Debian Qemu vulnerabilities

446 known vulnerabilities affecting debian/qemu.

Total CVEs: 446
CISA KEV: 0
Public exploits: 10
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 87, MEDIUM 228, LOW 120, UNKNOWN 1

Vulnerabilities

Page 16 of 23
CVE-2016-7170 | MEDIUM | CVSS 4.4 | fixed in qemu 1:2.8+dfsg-1 (bookworm) | 2016
The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to cursor.mask[] and cursor.image[] array sizes when processing a DEFINE_CURSOR svga command.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1); bulls
debian
CVE-2016-8668 | MEDIUM | CVSS 6.0 | fixed in qemu 1:2.8+dfsg-1 (bookworm) | 2016
The rocker_io_writel function in hw/net/rocker/rocker.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging failure to limit DMA buffer size.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1); bullseye: resolved (fixed in 1:2.8+dfsg-1); forky: resolved (fixed in 1:2
debian
CVE-2016-7995 | MEDIUM | CVSS 6.0 | fixed in qemu 1:2.8+dfsg-1 (bookworm) | 2016
Memory leak in the ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via a large number of crafted buffer page select (PG) indexes.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1); bullseye: resolved (fixed in 1:2.8+dfsg-1); forky: resolved (fixed in 1
debian
CVE-2016-5106 | MEDIUM | CVSS 6.0 | fixed in qemu 1:2.6+dfsg-2 (bookworm) | 2016
The megasas_dcmd_set_properties function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest administrators to cause a denial of service (out-of-bounds write access) via vectors involving a MegaRAID Firmware Interface (MFI) command.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-2); bullseye: re
debian
CVE-2016-7157 | MEDIUM | CVSS 4.4 | fixed in qemu 1:2.6+dfsg-3.1 (bookworm) | 2016
The (1) mptsas_config_manufacturing_1 and (2) mptsas_config_ioc_0 functions in hw/scsi/mptconfig.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via vectors involving MPTSAS_CONFIG_PACK.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-3.1); bullseye: resolved (fixed in 1:2.6+dfsg-3.1); forky: resol
debian
CVE-2016-7909 | MEDIUM | CVSS 4.4 | fixed in qemu 1:2.8+dfsg-1 (bookworm) | 2016
The pcnet_rdra_addr function in hw/net/pcnet.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1); bullseye: resolved (fixed in 1:2.8+dfsg-1); forky: resolved (fi
debian
CVE-2016-8578 | MEDIUM | CVSS 6.0 | fixed in qemu 1:2.8+dfsg-1 (bookworm) | 2016
The v9fs_iov_vunmarshal function in fsdev/9p-iov-marshal.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) by sending an empty string parameter to a 9P operation.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1); bullseye: resolved (fixed in 1:2.8+dfsg-1); forky: resol
debian
CVE-2016-9103 | MEDIUM | CVSS 6.0 | fixed in qemu 1:2.8+dfsg-1 (bookworm) | 2016
The v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host heap memory information by reading xattribute values before writing to them.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1); bullseye: resolved (fixed in 1:2.8+dfsg-1); forky: resolved (fixed in 1:2.8+dfsg-1); sid: resolved (fix
debian
CVE-2016-9907 | MEDIUM | CVSS 6.5 | fixed in qemu 1:2.8+dfsg-1 (bookworm) | 2016
Quick Emulator (Qemu) built with the USB redirector usb-guest support is vulnerable to a memory leakage flaw. It could occur while destroying the USB redirector in 'usbredir_handle_destroy'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1); bullseye: resolved (fixed in 1:2
debian
CVE-2016-8667 | MEDIUM | CVSS 6.0 | fixed in qemu 1:2.8+dfsg-4 (bookworm) | 2016
The rc4030_write function in hw/dma/rc4030.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via a large interval timer reload value.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-4); bullseye: resolved (fixed in 1:2.8+dfsg-4); forky: resolved (fixed in 1:2.8+dfsg-4); sid:
