Debian Qemu vulnerabilities

446 known vulnerabilities affecting debian/qemu.

Total CVEs: 446
CISA KEV: 0
Public exploits: 10
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 87, MEDIUM 228, LOW 120, UNKNOWN 1

Vulnerabilities

CVE-2017-15124 | HIGH | CVSS 7.5 | fixed in qemu 1:2.12~rc3+dfsg-1 (bookworm) | 2017
VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, VNC server allocates growing memory to hold onto this data. A malicious remote VNC client could use this flaw to cause DoS
debian
CVE-2017-8309 | HIGH | CVSS 7.5 | fixed in qemu 1:2.8+dfsg-5 (bookworm) | 2017
Memory leak in the audio/audio.c in QEMU (aka Quick Emulator) allows remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture.
Scope: local; bookworm: resolved (fixed in 1:2.8+dfsg-5); bullseye: resolved (fixed in 1:2.8+dfsg-5); forky: resolved (fixed in 1:2.8+dfsg-5); sid: resolved (fixed in 1:2.8+dfsg-5); trixie: r
debian
CVE-2017-8379 | MEDIUM | CVSS 6.5 | fixed in qemu 1:2.8+dfsg-5 (bookworm) | 2017
Memory leak in the keyboard input event handlers support in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) by rapidly generating large keyboard events.
Scope: local; bookworm: resolved (fixed in 1:2.8+dfsg-5); bullseye: resolved (fixed in 1:2.8+dfsg-5); forky: resolved (fixed in 1:2.8+dfsg-5); sid: re
debian
CVE-2017-18030 | MEDIUM | CVSS 4.4 | fixed in qemu 1:2.8+dfsg-4 (bookworm) | 2017
The cirrus_invalidate_region function in hw/display/cirrus_vga.c in Qemu allows local OS guest privileged users to cause a denial of service (out-of-bounds array access and QEMU process crash) via vectors related to negative pitch.
Scope: local; bookworm: resolved (fixed in 1:2.8+dfsg-4); bullseye: resolved (fixed in 1:2.8+dfsg-4); forky: resolved (fixed in 1:2.8+dfsg-4
debian
CVE-2017-5526 | MEDIUM | CVSS 6.5 | fixed in qemu 1:2.8+dfsg-2 (bookworm) | 2017
Memory leak in hw/audio/es1370.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations.
Scope: local; bookworm: resolved (fixed in 1:2.8+dfsg-2); bullseye: resolved (fixed in 1:2.8+dfsg-2); forky: resolved (fixed in 1:2.8+dfsg-2); sid:
debian
CVE-2017-9373 | MEDIUM | CVSS 5.5 | fixed in qemu 1:2.8+dfsg-7 (bookworm) | 2017
Memory leak in QEMU (aka Quick Emulator), when built with IDE AHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the AHCI device.
Scope: local; bookworm: resolved (fixed in 1:2.8+dfsg-7); bullseye: resolved (fixed in 1:2.8+dfsg-7); forky: resolved (fixed in 1:2.8+dfsg-7); sid: resolv
debian
CVE-2017-13673 | MEDIUM | CVSS 6.5 | fixed in qemu 1:2.10.0+dfsg-2 (bookworm) | 2017
The vga display update in mis-calculated the region for the dirty bitmap snapshot in case split screen mode is used causing a denial of service (assertion failure) in the cpu_physical_memory_snapshot_get_dirty function.
Scope: local; bookworm: resolved (fixed in 1:2.10.0+dfsg-2); bullseye: resolved (fixed in 1:2.10.0+dfsg-2); forky: resolved (fixed in 1:2.10.0+dfsg-2); s
debian
CVE-2017-5856 | MEDIUM | CVSS 6.5 | fixed in qemu 1:2.8+dfsg-3 (bookworm) | 2017
Memory leak in the megasas_handle_dcmd function in hw/scsi/megasas.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) via MegaRAID Firmware Interface (MFI) commands with the sglist size set to a value over 2 Gb.
Scope: local; bookworm: resolved (fixed in 1:2.8+dfsg-3); bullseye: resolved (fixed in
debian
CVE-2017-5987 | MEDIUM | CVSS 5.5 | fixed in qemu 1:2.8+dfsg-3 (bookworm) | 2017
The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local OS guest privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors involving the transfer mode register during multi block transfer.
Scope: local; bookworm: resolved (fixed in 1:2.8+dfsg-3); bullseye: resolved (fixed in 1:2.8+dfs
debian
CVE-2017-9310 | MEDIUM | CVSS 5.6 | fixed in qemu 1:2.8+dfsg-7 (bookworm) | 2017
QEMU (aka Quick Emulator), when built with the e1000e NIC emulation support, allows local guest OS privileged users to cause a denial of service (infinite loop) via vectors related to setting the initial receive / transmit descriptor head (TDH/RDH) outside the allocated descriptor buffer.
