Debian Qemu vulnerabilities
446 known vulnerabilities affecting debian/qemu.
Total CVEs: 446
CISA KEV: 0
Public exploits: 10
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 87, MEDIUM 228, LOW 120, UNKNOWN 1
Vulnerabilities
Page 14 of 23
CVE-2016-4454 [MEDIUM] CVSS 6.0, fixed in qemu 1:2.6+dfsg-3 (bookworm), 2016
The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggers an out-of-bounds read.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-3)
bullseye: resolved (fix
CVE-2016-7421 [MEDIUM] CVSS 4.4, fixed in qemu 1:2.7+dfsg-1 (bookworm), 2016
The pvscsi_ring_pop_req_descr function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit process IO loop to the ring size.
Scope: local
bookworm: resolved (fixed in 1:2.7+dfsg-1)
bullseye: resolved (fixed in 1:2.7+dfsg-1)
forky: res
CVE-2016-7908 [MEDIUM] CVSS 4.4, fixed in qemu 1:2.8+dfsg-1 (bookworm), 2016
The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags.
Scope: local
CVE-2016-2391 [MEDIUM] CVSS 5.0, fixed in qemu 1:2.6+dfsg-1 (bookworm), 2016
The ohci_bus_start function in the USB OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors related to multiple eof_timers.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-1)
bullseye: resolved (fixed in 1:2.6+dfsg-1)
forky: resolved (fixed
CVE-2016-4964 [MEDIUM] CVSS 6.0, fixed in qemu 1:2.6+dfsg-2 (bookworm), 2016
The mptsas_fetch_requests function in hw/scsi/mptsas.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop, and CPU consumption or QEMU process crash) via vectors involving s->state.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-2)
bullseye: resolved (fixed in 1:2.6+dfsg-2)
forky: resolved (fixed in 1:2.6
CVE-2016-2198 [MEDIUM] CVSS 5.5, fixed in qemu 1:2.6+dfsg-1 (bookworm), 2016
QEMU (aka Quick Emulator) built with the USB EHCI emulation support is vulnerable to a null pointer dereference flaw. It could occur when an application attempts to write to EHCI capabilities registers. A privileged user inside guest could use this flaw to crash the QEMU process instance resulting in DoS.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-1)
bullseye
CVE-2016-9105 [MEDIUM] CVSS 6.0, fixed in qemu 1:2.8+dfsg-1 (bookworm), 2016
Memory leak in the v9fs_link function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors involving a reference to the source fid object.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1)
bullseye: resolved (fixed in 1:2.8+dfsg-1)
forky: resolved (fixed in 1:2.8+dfsg-1)
si
CVE-2016-7907 [MEDIUM] CVSS 4.4, fixed in qemu 1:2.8+dfsg-3 (bookworm), 2016
The imx_fec_do_tx function in hw/net/imx_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags.
Scope: local
CVE-2016-9922 [MEDIUM] CVSS 5.5, fixed in qemu 1:2.8+dfsg-1 (bookworm), 2016
The cirrus_do_copy function in hw/display/cirrus_vga.c in QEMU (aka Quick Emulator), when cirrus graphics mode is VGA, allows local guest OS privileged users to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving blit pitch values.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1)
bullseye: resolved (fixed in 1:2.8+dfsg-1
CVE-2016-9921 [MEDIUM] CVSS 6.5, fixed in qemu 1:2.8+dfsg-1 (bookworm), 2016
Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to a divide by zero issue. It could occur while copying VGA data when cirrus graphics mode was set to be VGA. A privileged user inside guest could use this flaw to crash the Qemu process instance on the host, resulting in DoS.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1)
CVE-2016-5238 [MEDIUM] CVSS 4.4, fixed in qemu 1:2.6+dfsg-3 (bookworm), 2016
The get_cmd function in hw/scsi/esp.c in QEMU might allow local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to reading from the information transfer buffer in non-DMA mode.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-3)
bullseye: resolved (fixed in 1:2.6+dfsg-3)
forky: resolved (fixed in
CVE-2016-9911 [MEDIUM] CVSS 6.5, fixed in qemu 1:2.8+dfsg-1 (bookworm), 2016
Quick Emulator (Qemu) built with the USB EHCI Emulation support is vulnerable to a memory leakage issue. It could occur while processing packet data in 'ehci_init_transfer'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1)
bullseye: resolved (fixed in 1:2.8+dfsg-1)
forky:
CVE-2016-4020 [MEDIUM] CVSS 6.5, fixed in qemu 1:2.6+dfsg-2 (bookworm), 2016
The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not initialize the imm32 variable, which allows local guest OS administrators to obtain sensitive information from host stack memory by accessing the Task Priority Register (TPR).
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-2)
bullseye: resolved (fixed in 1:2.6+dfsg-2)
forky: resolved (fixed in
CVE-2016-6836 [MEDIUM] CVSS 6.0, fixed in qemu 1:2.6+dfsg-3.1 (bookworm), 2016
The vmxnet3_complete_packet function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host memory information by leveraging failure to initialize the txcq_descr object.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-3.1)
bullseye: resolved (fixed in 1:2.6+dfsg-3.1)
forky: resolved (fixed in 1:2.6+dfsg-3.1)
CVE-2016-9916 [MEDIUM] CVSS 6.5, fixed in qemu 1:2.8+dfsg-1 (bookworm), 2016
Memory leak in hw/9pfs/9p-proxy.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the proxy backend.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1)
bullseye: resolved (fixed in 1:2.8+dfsg-1)
forky: resolved (fi
CVE-2016-4441 [MEDIUM] CVSS 6.0, fixed in qemu 1:2.6+dfsg-2 (bookworm), 2016
The get_cmd function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check DMA length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via unspecified vectors, involving an SCSI command.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-2)
bullseye: resolv
CVE-2016-5403 [MEDIUM] CVSS 5.5, fixed in qemu 1:2.6+dfsg-3.1 (bookworm), 2016
The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-3.1)
bullseye: resolved (fixed in 1:2.6+dfsg-3.1)
forky: resolved (fixed in 1:2.6+dfsg-3.1)
sid:
CVE-2016-7994 [MEDIUM] CVSS 6.0, fixed in qemu 1:2.8+dfsg-1 (bookworm), 2016
Memory leak in the virtio_gpu_resource_create_2d function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_CREATE_2D commands.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1)
bullseye: resolved (fixed in 1:2.8+dfsg-1)
forky
CVE-2016-2858 [MEDIUM] CVSS 6.5, fixed in qemu 1:2.6+dfsg-1 (bookworm), 2016
QEMU, when built with the Pseudo Random Number Generator (PRNG) back-end support, allows local guest OS users to cause a denial of service (process crash) via an entropy request, which triggers arbitrary stack based allocation and memory corruption.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-1)
bullseye: resolved (fixed in 1:2.6+dfsg-1)
forky: resolved (fixed
CVE-2016-9915 [MEDIUM] CVSS 6.5, fixed in qemu 1:2.8+dfsg-1 (bookworm), 2016
Memory leak in hw/9pfs/9p-handle.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the handle backend.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1)
bullseye: resolved (fixed in 1:2.8+dfsg-1)
forky: resolved (