Debian Qemu vulnerabilities

446 known vulnerabilities affecting debian/qemu.

Total CVEs: 446
CISA KEV: 0
Public exploits: 10
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 87, MEDIUM 228, LOW 120, UNKNOWN 1

Vulnerabilities

Page 10 of 23
CVE-2018-20125 | LOW | CVSS 7.5 | fixed in qemu 1:4.1-1 (bookworm) | 2018
CVE-2018-20125 [HIGH]: qemu - hw/rdma/vmw/pvrdma_cmd.c in QEMU allows attackers to cause a denial of service (NULL pointer dereference or excessive memory allocation) in create_cq_ring or create_qp_rings. Scope: local. bookworm: resolved (fixed in 1:4.1-1); bullseye: resolved (fixed in 1:4.1-1); forky: resolved (fixed in 1:4.1-1); sid: resolved (fixed in 1:4.1-1); trixie: resolved (fixed in 1:4.1-1)
CVE-2018-20216 | LOW | CVSS 7.5 | fixed in qemu 1:4.1-1 (bookworm) | 2018
CVE-2018-20216 [HIGH]: qemu - QEMU can have an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c because return values are not checked (and -1 is mishandled). Scope: local. bookworm: resolved (fixed in 1:4.1-1); bullseye: resolved (fixed in 1:4.1-1); forky: resolved (fixed in 1:4.1-1); sid: resolved (fixed in 1:4.1-1); trixie: resolved (fixed in 1:4.1-1)
CVE-2018-20123 | LOW | CVSS 5.5 | fixed in qemu 1:4.1-1 (bookworm) | 2018
CVE-2018-20123 [MEDIUM]: qemu - pvrdma_realize in hw/rdma/vmw/pvrdma_main.c in QEMU has a memory leak after an initialisation error. Scope: local. bookworm: resolved (fixed in 1:4.1-1); bullseye: resolved (fixed in 1:4.1-1); forky: resolved (fixed in 1:4.1-1); sid: resolved (fixed in 1:4.1-1); trixie: resolved (fixed in 1:4.1-1)
CVE-2018-20124 | LOW | CVSS 5.5 | fixed in qemu 1:4.1-1 (bookworm) | 2018
CVE-2018-20124 [MEDIUM]: qemu - hw/rdma/rdma_backend.c in QEMU allows guest OS users to trigger out-of-bounds access via a PvrdmaSqWqe ring element with a large num_sge value. Scope: local. bookworm: resolved (fixed in 1:4.1-1); bullseye: resolved (fixed in 1:4.1-1); forky: resolved (fixed in 1:4.1-1); sid: resolved (fixed in 1:4.1-1); trixie: resolved (fixed in 1:4.1-1)
CVE-2018-19665 | LOW | CVSS 5.7 | fixed in qemu 1:3.1+dfsg-2 (bookworm) | 2018
CVE-2018-19665 [MEDIUM]: qemu - The Bluetooth subsystem in QEMU mishandles negative values for length variables, leading to memory corruption. Scope: local. bookworm: resolved (fixed in 1:3.1+dfsg-2); bullseye: resolved (fixed in 1:3.1+dfsg-2); forky: resolved (fixed in 1:3.1+dfsg-2); sid: resolved (fixed in 1:3.1+dfsg-2); trixie: resolved (fixed in 1:3.1+dfsg-2)
CVE-2018-15746 | LOW | CVSS 5.5 | fixed in qemu 1:3.1+dfsg-1 (bookworm) | 2018
CVE-2018-15746 [MEDIUM]: qemu - qemu-seccomp.c in QEMU might allow local OS guest users to cause a denial of service (guest crash) by leveraging mishandling of the seccomp policy for threads other than the main thread. Scope: local. bookworm: resolved (fixed in 1:3.1+dfsg-1); bullseye: resolved (fixed in 1:3.1+dfsg-1); forky: resolved (fixed in 1:3.1+dfsg-1); sid: resolved (fixed in 1:3.1+dfsg-1); trixi
CVE-2018-18954 | LOW | CVSS 5.5 | fixed in qemu 1:3.1+dfsg-1 (bookworm) | 2018
