Debian Qemu vulnerabilities
446 known vulnerabilities affecting debian/qemu.
Total CVEs: 446
CISA KEV: 0
Public exploits: 10
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 87, MEDIUM 228, LOW 120, UNKNOWN 1
Vulnerabilities
Page 17 of 23
CVE-2016-6834 | MEDIUM | CVSS 4.4 | fixed in qemu 1:2.6+dfsg-3.1 (bookworm) | 2016
The net_tx_pkt_do_sw_fragmentation function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the current fragment length.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-3.1)
bullseye: resolved (fixed in 1:2.6+dfsg-3.1)
forky: resolved
debian
CVE-2016-9912 | MEDIUM | CVSS 6.5 | fixed in qemu 1:2.8+dfsg-1 (bookworm) | 2016
Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while destroying gpu resource object in 'virtio_gpu_resource_destroy'. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1)
bullseye: resolved
debian
CVE-2016-7116 | MEDIUM | CVSS 6.0 | fixed in qemu 1:2.6+dfsg-3.1 (bookworm) | 2016
Directory traversal vulnerability in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to access host files outside the export path via a .. (dot dot) in an unspecified string.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-3.1)
bullseye: resolved (fixed in 1:2.6+dfsg-3.1)
forky: resolved (fixed in 1:2.6+dfsg-3.1)
sid: resolved (fixed
debian
CVE-2016-7466 | MEDIUM | CVSS 6.0 | fixed in qemu 1:2.7+dfsg-1 (bookworm) | 2016
Memory leak in the usb_xhci_exit function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator), when the xhci uses msix, allows local guest OS administrators to cause a denial of service (memory consumption and possibly QEMU process crash) by repeatedly unplugging a USB device.
Scope: local
bookworm: resolved (fixed in 1:2.7+dfsg-1)
bullseye: resolved (fixed in 1:2.7+dfsg
debian
CVE-2016-7155 | MEDIUM | CVSS 4.4 | fixed in qemu 1:2.6+dfsg-3.1 (bookworm) | 2016
hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds access or infinite loop, and QEMU process crash) via a crafted page count for descriptor rings.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-3.1)
bullseye: resolved (fixed in 1:2.6+dfsg-3.1)
forky: resolved (fixed in 1:2.6+dfsg-3.1)
debian
CVE-2016-4439 | MEDIUM | CVSS 6.7 | fixed in qemu 1:2.6+dfsg-2 (bookworm) | 2016
The esp_reg_write function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check command buffer length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or potentially execute arbitrary code on the QEMU host via unspecified vectors.
Scope: local
bookworm: reso
debian
CVE-2016-9106 | MEDIUM | CVSS 6.0 | fixed in qemu 1:2.8+dfsg-1 (bookworm) | 2016
Memory leak in the v9fs_write function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) by leveraging failure to free an IO vector.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1)
bullseye: resolved (fixed in 1:2.8+dfsg-1)
forky: resolved (fixed in 1:2.8+dfsg-1)
sid: resolved (fi
debian
CVE-2016-10029 | MEDIUM | CVSS 5.5 | fixed in qemu 1:2.7+dfsg-1 (bookworm) | 2016
The virtio_gpu_set_scanout function in QEMU (aka Quick Emulator) built with Virtio GPU Device emulator support allows local guest OS users to cause a denial of service (out-of-bounds read and process crash) via a scanout id in a VIRTIO_GPU_CMD_SET_SCANOUT command larger than num_scanouts.
Scope: local
bookworm: resolved (fixed in 1:2.7+dfsg-1)
bullseye: resolved (fix
debian
CVE-2016-9104 | MEDIUM | CVSS 4.4 | fixed in qemu 1:2.8+dfsg-1 (bookworm) | 2016
Multiple integer overflows in the (1) v9fs_xattr_read and (2) v9fs_xattr_write functions in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via a crafted offset, which triggers an out-of-bounds access.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1)
bullseye: resolved (fixed in 1:2.
debian
CVE-2016-9846 | MEDIUM | CVSS 6.5 | fixed in qemu 1:2.8+dfsg-1 (bookworm) | 2016
QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while updating the cursor data in update_cursor_data_virgl. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1)
bullseye: resolved (fixed
debian
CVE-2016-10155 | LOW | CVSS 6.0 | fixed in qemu 1:2.8+dfsg-2 (bookworm) | 2016
CVE-2016-10155 [MEDIUM] CVE-2016-10155: qemu - Memory leak in hw/watchdog/wdt_i6300esb.c in QEMU (aka Quick Emulator) allows lo...
