Debian Qemu vulnerabilities
446 known vulnerabilities affecting debian/qemu.
Total CVEs: 446
CISA KEV: 0
Public exploits: 10
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 87, MEDIUM 228, LOW 120, UNKNOWN 1
Vulnerabilities
Page 15 of 23
CVE-2016-2841 [MEDIUM] CVSS 6.0, fixed in qemu 1:2.6+dfsg-1 (bookworm), 2016
The ne2000_receive function in the NE2000 NIC emulation support (hw/net/ne2000.c) in QEMU before 2.5.1 allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via crafted values for the PSTART and PSTOP registers, involving ring buffer control.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-1)
bullseye: resolved (f
debian
CVE-2016-5105 [MEDIUM] CVSS 4.4, fixed in qemu 1:2.6+dfsg-2 (bookworm), 2016
The megasas_dcmd_cfg_read function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, uses an uninitialized variable, which allows local guest administrators to read host memory via vectors involving a MegaRAID Firmware Interface (MFI) command.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-2)
bullseye: resolved
debian
CVE-2016-9914 [MEDIUM] CVSS 6.5, fixed in qemu 1:2.8+dfsg-1 (bookworm), 2016
Memory leak in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in FileOperations.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1)
bullseye: resolved (fixed in 1:2.8+dfsg-1)
forky: resolved (fixed in 1:
debian
CVE-2016-1981 [MEDIUM] CVSS 5.5, fixed in qemu 1:2.5+dfsg-5 (bookworm), 2016
QEMU (aka Quick Emulator) built with the e1000 NIC emulation support is vulnerable to an infinite loop issue. It could occur while processing data via transmit or receive descriptors, provided the initial receive/transmit descriptor head (TDH/RDH) is set outside the allocated descriptor buffer. A privileged user inside guest could use this flaw to crash the QEMU instan
debian
CVE-2016-8909 [MEDIUM] CVSS 6.0, fixed in qemu 1:2.8+dfsg-1 (bookworm), 2016
The intel_hda_xfer function in hw/audio/intel-hda.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via an entry with the same value for buffer length and pointer position.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1)
bullseye: resolved (fixed in 1:2.8+dfsg-1)
forky: resolved
debian
CVE-2016-7422 [MEDIUM] CVSS 6.0, fixed in qemu 1:2.7+dfsg-1 (bookworm), 2016
The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via a large I/O descriptor buffer length value.
Scope: local
bookworm: resolved (fixed in 1:2.7+dfsg-1)
bullseye: resolved (fixed in 1:2.7+dfsg-1)
forky: resolved (fixed in
debian
CVE-2016-6833 [MEDIUM] CVSS 4.4, fixed in qemu 1:2.6+dfsg-3.1 (bookworm), 2016
Use-after-free vulnerability in the vmxnet3_io_bar0_write function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU instance crash) by leveraging failure to check if the device is active.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-3.1)
bullseye: resolved (fixed in 1:2.6+dfsg-3.1)
forky: r
debian
CVE-2016-9102 [MEDIUM] CVSS 6.0, fixed in qemu 1:2.8+dfsg-1 (bookworm), 2016
Memory leak in the v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) via a large number of Txattrcreate messages with the same fid number.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1)
bullseye: resolved (fixed in 1:2.8+dfsg-1)
fo
debian
CVE-2016-4037 [MEDIUM] CVSS 5.5, fixed in qemu 1:2.6+dfsg-1 (bookworm), 2016
The ehci_advance_state function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular split isochronous transfer descriptor (siTD) list, a related issue to CVE-2015-8558.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-1)
bullseye: resolved (fixed in 1:2.6+dfsg-1)
forky: re
debian
CVE-2016-9101 [MEDIUM] CVSS 6.0, fixed in qemu 1:2.8+dfsg-1 (bookworm), 2016
Memory leak in hw/net/eepro100.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by repeatedly unplugging an i8255x (PRO100) NIC device.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1)
bullseye: resolved (fixed in 1:2.8+dfsg-1)
forky: resolved (fixed in 1:2.8+dfsg-1)
sid:
debian
CVE-2016-9776 [MEDIUM] CVSS 5.5, fixed in qemu 1:2.8+dfsg-1 (bookworm), 2016
QEMU (aka Quick Emulator) built with the ColdFire Fast Ethernet Controller emulator support is vulnerable to an infinite loop issue. It could occur while receiving packets in 'mcf_fec_receive'. A privileged user/process inside guest could use this issue to crash the QEMU process on the host leading to DoS.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1)
bullsey
debian
CVE-2016-6351 [MEDIUM] CVSS 6.7, fixed in qemu 1:2.6+dfsg-3.1 (bookworm), 2016
The esp_do_dma function in hw/scsi/esp.c in QEMU (aka Quick Emulator), when built with ESP/NCR53C9x controller emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or execute arbitrary code on the QEMU host via vectors involving DMA read into ESP command buffer.
