kmod, kvm security update

CentOS Errata and Security Advisory CESA-2016:1943

KVM (for Kernel-based Virtual Machine) is a full virtualization solution for
Linux on x86 hardware. Using KVM, one can run multiple virtual machines running
unmodified Linux or Windows images. Each virtual machine has private virtualized
hardware: a network card, disk, graphics adapter, etc.

Security Fix(es):

• An out-of-bounds read/write access flaw was found in the way QEMU’s VGA
  emulation with VESA BIOS Extensions (VBE) support performed read/write
  operations using I/O port methods. A privileged guest user could use this flaw
  to execute arbitrary code on the host with the privileges of the host’s QEMU
  process. (CVE-2016-3710)

• Quick Emulator(QEMU) built with the virtio framework is vulnerable to an
  unbounded memory allocation issue. It was found that a malicious guest user
  could submit more requests than the virtqueue size permits. Processing a request
  allocates a VirtQueueElement results in unbounded memory allocation on the host
  controlled by the guest. (CVE-2016-5403)

Red Hat would like to thank Wei Xiao (360 Marvel Team) and Qinghao Tang (360
Marvel Team) for reporting CVE-2016-3710 and hongzhenhao (Marvel Team) for
reporting CVE-2016-5403.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2016-September/084253.html

Affected packages:
kmod-kvm
kmod-kvm-debug
kvm
kvm-qemu-img
kvm-tools

Upstream details at:
https://access.redhat.com/errata/RHSA-2016:1943