debian
CVE-2016-6490 | MEDIUM | CVSS 4.4 | fixed in qemu 1:2.6+dfsg-3.1 (bookworm) | 2016
The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the descriptor buffer.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-3.1); bullseye: resolved (fixed in 1:2.6+dfsg-3.1); forky: resolved (fixed in 1:2.6+dfs
debian
CVE-2016-4453 | MEDIUM | CVSS 4.4 | fixed in qemu 1:2.6+dfsg-3 (bookworm) | 2016
The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-3); bullseye: resolved (fixed in 1:2.6+dfsg-3); forky: resolved (fixed in 1:2.6+dfsg-3); sid: resolved (fixed in 1:2.6+dfsg-3); trixie
debian
CVE-2016-9603 | MEDIUM | CVSS 5.5 | fixed in qemu 1:2.8+dfsg-4 (bookworm) | 2016
A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx VGA emulator's VNC display driver support before 2.9; the issue could occur when a VNC client attempted to update its display after a VGA operation is performed by a guest. A privileged user/process inside a guest could use this flaw to crash the QEMU process or, potentially, execute arbitrary code on the
debian
CVE-2016-7423 | MEDIUM | CVSS 4.4 | fixed in qemu 1:2.7+dfsg-1 (bookworm) | 2016
The mptsas_process_scsi_io_request function in QEMU (aka Quick Emulator), when built with LSI SAS1068 Host Bus emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors involving MPTSASRequest objects.
Scope: local
bookworm: resolved (fixed in 1:2.7+dfsg-1); bullseye: resolved (fixed in
debian
CVE-2016-7156 | MEDIUM | CVSS 4.4 | fixed in qemu 1:2.6+dfsg-3.1 (bookworm) | 2016
The pvscsi_convert_sglist function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging an incorrect cast.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-3.1); bullseye: resolved (fixed in 1:2.6+dfsg-3.1); forky: resolved (fixed in 1:2.6+dfsg-3.1)
debian
CVE-2016-9913 | MEDIUM | CVSS 6.5 | fixed in qemu 1:2.8+dfsg-1 (bookworm) | 2016
Memory leak in the v9fs_device_unrealize_common function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) via vectors involving the order of resource cleanup.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1); bullseye: resolved (fixed in 1:2.8
debian
CVE-2016-8576 | MEDIUM | CVSS 6.0 | fixed in qemu 1:2.8+dfsg-1 (bookworm) | 2016
The xhci_ring_fetch function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit the number of link Transfer Request Blocks (TRB) to process.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1); bullseye: resolved (fixed in 1:2.8+dfsg
debian
CVE-2016-3712 | MEDIUM | CVSS 5.5 | fixed in qemu 1:2.6+dfsg-1 (bookworm) | 2016
Integer overflow in the VGA module in QEMU allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) by editing VGA registers in VBE mode.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-1); bullseye: resolved (fixed in 1:2.6+dfsg-1); forky: resolved (fixed in 1:2.6+dfsg-1); sid: resolved (fixed in 1:2.6+dfsg-1); trixie: reso
debian
CVE-2016-1922 | MEDIUM | CVSS 5.5 | fixed in qemu 1:2.5+dfsg-4 (bookworm) | 2016
QEMU (aka Quick Emulator) built with the TPR optimization for 32-bit Windows guests support is vulnerable to a null pointer dereference flaw. It occurs while doing I/O port write operations via hmp interface. In that, 'current_cpu' remains null, which leads to the null pointer dereference. A user or process could use this flaw to crash the QEMU instance, resulting in D
debian
CVE-2016-2197 | MEDIUM | CVSS 5.5 | fixed in qemu 1:2.6+dfsg-1 (bookworm) | 2016
QEMU (aka Quick Emulator) built with an IDE AHCI emulation support is vulnerable to a null pointer dereference flaw. It occurs while unmapping the Frame Information Structure (FIS) and Command List Block (CLB) entries. A privileged user inside guest could use this flaw to crash the QEMU process instance resulting in DoS.
Scope: local
bookworm: resolved (fixed in 1:2.6+
debian