17.49.33
[SECURITY] [DSA-1962-1] New kvm packages fix several vulnerabilities
Hash: SHA1

- ------------------------------
------------------------------------------
Debian Security Advisory DSA-1962                  security@debian.org
http://www.debian.org/security/                      Giuseppe Iuculano
December 23, 2009                   http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : kvm
Vulnerability  : several vulnerabilities
Problem type   : local
Debian-specific: no
Debian bugs    : 557739 562075 562076
CVE Ids        : CVE-2009-3638 CVE-2009-3722 CVE-2009-4031


Several vulnerabilities have been discovered in kvm, a full virtualization system.
The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2009-3638

It was discovered an Integer overflow in the kvm_dev_ioctl_get_supported_cpuid
function. This allows local users to have an unspecified impact via a
KVM_GET_SUPPORTED_CPUID request to the kvm_arch_dev_ioctl function.


CVE-2009-3722

It was discovered that the handle_dr function in the KVM subsystem does not
properly verify the Current Privilege Level (CPL) before accessing a debug
register, which allows guest OS users to cause a denial of service (trap) on the
host OS via a crafted application.


CVE-2009-4031

It was discovered that the do_insn_fetch function in the x86 emulator in the KVM
subsystem tries to interpret instructions that contain too many bytes to be
valid, which allows guest OS users to cause a denial of service (increased
scheduling latency) on the host OS via unspecified manipulations related to SMP
support.


For the stable distribution (lenny), these problems have been fixed in version
72+dfsg-5~lenny4.

For the testing distribution (squeeze), and the unstable distribution (sid),
these problems will be fixed soon.


We recommend that you upgrade your kvm package.

Upgrade instructions
- --------------------

wget url
       will fetch the file for you
dpkg -i file.deb
       will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
       will update the internal database
apt-get upgrade
       will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64,
mips, mipsel, powerpc, s390 and sparc.
Views: 924 | Added by: b1zz4rd | Rating: 0.0/0
Total comments: 0
Name *:
Email *:
Code *:
close