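QEMU 'hw/display/cirrus_vga.c' Remote Code Execution Vulnerability (CVE-2017-2615)
Vulnerability Description
QEMU is an open-source emulator.
When QEMU is built with support for the Cirrus CLGD 54xx VGA emulator, a flaw exists in the bitblt copy of VGA data in backward mode. It can cause out-of-bounds memory access, leading to information disclosure or privilege escalation.
Solution
The following are the security advisories published by each Linux/Unix distribution for this vulnerability. Refer to the advisory for your system to fix the vulnerability: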
Ubuntu
----------------
USN-3261-1: [USN-3261-1] QEMU vulnerabilities
Link: https://www.ubuntu.com/usn/usn-3261-1
Red Hat Enterprise Linux
----------------
Link: https://access.redhat.com/security/cve/CVE-2017-2615
CentOS
----------------
CESA-2017:0396: CESA-2017:0396 Important CentOS 7 qemu-kvm Security Update
Link: https://lists.centos.org/pipermail/centos-announce/2017-March/022321.html
CESA-2017:0454: CESA-2017:0454 Important CentOS 5 kvm Security Update
Link: https://lists.centos.org/pipermail/centos-announce/2017-March/022325.html
CESA-2017:0309: CESA-2017:0309 Important CentOS 6 qemu-kvm Security Update
Link: https://lists.centos.org/pipermail/centos-announce/2017-February/022287.html
Gentoo
----------------
GLSA-201702-28: QEMU: Multiple vulnerabilities
Link: https://security.gentoo.org/glsa/201702-28
GLSA-201702-27: Xen: Multiple vulnerabilities
Link: https://security.gentoo.org/glsa/201702-27
FreeBSD
----------------
a73aba9a-effe-11e6-ae1b-002590263bf5: xen-tools -- oob access in cirrus bitblt copy
Link: http://vuxml.freebsd.org/freebsd/a73aba9a-effe-11e6-ae1b-002590263bf5.html
openSUSE
----------------
openSUSE-SU-2017:0707-1: openSUSE Security Update: Security update for qemu
Link: https://lists.opensuse.org/opensuse-security-announce/2017-03/msg00011.html
openSUSE-SU-2017:0665-1: openSUSE Security Update: Security update for xen
Link: https://lists.opensuse.org/opensuse-security-announce/2017-03/msg00008.html
openSUSE-SU-2017:1312-1: openSUSE Security Update: Security update for qemu
Link: https://lists.opensuse.org/opensuse-updates/2017-05/msg00058.html
SUSE
----------------
Link: https://www.suse.com/security/cve/CVE-2017-2615/
Fedora
----------------
FEDORA-2017-62ac1230f7: Fedora 24 Update: qemu-2.6.2-7.fc24
Link: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/X3M6HH35GUTRSIKPUWQYKAFUOT25GJXE/
FEDORA-2017-31b976672b: Fedora 25 Update: qemu-2.7.1-4.fc25
Link: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MYFUMFAMU5GEQUVDAYGEUWAHFPUP2DN6/
FEDORA-2017-d4ee7018c1: Fedora 24 Update: xen-4.6.4-7.fc24
Link: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FLOJWGUX5PRXPIOTKRMBPC5ZL663K4G6/
FEDORA-2017-cdb53b04e0: Fedora 25 Update: xen-4.7.1-7.fc25
Link: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/F5O4BC6JBTCWJE7JLE2REW5KQNTWSDCU/
Oracle Linux
----------------
Link: https://linux.oracle.com/cve/CVE-2017-2615.html
EulerOS
----------------
Link: http://developer.huawei.com/ict/cn/site-euleros/euleros/cve/CVE-2017-2615
