Security Advisory Details

NS-SA-2019-0005

2019-07-17 14:54:04

Summary

important: qemu-kvm/procmail security update

Severity

important

Subject

An update for qemu-kvm/procmail is now available for NewStart CGSL MAIN 5.04.
NewStart Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

procmail: Procmail can be used to create mail servers and mailing lists, sort incoming mail into separate folders/files (convenient when subscribing to one or more mailing lists or for prioritising your mail), preprocess your mail, start programs upon mail arrival (e.g. to generate different chimes on your workstation for different types of mail), or selectively forward certain incoming mail automatically to someone else.


Security Fix(es):
qemu-kvm: Quick Emulator (QEMU), compiled with the PC System Emulator with multiboot feature support, is vulnerable to an out-of-bounds (OOB) read/write memory access issue. The issue could occur due to an integer overflow while loading a kernel image during a guest boot. A user or process could use this flaw to potentially achieve arbitrary code execution on the host. (CVE-2017-14167)
qemu-kvm: Quick Emulator (QEMU), compiled with the Cirrus CLGD 54xx VGA Emulator support, is vulnerable to an OOB write access issue. The issue could occur while writing to VGA memory via the mode4and5 write functions. A privileged user inside the guest could use this flaw to crash the QEMU process, resulting in a Denial of Service (DoS). (CVE-2017-15289)
qemu-kvm: bugfix
procmail: A heap-based buffer overflow flaw was found in procmail's formail utility. A remote attacker could send a specially crafted email that, when processed by formail, could cause formail to crash or, possibly, execute arbitrary code as the user running formail. (CVE-2017-16844)
procmail: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.04.F1.

Affected Components

  • qemu-kvm
  • procmail

Affected Products

  • CGSL MAIN 5.04

Update Packages

CGSL MAIN 5.04

  • qemu-kvm (source: qemu-kvm-1.5.3-141.el7_4.4.src.rpm)
    qemu-img-1.5.3-141.el7_4.4.x86_64.rpm
    qemu-kvm-1.5.3-141.el7_4.4.x86_64.rpm
    qemu-kvm-common-1.5.3-141.el7_4.4.x86_64.rpm
    qemu-kvm-debuginfo-1.5.3-141.el7_4.4.x86_64.rpm
    qemu-kvm-tools-1.5.3-141.el7_4.4.x86_64.rpm
  • procmail (source: procmail-3.22-36.el7_4.1.src.rpm)
    procmail-3.22-36.el7_4.1.x86_64.rpm
    procmail-debuginfo-3.22-36.el7_4.1.x86_64.rpm
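A practitioner applying this advisory usually wants to confirm, per host, whether the installed qemu-kvm and procmail packages are already at or above the fixed release before and after patching. The script below is an added example (not NewStart's own tooling): it embeds the advisory's package list as published, parses the fixed name/version/release from each binary RPM, and compares it against `rpm -qa` output using a simplified port of rpm's version comparison. The "installed" list is a constructed sample, not output from a real host, and the script assumes `rpm -qa` was run with the query format `'%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'` and that no package carries an epoch (the advisory lists none).

```python
"""Check installed RPM versions against the packages fixed in NS-SA-2019-0005.

Added example, not part of the advisory. Assumes no epochs and the rpm -qa
query format '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\\n'.
"""
import json
import re

# Copied verbatim from the advisory's update package list for CGSL MAIN 5.04.
ADVISORY_FIX = json.loads("""
{"fix":[{"product":"CGSL MAIN 5.04","pkgs":[
 {"binary":["qemu-img-1.5.3-141.el7_4.4.x86_64.rpm","qemu-kvm-1.5.3-141.el7_4.4.x86_64.rpm",
  "qemu-kvm-common-1.5.3-141.el7_4.4.x86_64.rpm","qemu-kvm-debuginfo-1.5.3-141.el7_4.4.x86_64.rpm",
  "qemu-kvm-tools-1.5.3-141.el7_4.4.x86_64.rpm"],"source":"qemu-kvm-1.5.3-141.el7_4.4.src.rpm"},
 {"binary":["procmail-3.22-36.el7_4.1.x86_64.rpm","procmail-debuginfo-3.22-36.el7_4.1.x86_64.rpm"],
  "source":"procmail-3.22-36.el7_4.1.src.rpm"}]}]}
""")

# Constructed sample of rpm -qa output (not from a real host); qemu-kvm and
# procmail are deliberately left at pre-fix releases, qemu-img is already fixed.
SAMPLE_INSTALLED = """\
qemu-kvm-1.5.3-141.el7_4.2.x86_64
qemu-kvm-common-1.5.3-141.el7_4.2.x86_64
qemu-img-1.5.3-141.el7_4.4.x86_64
procmail-3.22-36.el7.x86_64
bash-4.2.46-29.el7_4.x86_64
"""

def parse_nvra(pkg):
    """Split 'name-version-release.arch[.rpm]' into (name, version, release, arch).
    Splitting from the right is what keeps hyphenated names like qemu-kvm-common intact."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    rest, arch = pkg.rsplit(".", 1)
    rest, release = rest.rsplit("-", 1)
    name, version = rest.rsplit("-", 1)
    return name, version, release, arch

def rpmvercmp(a, b):
    """Simplified port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b.
    Segments are runs of digits or letters (separators ignored); digits compare as
    integers, letters as strings, a numeric segment beats an alphabetic one, and a
    '~' segment sorts before anything, including end of string. '^' is not handled."""
    if a == b:
        return 0
    tok = r"[0-9]+|[A-Za-z]+|~"
    sa, sb = re.findall(tok, a), re.findall(tok, b)
    for x, y in zip(sa, sb):
        if x == "~" and y == "~":
            continue
        if x == "~":
            return -1
        if y == "~":
            return 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit():
            c = 1
        elif y.isdigit():
            c = -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    if len(sa) == len(sb):
        return 0
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb):] if a_longer else sb[len(sa):]
    if rest[0] == "~":            # a trailing '~...' makes the longer string OLDER
        return -1 if a_longer else 1
    return 1 if a_longer else -1

def fixed_versions(advisory, product):
    """Map package name -> (version, release) of the fixed binary RPMs for one product."""
    fixed = {}
    for entry in advisory["fix"]:
        if entry["product"] != product:
            continue
        for pkg in entry["pkgs"]:
            for rpm_name in pkg["binary"]:
                name, version, release, _arch = parse_nvra(rpm_name)
                fixed[name] = (version, release)
    return fixed

def check_installed(installed_lines, fixed):
    """Return {name: 'VULNERABLE' | 'PATCHED'} for installed packages the advisory covers."""
    result = {}
    for line in installed_lines:
        if not line.strip():
            continue
        name, version, release, _arch = parse_nvra(line.strip())
        if name not in fixed:
            continue                                  # not covered by this advisory
        fv, fr = fixed[name]
        c = rpmvercmp(version, fv) or rpmvercmp(release, fr)
        result[name] = "PATCHED" if c >= 0 else "VULNERABLE"
    return result

if __name__ == "__main__":
    fixed = fixed_versions(ADVISORY_FIX, "CGSL MAIN 5.04")
    for name, status in sorted(check_installed(SAMPLE_INSTALLED.splitlines(), fixed).items()):
        print(f"{name:20s} {status}")
```

On a real host, replace `SAMPLE_INSTALLED` with the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'`; packages the advisory does not list (bash in the sample) are skipped rather than reported, so an empty result means none of the advisory's packages are installed, not that the host is patched.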

CVE

References