CVE-2018-18954 [MEDIUM]: qemu - The pnv_lpc_do_eccb function in hw/ppc/pnv_lpc.c in Qemu before 3.1 allows out-of-bounds write or read access to PowerNV memory. Scope: local. bookworm: resolved (fixed in 1:3.1+dfsg-1); bullseye: resolved (fixed in 1:3.1+dfsg-1); forky: resolved (fixed in 1:3.1+dfsg-1); sid: resolved (fixed in 1:3.1+dfsg-1); trixie: resolved (fixed in 1:3.1+dfsg-1)
CVE-2017-16845 | CRITICAL | CVSS 10.0 | fixed in qemu 1:2.12~rc3+dfsg-1 (bookworm) | 2017
CVE-2017-16845 [CRITICAL]: qemu - hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' values during guest migration, leading to out-of-bounds access. Scope: local. bookworm: resolved (fixed in 1:2.12~rc3+dfsg-1); bullseye: resolved (fixed in 1:2.12~rc3+dfsg-1); forky: resolved (fixed in 1:2.12~rc3+dfsg-1); sid: resolved (fixed in 1:2.12~rc3+dfsg-1); trixie: resolved (fixed in 1:2.12~rc3+dfsg-1)
CVE-2017-7471 | CRITICAL | CVSS 9.0 | fixed in qemu 1:2.8+dfsg-5 (bookworm) | 2017
CVE-2017-7471 [CRITICAL]: qemu - Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System (9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing files on a shared host directory. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges
CVE-2017-8380 | CRITICAL | CVSS 9.8 | fixed in qemu 1:2.8+dfsg-5 (bookworm) | 2017
CVE-2017-8380 [CRITICAL]: qemu - Buffer overflow in the "megasas_mmio_write" function in Qemu 2.9.0 allows remote attackers to have unspecified impact via unknown vectors. Scope: local. bookworm: resolved (fixed in 1:2.8+dfsg-5); bullseye: resolved (fixed in 1:2.8+dfsg-5); forky: resolved (fixed in 1:2.8+dfsg-5); sid: resolved (fixed in 1:2.8+dfsg-5); trixie: resolved (fixed in 1:2.8+dfsg-5)
CVE-2017-13711 | HIGH | CVSS 7.5 | fixed in qemu 1:2.10.0-1 (bookworm) | 2017
CVE-2017-13711 [HIGH]: qemu - Use-after-free vulnerability in the sofree function in slirp/socket.c in QEMU (aka Quick Emulator) allows attackers to cause a denial of service (QEMU instance crash) by leveraging failure to properly clear ifq_so from pending packets. Scope: local. bookworm: resolved (fixed in 1:2.10.0-1); bullseye: resolved (fixed in 1:2.10.0-1); forky: resolved (fixed in 1:2.10.0-1); si
CVE-2017-9524 | HIGH | CVSS 7.5 | fixed in qemu 1:2.8+dfsg-7 (bookworm) | 2017
CVE-2017-9524 [HIGH]: qemu - The qemu-nbd server in QEMU (aka Quick Emulator), when built with the Network Block Device (NBD) Server support, allows remote attackers to cause a denial of service (segmentation fault and server crash) by leveraging failure to ensure that all initialization occurs before talking to a client in the nbd_negotiate function. Scope: local. bookworm: resolved (fixed in 1:2.8+
CVE-2017-6058 | HIGH | CVSS 7.5 | fixed in qemu 1:2.8+dfsg-3 (bookworm) | 2017
CVE-2017-6058 [HIGH]: qemu - Buffer overflow in NetRxPkt::ehdr_buf in hw/net/net_rx_pkt.c in QEMU (aka Quick Emulator), when the VLANSTRIP feature is enabled on the vmxnet3 device, allows remote attackers to cause a denial of service (out-of-bounds access and QEMU process crash) via vectors related to VLAN stripping. Scope: local. bookworm: resolved (fixed in 1:2.8+dfsg-3); bullseye: resolved (fixed i
