标签:open ebs span apr 解决 acl dtb 复制 for
漏洞描述
QEMU是一款开源模拟器软件。
QEMU在实现上存在越界访问漏洞,在cirrus_bitblt_cputovideo中复制VGA数据时会触发此漏洞,导致QEMU进程崩溃或执行任意代码。
解决方法
以下是各Linux/Unix发行版系统针对此漏洞发布的安全公告,可以参考对应系统的安全公告修复该漏洞:
Ubuntu
----------------
USN-3261-1: [USN-3261-1] QEMU vulnerabilities
链接: https://www.ubuntu.com/usn/usn-3261-1
Red Hat Enterprise Linux
----------------
链接: https://access.redhat.com/security/cve/CVE-2017-2620
CentOS
----------------
CESA-2017:0352: CESA-2017:0352 Important CentOS 6 qemu-kvm Security Update
链接: https://lists.centos.org/pipermail/centos-announce/2017-March/022294.html
CESA-2017:0396: CESA-2017:0396 Important CentOS 7 qemu-kvm Security Update
链接: https://lists.centos.org/pipermail/centos-announce/2017-March/022321.html
CESA-2017:0454: CESA-2017:0454 Important CentOS 5 kvm Security Update
链接: https://lists.centos.org/pipermail/centos-announce/2017-March/022325.html
Gentoo
----------------
GLSA-201704-01: QEMU: Multiple vulnerabilities
链接: https://security.gentoo.org/glsa/201704-01
GLSA-201703-07: Xen: Privilege Escalation
链接: https://security.gentoo.org/glsa/201703-07
FreeBSD
----------------
8cbd9c08-f8b9-11e6-ae1b-002590263bf5: xen-tools -- cirrus_bitblt_cputovideo does not check if memory region is safe
链接: http://vuxml.freebsd.org/freebsd/8cbd9c08-f8b9-11e6-ae1b-002590263bf5.html
openSUSE
----------------
openSUSE-SU-2017:0707-1: openSUSE Security Update: Security update for qemu
链接: https://lists.opensuse.org/opensuse-security-announce/2017-03/msg00011.html
openSUSE-SU-2017:0665-1: openSUSE Security Update: Security update for xen
链接: https://lists.opensuse.org/opensuse-security-announce/2017-03/msg00008.html
openSUSE-SU-2017:1312-1: openSUSE Security Update: Security update for qemu
链接: https://lists.opensuse.org/opensuse-updates/2017-05/msg00058.html
SUSE
----------------
链接: https://www.suse.com/security/cve/CVE-2017-2620/
Fedora
----------------
FEDORA-2017-62ac1230f7: Fedora 24 Update: qemu-2.6.2-7.fc24
链接: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/X3M6HH35GUTRSIKPUWQYKAFUOT25GJXE/
FEDORA-2017-31b976672b: Fedora 25 Update: qemu-2.7.1-4.fc25
链接: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MYFUMFAMU5GEQUVDAYGEUWAHFPUP2DN6/
FEDORA-2017-1607a3a78e: Fedora 24 Update: xen-4.6.4-8.fc24
链接: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OIGV7IRUPTCLPEQ62PZGHOY6IVIGG4IS/
FEDORA-2017-266ab882cd: Fedora 25 Update: xen-4.7.1-9.fc25
链接: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JCEEPYGCOQ2S5SJYWOMZQDTBZ6RFLXUX/
Oracle Linux
----------------
链接: https://linux.oracle.com/cve/CVE-2017-2620.html
EulerOS
----------------
链接: http://developer.huawei.com/ict/cn/site-euleros/euleros/cve/CVE-2017-2620
Qemu 远程代码执行漏洞(CVE-2017-2620)
标签:open ebs span apr 解决 acl dtb 复制 for
原文地址:https://www.cnblogs.com/mrhonest/p/10910499.html
