Security Advisory Important: qemu-kvm-rhev security update

Advisory: RHSA-2013:0610-1
Type: Security Advisory
Severity: Important
Issued on: 2013-03-07
Last updated on: 2013-03-07
Affected Products: Red Hat Enterprise Virtualization 3
CVEs (cve.mitre.org): CVE-2012-6075

Details

Updated qemu-kvm-rhev packages that fix one security issue are now
available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev packages form the
user-space component for running virtual machines using KVM.

A flaw was found in the way QEMU-KVM emulated the e1000 network interface
card when the host was configured to accept jumbo network frames but a
guest using the emulated e1000 device was not. The guest's e1000 driver
sizes its receive buffers for standard frames unless it has enabled long
packets (LPE) or store-bad-packets (SBP), so an oversized frame that the
emulator forwards unchecked overruns those buffers. A remote attacker could
use this flaw to crash the guest or, potentially, execute arbitrary code
with root privileges in the guest. (CVE-2012-6075)
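The following is an added example, not QEMU's or Red Hat's code: a small C model of the e1000 receive path that contrasts the unchecked behaviour with the size check the fixed packages enforce. The RCTL bit values and frame-size limits are my assumptions based on the Intel 8254x register layout; the 9000-byte frame and the 2048-byte guest buffer are constructed sample inputs, and the copy is clamped so the model itself never writes out of bounds.

```c
/* Added example (not QEMU's or Red Hat's code): model of the e1000 receive
 * path size check that CVE-2012-6075 was missing.
 * Assumptions (mine, not from the advisory): RCTL bit positions and the
 * frame-size limits follow the Intel 8254x register layout; buffer and
 * frame sizes are constructed sample inputs. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RCTL bits: SBP = store bad packets, LPE = long packet enable */
#define E1000_RCTL_SBP 0x00000004u
#define E1000_RCTL_LPE 0x00000020u

/* Largest frame a guest without jumbo frames expects: 1518 bytes + VLAN tag */
#define MAXIMUM_ETHERNET_VLAN_SIZE 1522u
/* Largest frame the device passes on even when LPE is set */
#define MAXIMUM_ETHERNET_LPE_SIZE  16384u

/* Constructed guest state: receive buffer sized for a non-jumbo configuration */
#define GUEST_RX_BUF_SIZE 2048u

struct e1000_model {
    uint32_t rctl;                          /* RCTL as programmed by the guest */
    uint8_t  guest_rx_buf[GUEST_RX_BUF_SIZE];
    size_t   bytes_delivered;               /* bytes handed to the guest */
    unsigned frames_dropped;
};

/* The check the fix introduces: a frame longer than a non-jumbo guest expects
 * is only delivered if the guest opted in with LPE (up to the LPE maximum)
 * or asked for everything with SBP. */
static bool e1000_rx_size_ok(uint32_t rctl, size_t size)
{
    bool over_lpe_max = size > MAXIMUM_ETHERNET_LPE_SIZE;
    bool over_std_max = size > MAXIMUM_ETHERNET_VLAN_SIZE &&
                        !(rctl & E1000_RCTL_LPE);
    if ((over_lpe_max || over_std_max) && !(rctl & E1000_RCTL_SBP))
        return false;
    return true;
}

/* Vulnerable behaviour, modelled: the device trusts the frame length and
 * writes all of it toward the guest buffer. Returns how many bytes would
 * land past the end of that buffer; non-zero means an overflow. The memcpy
 * is clamped so this model stays memory-safe. */
static size_t e1000_receive_unchecked(struct e1000_model *s,
                                      const uint8_t *frame, size_t size)
{
    size_t fits = size < sizeof s->guest_rx_buf ? size : sizeof s->guest_rx_buf;
    memcpy(s->guest_rx_buf, frame, fits);
    s->bytes_delivered += size;
    return size - fits;
}

/* Hardened behaviour: frames the guest did not opt into are dropped. */
static size_t e1000_receive_checked(struct e1000_model *s,
                                    const uint8_t *frame, size_t size)
{
    if (!e1000_rx_size_ok(s->rctl, size)) {
        s->frames_dropped++;
        return 0;                           /* nothing written to the guest */
    }
    return e1000_receive_unchecked(s, frame, size);
}

/* Scenario from the advisory: host accepts jumbo frames, guest has set
 * neither LPE nor SBP, and a 9000-byte frame (constructed) arrives.
 * Returns the number of bytes written past the guest buffer. */
static size_t jumbo_frame_overflow(bool hardened)
{
    static uint8_t frame[9000];
    struct e1000_model s = { .rctl = 0 };
    memset(frame, 0x41, sizeof frame);
    return hardened ? e1000_receive_checked(&s, frame, sizeof frame)
                    : e1000_receive_unchecked(&s, frame, sizeof frame);
}

int main(void)
{
    printf("unchecked: %zu bytes past guest buffer\n", jumbo_frame_overflow(false));
    printf("checked:   %zu bytes past guest buffer\n", jumbo_frame_overflow(true));
    return 0;
}
```

The condition in e1000_rx_size_ok is the whole fix: the host's willingness to accept jumbo frames is irrelevant once the device refuses to forward anything the guest's RCTL settings did not ask for.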

All users of qemu-kvm-rhev are advised to upgrade to these updated
packages, which correct this issue. After installing this update, shut down
all running virtual machines. Once all virtual machines have shut down,
start them again for this update to take effect. A reboot from inside a
guest is not sufficient: the running qemu-kvm process keeps the old
binary until the guest is powered off and started again.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

Red Hat Enterprise Virtualization 3

SRPMS:
qemu-kvm-rhev-0.12.1.2-2.355.el6_4.2.src.rpm
    File outdated by: RHBA-2014:0357
    MD5: dde1b15ae171b5b902372ad09aeefe29
    SHA-256: cb0c7dd4708424fff64c2c0ca4f30a0055420fcee9f40da122619adea1e2969a

x86_64:
qemu-img-rhev-0.12.1.2-2.355.el6_4.2.x86_64.rpm
    File outdated by: RHBA-2014:0357
    MD5: cabf16cbb3ef797c3a088e3ac7552060
    SHA-256: 7cd04acf89fef4210b94ab1c74beee38e37763cdd8ab29d38264fd73543637d9
qemu-kvm-rhev-0.12.1.2-2.355.el6_4.2.x86_64.rpm
    File outdated by: RHBA-2014:0357
    MD5: a1c954aea995c7a9eccf0bc88e488e28
    SHA-256: c47df072bf2986eb5aca2f640d558f83a7d8858ea959a204abfa9ac30d67a9c9
qemu-kvm-rhev-debuginfo-0.12.1.2-2.355.el6_4.2.x86_64.rpm
    File outdated by: RHBA-2014:0357
    MD5: ad46f7d0813b7158e6cd41f4f06ebba0
    SHA-256: 7b30f21cbf42ff8241752580d8b3284f20f733a110344ca76b5374b29faf41f9
qemu-kvm-rhev-tools-0.12.1.2-2.355.el6_4.2.x86_64.rpm
    File outdated by: RHBA-2014:0357
    MD5: b31d1828ff313fc0e31925e3c25bbdcc
    SHA-256: ddeaff00f1dae97caa54131e5df47eae492590ffc33706001223f251900cc8b9

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

889301 - CVE-2012-6075 qemu: e1000 driver buffer overflow when processing large packets when SBP and LPE flags are disabled


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/