Debian Qemu vulnerabilities
446 known vulnerabilities affecting debian/qemu.
Total CVEs: 446
CISA KEV: 0
Public exploits: 10
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 87, MEDIUM 228, LOW 120, UNKNOWN 1
Vulnerabilities
Page 13 of 23
CVE-2017-5552 | LOW | CVSS 6.5 | fixed in qemu 1:2.10.0-1 (bookworm) | 2017
CVE-2017-5552 [MEDIUM] CVE-2017-5552: qemu - Memory leak in the virgl_resource_attach_backing function in hw/display/virtio-g...
Memory leak in the virgl_resource_attach_backing function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_ATTACH_BACKING commands.
Scope: local
bookworm: resolved (fixed in 1:2.10.0-1)
bullseye: resolved (fixed in 1:2.10.0-1)
forky
debian
CVE-2017-8284 | LOW | CVSS 7.0 | fixed in qemu 1:2.10.0-1 (bookworm) | 2017
CVE-2017-8284 [HIGH] CVE-2017-8284: qemu - The disas_insn function in target/i386/translate.c in QEMU before 2.9.0, when TC...
The disas_insn function in target/i386/translate.c in QEMU before 2.9.0, when TCG mode without hardware acceleration is used, does not limit the instruction size, which allows local users to gain privileges by creating a modified basic block that injects code into a setuid program, as demonstrated by procmail. NOTE: the vendor has stated "this bug does not violate any se
debian
CVE-2017-13672 | LOW | CVSS 5.5 | fixed in qemu 1:2.10.0-1 (bookworm) | 2017
CVE-2017-13672 [MEDIUM] CVE-2017-13672: qemu - QEMU (aka Quick Emulator), when built with the VGA display emulator support, all...
QEMU (aka Quick Emulator), when built with the VGA display emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update.
Scope: local
bookworm: resolved (fixed in 1:2.10.0-1)
bullseye: resolved (fixed in 1:2.10.0-1)
forky: resolved (fixed in 1:2.10.0-1)
sid: reso
debian
CVE-2017-7539 | LOW | CVSS 5.3 | 2017
CVE-2017-7539 [MEDIUM] CVE-2017-7539: qemu - An assertion-failure flaw was found in Qemu before 2.10.1, in the Network Block ...
An assertion-failure flaw was found in Qemu before 2.10.1, in the Network Block Device (NBD) server's initial connection negotiation, where the I/O coroutine was undefined. This could crash the qemu-nbd server if a client sent unexpected data during connection negotiation. A remote user or process could use this flaw to crash the qemu-nbd server resulting in denial of
debian
CVE-2017-9060 | LOW | CVSS 5.5 | fixed in qemu 1:2.10.0-1 (bookworm) | 2017
CVE-2017-9060 [MEDIUM] CVE-2017-9060: qemu - Memory leak in the virtio_gpu_set_scanout function in hw/display/virtio-gpu.c in...
Memory leak in the virtio_gpu_set_scanout function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (memory consumption) via a large number of "VIRTIO_GPU_CMD_SET_SCANOUT:" commands.
Scope: local
bookworm: resolved (fixed in 1:2.10.0-1)
bullseye: resolved (fixed in 1:2.10.0-1)
forky: resolved (fixed in 1:2
debian
CVE-2017-5578 | LOW | CVSS 6.5 | fixed in qemu 1:2.10.0-1 (bookworm) | 2017
CVE-2017-5578 [MEDIUM] CVE-2017-5578: qemu - Memory leak in the virtio_gpu_resource_attach_backing function in hw/display/vir...
Memory leak in the virtio_gpu_resource_attach_backing function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_ATTACH_BACKING commands.
Scope: local
bookworm: resolved (fixed in 1:2.10.0-1)
bullseye: resolved (fixed in 1:2.10.0-1)
for
debian
CVE-2016-7161 | CRITICAL | CVSS 9.8 | fixed in qemu 1:2.7+dfsg-1 (bookworm) | 2016
CVE-2016-7161 [CRITICAL] CVE-2016-7161: qemu - Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in ...
Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allows attackers to execute arbitrary code on the QEMU host via a large ethlite packet.
Scope: local
bookworm: resolved (fixed in 1:2.7+dfsg-1)
bullseye: resolved (fixed in 1:2.7+dfsg-1)
forky: resolved (fixed in 1:2.7+dfsg-1)
sid: resolved (fixed in 1:2.7+dfsg-1
debian
CVE-2016-4002 | CRITICAL | CVSS 9.8 | fixed in qemu 1:2.6+dfsg-2 (bookworm) | 2016
CVE-2016-4002 [CRITICAL] CVE-2016-4002: qemu - Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU, whe...
Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU, when the guest NIC is configured to accept large packets, allows remote attackers to cause a denial of service (memory corruption and QEMU crash) or possibly execute arbitrary code via a packet larger than 1514 bytes.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-2)
bullseye: resolved
debian
CVE-2016-1568 | HIGH | CVSS 8.8 | fixed in qemu 1:2.5+dfsg-2 (bookworm) | 2016
CVE-2016-1568 [HIGH] CVE-2016-1568: qemu - Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with IDE AHCI ...
Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with IDE AHCI Emulation support, allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ) AIO command.
Scope: local
bookworm: resolved (fixed in 1:2.5+dfsg-2)
bullseye: resolved (fixed in 1:2.5+dfsg-2)
forky: res
debian
CVE-2016-2857 | HIGH | CVSS 8.4 | fixed in qemu 1:2.6+dfsg-1 (bookworm) | 2016
CVE-2016-2857 [HIGH] CVE-2016-2857: qemu - The net_checksum_calculate function in net/checksum.c in QEMU allows local guest...