Scope: local; bookworm: resolved (fixed in 1:2.8+dfsg-7); bullseye: resolved (fixed
debian
CVE-2017-2633 | MEDIUM | CVSS 5.4 | fixed in qemu 2.1+dfsg-1 (bookworm) | 2017
An out-of-bounds memory access issue was found in Quick Emulator (QEMU) before 1.7.2 in the VNC display driver. This flaw could occur while refreshing the VNC display surface area in the 'vnc_refresh_server_surface'. A user inside a guest could use this flaw to crash the QEMU process.
Scope: local; bookworm: resolved (fixed in 2.1+dfsg-1); bullseye: resolved (fixed in 2.
debian
CVE-2017-8112 | MEDIUM | CVSS 6.5 | fixed in qemu 1:2.8+dfsg-5 (bookworm) | 2017
hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (infinite loop and CPU consumption) via the message ring page count.
Scope: local; bookworm: resolved (fixed in 1:2.8+dfsg-5); bullseye: resolved (fixed in 1:2.8+dfsg-5); forky: resolved (fixed in 1:2.8+dfsg-5); sid: resolved (fixed in 1:2.8+dfsg-5); trixie:
debian
CVE-2017-10911 | MEDIUM | CVSS 6.5 | fixed in linux 4.11.11-1 (bookworm) | 2017
The make_response function in drivers/block/xen-blkback/blkback.c in the Linux kernel before 4.11.8 allows guest OS users to obtain sensitive information from host OS (or other guest OS) kernel memory by leveraging the copying of uninitialized padding fields in Xen block-interface response structures, aka XSA-216.
Scope: local; bookworm: resolved (fixed in 4.11.11-1)
debian
CVE-2017-5898 | MEDIUM | CVSS 5.5 | fixed in qemu 1:2.8+dfsg-3 (bookworm) | 2017
Integer overflow in the emulated_apdu_from_guest function in usb/dev-smartcard-reader.c in Quick Emulator (Qemu), when built with the CCID Card device emulator support, allows local users to cause a denial of service (application crash) via a large Application Protocol Data Units (APDU) unit.
Scope: local; bookworm: resolved (fixed in 1:2.8+dfsg-3); bullseye: resolved (f
debian
CVE-2017-11334 | MEDIUM | CVSS 4.4 | fixed in qemu 1:2.8+dfsg-7 (bookworm) | 2017
The address_space_write_continue function in exec.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area.
Scope: local; bookworm: resolved (fixed in 1:2.8+dfsg-7); bullseye: resolved (fixed in 1:2.8+dfsg-7); for
debian
CVE-2017-2630 | MEDIUM | CVSS 5.5 | fixed in qemu 1:2.8+dfsg-3 (bookworm) | 2017
A stack buffer overflow flaw was found in the Quick Emulator (QEMU) before 2.9 built with the Network Block Device (NBD) client support. The flaw could occur while processing server's response to a 'NBD_OPT_LIST' request. A malicious NBD server could use this issue to crash a remote NBD client resulting in DoS or potentially execute arbitrary code on client host with p
debian
CVE-2017-11434 | MEDIUM | CVSS 5.5 | fixed in qemu 1:2.8+dfsg-7 (bookworm) | 2017
The dhcp_decode function in slirp/bootp.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) via a crafted DHCP options string.
Scope: local; bookworm: resolved (fixed in 1:2.8+dfsg-7); bullseye: resolved (fixed in 1:2.8+dfsg-7); forky: resolved (fixed in 1:2.8+dfsg-7); sid: resolved (fixed in
debian
CVE-2017-15289 | MEDIUM | CVSS 6.0 | fixed in qemu 1:2.11+dfsg-1 (bookworm) | 2017
The mode4and5 write functions in hw/display/cirrus_vga.c in Qemu allow local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation.
Scope: local; bookworm: resolved (fixed in 1:2.11+dfsg-1); bullseye: resolved (fixed in 1:2.11+dfsg-1); forky: resolved (fixed in 1:2.11+dfsg-1); sid
debian
CVE-2017-2620 | MEDIUM | CVSS 5.5 | fixed in qemu 1:2.8+dfsg-3 (bookworm) | 2017
Quick emulator (QEMU) before 2.8 built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. Sco
debian
CVE-2017-15119 | MEDIUM | CVSS 5.8 | fixed in qemu 1:2.11+dfsg-1 (bookworm) | 2017
The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2.11 is vulnerable to a denial of service issue. It could occur if a client sent large option requests, making the server waste CPU time on reading up to 4GB per request. A client could use this flaw to keep the NBD server from serving other requests, resulting in DoS.
Scope: local; bookworm: resolv
debian