========================================================================== Ubuntu Security Notice USN-1177-1 July 27, 2011 qemu-kvm vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 11.04 - Ubuntu 10.10 - Ubuntu 10.04 LTS Summary: QEMU could be made to run with adminstrator group privileges under certain circumstances. Software Description: - qemu-kvm: Machine emulator and virtualizer Details: Andrew Griffiths discovered that QEMU did not correctly drop privileges when using the 'runas' argument. Under certain circumstances a local attacker could exploit this to escalate privileges. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.04: qemu-kvm 0.14.0+noroms-0ubuntu4.4 Ubuntu 10.10: qemu-kvm 0.12.5+noroms-0ubuntu7.10 qemu-kvm-extras 0.12.5+noroms-0ubuntu7.10 qemu-kvm-extras-static 0.12.5+noroms-0ubuntu7.10 Ubuntu 10.04 LTS: qemu-kvm 0.12.3+noroms-0ubuntu9.15 qemu-kvm-extras 0.12.3+noroms-0ubuntu9.15 qemu-kvm-extras-static 0.12.3+noroms-0ubuntu9.15 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-1177-1 CVE-2011-2527 Package Information: https://launchpad.net/ubuntu/+source/qemu-kvm/0.14.0+noroms-0ubuntu4.4 https://launchpad.net/ubuntu/+source/qemu-kvm/0.12.5+noroms-0ubuntu7.10 https://launchpad.net/ubuntu/+source/qemu-kvm/0.12.3+noroms-0ubuntu9.15