provided from a guest system's QXL graphics card driver. A privileged guest
user could use this flaw to cause the host to dereference an invalid
pointer, causing the guest to crash (denial of service) or, possibly,
resulting in the privileged guest user escalating their privileges on the
host. (CVE-2010-0431)

A flaw was found in QEMU-KVM, allowing the guest some control over the
index used to access the callback array during sub-page MMIO
initialization. A privileged guest user could use this flaw to crash the
guest (denial of service) or, possibly, escalate their privileges on the
host. (CVE-2010-2784)

A NULL pointer dereference flaw was found when Red Hat Enterprise
Virtualization Hypervisor was run on a system that has a processor with the
Intel VT-x extension enabled. A privileged guest user could use this flaw
to trick the host into emulating a certain instruction, which could crash
the host (denial of service). (CVE-2010-0435)

A flaw was found in the way VDSM accepted SSL connections. An attacker
could trigger this flaw by creating a crafted SSL connection to VDSM,
preventing VDSM from accepting SSL connections from other users.
(CVE-2010-2811)

These updated packages provide updated components that include fixes for
security issues; however, these issues have no security impact for Red Hat
Enterprise Virtualization Hypervisor. These fixes are for avahi issues
CVE-2009-0758 and CVE-2010-2244; freetype issues CVE-2010-1797,
CVE-2010-2498, CVE-2010-2499, CVE-2010-2500, CVE-2010-2519, CVE-2010-2527,
and CVE-2010-2541; kernel issues CVE-2010-1084, CVE-2010-2066,
CVE-2010-2070, CVE-2010-2226, CVE-2010-2248, CVE-2010-2521, and
CVE-2010-2524; and openldap issues CVE-2010-0211 and CVE-2010-0212.

These updated rhev-hypervisor packages also fix two bugs. Documentation for
these bug fixes will be available shortly from
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Virtualization_for_Ser
vers/2.2/html/Technical_Notes/index.html

As Red Hat Enterprise Virtualization Hypervisor is based on KVM, the bug
fixes from the KVM update RHSA-2010:0627 have been included in this update.
Also included are the bug fixes from the VDSM update RHSA-2010:0628.

KVM: https://rhn.redhat.com/errata/RHSA-2010-0627.html
VDSM: https://rhn.redhat.com/errata/RHSA-2010-0628.html

Users of Red Hat Enterprise Virtualization Hypervisor are advised to
upgrade to these updated rhev-hypervisor packages, which resolve these
issues.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

568699 - CVE-2010-0428 libspice: Insufficient guest provided pointers validation
568701 - CVE-2010-0429 libspice: Relying on guest provided data structures to indicate memory allocation
568809 - CVE-2010-0431 qemu: Insufficient guest provided pointers validation
570528 - CVE-2010-0435 kvm: vmx null pointer dereference
619411 - CVE-2010-2784 qemu: insufficient constraints checking in exec.c:subpage_register()
622928 - CVE-2010-2811 vdsm: SSL accept() blocks on a non-blocking Connection

6. Package List:

Red Hat Enterprise Virtualization Hypervisor 5:

Source:
rhev-hypervisor-5.5-2.2.6.1.el5_5rhev2_2.src.rpm

noarch:
rhev-hypervisor-5.5-2.2.6.1.el5_5rhev2_2.noarch.rpm
rhev-hypervisor-pxe-5.5-2.2.6.1.el5_5rhev2_2.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2010-0428.html
https://www.redhat.com/security/data/cve/CVE-2010-0429.html
https://www.redhat.com/security/data/cve/CVE-2010-0431.html
https://www.redhat.com/security/data/cve/CVE-2010-0435.html
https://www.redhat.com/security/data/cve/CVE-2010-2784.html
https://www.redhat.com/security/data/cve/CVE-2010-2811.html
http://www.redhat.com/security/updates/classification/#important
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Virtualization_for_Servers/2.2/html/Technical_Notes/index.html

8. Contact:

The Red Hat security contact is <secalert at redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2010 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFMbax7XlSAg2UNWIIRAs1dAKC+Aw8pQm0UArmWQFnQy6Ils9AF4wCbBqhS
HU6TUfQpofSPFwp/iZD5XJo=
=Cr2o
-----END PGP SIGNATURE-----

More information about the rhev-watch-list mailing list