CVE-2017-7980 | HIGH | CVSS 7.8 | fixed in qemu 1:2.8+dfsg-4 (bookworm) | 2017
CVE-2017-7980 [HIGH]: qemu - Heap-based buffer overflow in Cirrus CLGD 54xx VGA Emulator in Quick Emulator (Qemu) 2.8 and earlier allows local guest OS users to execute arbitrary code or cause a denial of service (crash) via vectors related to a VNC client updating its display after a VGA operation. Scope: local. bookworm: resolved (fixed in 1:2.8+dfsg-4); bullseye: resolved (fixed in 1:2.8+dfsg-4); fo
CVE-2017-14167 | HIGH | CVSS 8.8 | fixed in qemu 1:2.10.0-1 (bookworm) | 2017
CVE-2017-14167 [HIGH]: qemu - Integer overflow in the load_multiboot function in hw/i386/multiboot.c in QEMU (aka Quick Emulator) allows local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write. Scope: local. bookworm: resolved (fixed in 1:2.10.0-1); bullseye: resolved (fixed in 1:2.10.0-1); forky: resolved (fixed in 1
CVE-2017-10664 | HIGH | CVSS 7.5 | fixed in qemu 1:2.8+dfsg-7 (bookworm) | 2017
CVE-2017-10664 [HIGH]: qemu - qemu-nbd in QEMU (aka Quick Emulator) does not ignore SIGPIPE, which allows remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt. Scope: local. bookworm: resolved (fixed in 1:2.8+dfsg-7); bullseye: resolved (fixed in 1:2.8+dfsg-7); forky: resolved (fixed in 1:2.8+dfsg-7); sid: resolved (fixed in 1:2.8+dfsg-7)
CVE-2017-7493 | HIGH | CVSS 7.8 | fixed in qemu 1:2.8+dfsg-6 (bookworm) | 2017
CVE-2017-7493 [HIGH]: qemu - Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System (9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could use this flaw to escalate their privileges inside guest. Scope: local. bookworm: resolved (fixed in 1:2.8+dfsg-6); b
CVE-2017-15118 | HIGH | CVSS 8.3 | PoC | fixed in qemu 1:2.11+dfsg-1 (bookworm) | 2017
CVE-2017-15118 [HIGH]: qemu - A stack-based buffer overflow vulnerability was found in NBD server implementation in qemu before 2.11 allowing a client to request an export name of size up to 4096 bytes, which in fact should be limited to 256 bytes, causing an out-of-bounds stack write in the qemu process. If NBD server requires TLS, the attacker cannot trigger the buffer overflow without first succ
CVE-2017-15268 | HIGH | CVSS 7.5 | fixed in qemu 1:2.11+dfsg-1 (bookworm) | 2017
CVE-2017-15268 [HIGH]: qemu - Qemu through 2.10.0 allows remote attackers to cause a memory leak by triggering slow data-channel read operations, related to io/channel-websock.c. Scope: local. bookworm: resolved (fixed in 1:2.11+dfsg-1); bullseye: resolved (fixed in 1:2.11+dfsg-1); forky: resolved (fixed in 1:2.11+dfsg-1); sid: resolved (fixed in 1:2.11+dfsg-1); trixie: resolved (fixed in 1:2.11+dfsg-1)
CVE-2017-5931 | HIGH | CVSS 8.8 | fixed in qemu 1:2.8+dfsg-3 (bookworm) | 2017
CVE-2017-5931 [HIGH]: qemu - Integer overflow in hw/virtio/virtio-crypto.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code on the host via a crafted virtio-crypto request, which triggers a heap-based buffer overflow. Scope: local. bookworm: resolved (fixed in 1:2.8+dfsg-3); bullseye: resolved (fixe