The net_checksum_calculate function in net/checksum.c in QEMU allows local guest OS users to cause a denial of service (out-of-bounds heap read and crash) via the payload length in a crafted packet.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-1)
bullseye: resolved (fixed in 1:2.6+dfsg-1)
forky: resolved (fixed in 1:2.6+dfsg-1)
sid: resolved (fixed in 1:2.6+dfsg-
debian
CVE-2016-4001 | HIGH | CVSS 8.6 | fixed in qemu 1:2.6+dfsg-1 (bookworm) | 2016
CVE-2016-4001 [HIGH] CVE-2016-4001: qemu - Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet....
Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is configured to accept large packets, allows remote attackers to cause a denial of service (QEMU crash) via a large packet.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-1)
bullseye: resolved (fixed in 1:2.6+dfsg-1)
forky: resolved (fi
debian
CVE-2016-3710 | HIGH | CVSS 8.8 | fixed in qemu 1:2.6+dfsg-1 (bookworm) | 2016
CVE-2016-3710 [HIGH] CVE-2016-3710: qemu - The VGA module in QEMU improperly performs bounds checking on banked access to v...
The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Portal" issue.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-1)
bullseye: resolved (fixed in 1:2.6+dfsg-1)
forky: resolv
debian
CVE-2016-2538 | HIGH | CVSS 7.1 | fixed in qemu 1:2.6+dfsg-1 (bookworm) | 2016
CVE-2016-2538 [HIGH] CVE-2016-2538: qemu - Multiple integer overflows in the USB Net device emulator (hw/usb/dev-network.c)...
Multiple integer overflows in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 allow local guest OS administrators to cause a denial of service (QEMU process crash) or obtain sensitive host memory information via a remote NDIS control message packet that is mishandled in the (1) rndis_query_response, (2) rndis_set_response, or (3) usb_net_handle_da
debian
CVE-2016-1714 | HIGH | CVSS 8.1 | fixed in qemu 1:2.5+dfsg-4 (bookworm) | 2016
CVE-2016-1714 [HIGH] CVE-2016-1714: qemu - The (1) fw_cfg_write and (2) fw_cfg_read functions in hw/nvram/fw_cfg.c in QEMU ...
The (1) fw_cfg_write and (2) fw_cfg_read functions in hw/nvram/fw_cfg.c in QEMU before 2.4, when built with the Firmware Configuration device emulation support, allow guest OS users with the CAP_SYS_RAWIO privilege to cause a denial of service (out-of-bounds read or write access and process crash) or possibly execute arbitrary code via an invalid current entry value in a
debian
CVE-2016-9602 | HIGH | CVSS 7.6 | fixed in qemu 1:2.8+dfsg-3 (bookworm) | 2016
CVE-2016-9602 [HIGH] CVE-2016-9602: qemu - Qemu before version 2.9 is vulnerable to an improper link following when built w...
Qemu before version 2.9 is vulnerable to an improper link following when built with the VirtFS. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-3)
bullseye: resolved (fixed in 1:2.8+dfsg-3)
forky: resolved (fix
debian
CVE-2016-5126 | HIGH | CVSS 7.8 | fixed in qemu 1:2.6+dfsg-2 (bookworm) | 2016
CVE-2016-5126 [HIGH] CVE-2016-5126: qemu - Heap-based buffer overflow in the iscsi_aio_ioctl function in block/iscsi.c in Q...
Heap-based buffer overflow in the iscsi_aio_ioctl function in block/iscsi.c in QEMU allows local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-2)
bullseye: resolved (fixed in 1:2.6+dfsg-2)
forky: resolved (fixed in 1:
debian
CVE-2016-5338 | HIGH | CVSS 7.8 | fixed in qemu 1:2.6+dfsg-2 (bookworm) | 2016
CVE-2016-5338 [HIGH] CVE-2016-5338: qemu - The (1) esp_reg_read and (2) esp_reg_write functions in hw/scsi/esp.c in QEMU al...
The (1) esp_reg_read and (2) esp_reg_write functions in hw/scsi/esp.c in QEMU allow local guest OS administrators to cause a denial of service (QEMU process crash) or execute arbitrary code on the QEMU host via vectors related to the information transfer buffer.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-2)
bullseye: resolved (fixed in 1:2.6+dfsg-2)
forky: reso
debian
CVE-2016-2392 | MEDIUM | CVSS 6.5 | fixed in qemu 1:2.6+dfsg-1 (bookworm) | 2016
CVE-2016-2392 [MEDIUM] CVE-2016-2392: qemu - The is_rndis function in the USB Net device emulator (hw/usb/dev-network.c) in Q...
The is_rndis function in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 does not properly validate USB configuration descriptor objects, which allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving a remote NDIS control message packet.
Scope: local
bookworm: reso
debian
CVE-2016-8669 | MEDIUM | CVSS 6.0 | fixed in qemu 1:2.8+dfsg-1 (bookworm) | 2016
CVE-2016-8669 [MEDIUM] CVE-2016-8669: qemu - The serial_update_parameters function in hw/char/serial.c in QEMU (aka Quick Emu...
The serial_update_parameters function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1)
bullseye: resolved (fixed in 1:2.8+dfsg-1)
forky: r
debian
CVE-2016-8577 | MEDIUM | CVSS 6.0 | fixed in qemu 1:2.8+dfsg-1 (bookworm) | 2016
CVE-2016-8577 [MEDIUM] CVE-2016-8577: qemu - Memory leak in the v9fs_read function in hw/9pfs/9p.c in QEMU (aka Quick Emulato...
Memory leak in the v9fs_read function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors related to an I/O read operation.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1)
bullseye: resolved (fixed in 1:2.8+dfsg-1)
forky: resolved (fixed in 1:2.8+dfsg-1)
sid: resolved (f
debian