Scope: local
bookworm: resolved
debian
CVE-2016-6835 [MEDIUM] CVSS 6.0, fixed in qemu 1:2.6+dfsg-3.1 (bookworm), 2016
The vmxnet_tx_pkt_parse_headers function in hw/net/vmxnet_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (buffer over-read) by leveraging failure to check IP header length.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-3.1)
bullseye: resolved (fixed in 1:2.6+dfsg-3.1)
forky: resolved (fixed in 1:2.6+dfsg-3
debian
CVE-2016-5107 [MEDIUM] CVSS 6.0, fixed in qemu 1:2.6+dfsg-2 (bookworm), 2016
The megasas_lookup_frame function in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds read and crash) via unspecified vectors.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-2)
bullseye: resolved (fixed in 1:2.6+dfsg-2)
forky: resolved (fixed in 1:2.6+df
debian
CVE-2016-8910 [MEDIUM] CVSS 6.0, fixed in qemu 1:2.8+dfsg-1 (bookworm), 2016
The rtl8139_cplus_transmit function in hw/net/rtl8139.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1)
bullseye: resolved (fixed in 1:2.8+dfsg-1)
forky: resolved (fixed in 1
debian
CVE-2016-6888 [MEDIUM] CVSS 4.4, fixed in qemu 1:2.6+dfsg-3.1 (bookworm), 2016
Integer overflow in the net_tx_pkt_init function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU process crash) via the maximum fragmentation count, which triggers an unchecked multiplication and NULL pointer dereference.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-3.1)
bullseye: resol
debian
CVE-2016-9923 [MEDIUM] CVSS 5.5, fixed in qemu 1:2.8+dfsg-1 (bookworm), 2016
Quick Emulator (Qemu) built with the 'chardev' backend support is vulnerable to a use after free issue. It could occur while hotplug and unplugging the device in the guest. A guest user/process could use this flaw to crash a Qemu process on the host resulting in DoS.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1)
bullseye: resolved (fixed in 1:2.8+dfsg-1)
fork
debian
CVE-2016-4952 [MEDIUM] CVSS 6.0, fixed in qemu 1:2.6+dfsg-2 (bookworm), 2016
QEMU (aka Quick Emulator), when built with VMWARE PVSCSI paravirtual SCSI bus emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds array access) via vectors related to the (1) PVSCSI_CMD_SETUP_RINGS or (2) PVSCSI_CMD_SETUP_MSG_RING SCSI command.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-2)
bullseye: resolved (fi
debian
CVE-2016-9845 [MEDIUM] CVSS 6.5, fixed in qemu 1:2.8+dfsg-1 (bookworm), 2016
QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET_INFO' command. A guest user/process could use this flaw to leak contents of the host memory bytes.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1)
bullseye: resolved (fixed in 1:2.8
debian
CVE-2016-5337 [MEDIUM] CVSS 5.5, fixed in qemu 1:2.6+dfsg-2 (bookworm), 2016
The megasas_ctrl_get_info function in hw/scsi/megasas.c in QEMU allows local guest OS administrators to obtain sensitive host memory information via vectors related to reading device control information.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-2)
bullseye: resolved (fixed in 1:2.6+dfsg-2)
forky: resolved (fixed in 1:2.6+dfsg-2)
sid: resolved (fixed in 1:2.
debian