Closed. danmcd closed this 9 years ago.
Resolved in 407546e. Thanks Dan!
Thanks for the quick patch @danmcd.
It's been noted elsewhere, but worth repeating here:
One other thing to note is that the qemu process on SmartOS runs inside a zone, so escaping the qemu just gets you root in a zone that has basically nothing in it except the qemu binary and some config.
You would need an additional kernel privesc vuln to escape that zone and take control over the entire box.
And from Robert:
This is correct, the processes in there are running in a stripped privilege environment. It cannot fork.
tl;dr: this vulnerability poses no risk on SmartOS.
Support statement regarding Joyent's public and private cloud offerings posted earlier today: https://help.joyent.com/entries/68099220-Security-Advisory-on-Venom-CVE-2015-3456-in-KVM-QEMU
Three variants-on-a-theme patches were issued via the oss-security list this morning. This is a direct application of xsa133-qemuu.patch (using "patch < xsa133-qemuu.patch" with PWD=illumos-kvm-cmd/hw).