Memory leak in hw/watchdog/wdt_i6300esb.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-2)
bullseye: resolved (fixed in 1:2.8+dfsg-2)
forky: resolved (fixed in 1:2.8+df
debian
CVE-2016-9908 | LOW | CVSS 3.3 | fixed in qemu 1:2.8+dfsg-1 (bookworm) | 2016
Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET' command. A guest user/process could use this flaw to leak contents of the host memory bytes.
Scope: local
bookworm: resolved (fixed in 1:2.8+dfsg-1)
bullseye: resolved (fixed in 1:2.8+dfsg-1)
for
debian
CVE-2016-10028 | LOW | CVSS 5.5 | fixed in qemu 1:2.10.0-1 (bookworm) | 2016
CVE-2016-10028 [MEDIUM] CVE-2016-10028: qemu - The virgl_cmd_get_capset function in hw/display/virtio-gpu-3d.c in QEMU (aka Qui...
The virgl_cmd_get_capset function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) built with Virtio GPU Device emulator support allows local guest OS users to cause a denial of service (out-of-bounds read and process crash) via a VIRTIO_GPU_CMD_GET_CAPSET command with a maximum capabilities size with a value of 0.
Scope: local
bookworm: resolved (fixed in
debian
CVE-2016-9637 | LOW | CVSS 7.5 | fixed in xen 4.4.0-1 (bookworm) | 2016
CVE-2016-9637 [HIGH] CVE-2016-9637: qemu - The (1) ioport_read and (2) ioport_write functions in Xen, when qemu is used as ...
The (1) ioport_read and (2) ioport_write functions in Xen, when qemu is used as a device model within Xen, might allow local x86 HVM guest OS administrators to gain qemu process privileges via vectors involving an out-of-range ioport access.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
debian
CVE-2015-5165 | CRITICAL | CVSS 9.3 | fixed in qemu 1:2.4+dfsg-1a (bookworm) | 2015
The C+ mode offload emulation in the RTL8139 network card device model in QEMU, as used in Xen 4.5.x and earlier, allows remote attackers to read process heap memory via unspecified vectors.
Scope: local
bookworm: resolved (fixed in 1:2.4+dfsg-1a)
bullseye: resolved (fixed in 1:2.4+dfsg-1a)
forky: resolved (fixed in 1:2.4+dfsg-1a)
sid: resolved (fixed in 1:2.4+dfsg-1
debian
CVE-2015-7512 | CRITICAL | CVSS 9.0 | fixed in qemu 1:2.5+dfsg-1 (bookworm) | 2015
Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU, when a guest NIC has a larger MTU, allows remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet.
Scope: local
bookworm: resolved (fixed in 1:2.5+dfsg-1)
bullseye: resolved (fixed in 1:2.5+dfsg-1)
forky: resolved (fixed in 1:2.5+dfsg-1)
sid: r
debian
CVE-2015-3456 | HIGH | CVSS 7.7 | PoC | fixed in qemu 1:2.3+dfsg-3 (bookworm) | 2015
The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM.
Scope: local
bookworm: resolved (fixed in 1:2.3+dfsg
debian
CVE-2015-5154 | HIGH | CVSS 7.2 | fixed in qemu 1:2.4+dfsg-1a (bookworm) | 2015
Heap-based buffer overflow in the IDE subsystem in QEMU, as used in Xen 4.5.x and earlier, when the container has a CDROM drive enabled, allows local guest users to execute arbitrary code on the host via unspecified ATAPI commands.
Scope: local
bookworm: resolved (fixed in 1:2.4+dfsg-1a)
bullseye: resolved (fixed in 1:2.4+dfsg-1a)
forky: resolved (fixed in 1:2.4+dfsg-1a)
debian
CVE-2015-8743 | HIGH | CVSS 7.1 | fixed in qemu 1:2.5+dfsg-2 (bookworm) | 2015
QEMU (aka Quick Emulator) built with the NE2000 device emulation support is vulnerable to an OOB r/w access issue. It could occur while performing 'ioport' r/w operations. A privileged (CAP_SYS_RAWIO) user/process could use this flaw to leak or corrupt QEMU memory bytes.
Scope: local
bookworm: resolved (fixed in 1:2.5+dfsg-2)
bullseye: resolved (fixed in 1:2.5+dfsg-2)
fo
debian
CVE-2015-3209 | HIGH | CVSS 7.5 | fixed in qemu 1:2.3+dfsg-6 (bookworm) | 2015
Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set.
Scope: local
bookworm: resolved (fixed in 1:2.3+dfsg-6)
bullseye: resolved (fixed in 1:2.3+dfsg-6)
forky: resolved (fixed in 1:2.3+dfsg-6)
sid: resolved (fixe
debian