Debian Qemu vulnerabilities

446 known vulnerabilities affecting debian/qemu.

Total CVEs: 446
CISA KEV: 0
Public exploits: 10
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 87, MEDIUM 228, LOW 120, UNKNOWN 1

Vulnerabilities

Page 19 of 23
CVE-2015-8701 | MEDIUM | CVSS 6.5 | fixed in qemu 1:2.5+dfsg-3 (bookworm) | 2015
[MEDIUM] qemu - QEMU (aka Quick Emulator) built with the Rocker switch emulation support is vulnerable to an off-by-one error. It happens while processing transmit (tx) descriptors in 'tx_consume' routine, if a descriptor was to have more than allowed (ROCKER_TX_FRAGS_MAX=16) fragments. A privileged user inside guest could use this flaw to cause memory leakage on the host or crash the
debian
CVE-2015-5239 | MEDIUM | CVSS 6.5 | fixed in qemu 2.1+dfsg-1 (bookworm) | 2015
[MEDIUM] qemu - Integer overflow in the VNC display driver in QEMU before 2.1.0 allows attackers to cause a denial of service (process crash) via a CLIENT_CUT_TEXT message, which triggers an infinite loop.
Scope: local
bookworm: resolved (fixed in 2.1+dfsg-1) bullseye: resolved (fixed in 2.1+dfsg-1) forky: resolved (fixed in 2.1+dfsg-1) sid: resolved (fixed in 2.1+dfsg-1) trixie: reso
debian
CVE-2015-8345 | MEDIUM | CVSS 6.5 | fixed in qemu 1:2.5+dfsg-1 (bookworm) | 2015
[MEDIUM] qemu - The eepro100 emulator in QEMU qemu-kvm blank allows local guest users to cause a denial of service (application crash and infinite loop) via vectors involving the command block list.
Scope: local
bookworm: resolved (fixed in 1:2.5+dfsg-1) bullseye: resolved (fixed in 1:2.5+dfsg-1) forky: resolved (fixed in 1:2.5+dfsg-1) sid: resolved (fixed in 1:2.5+dfsg-1) trixie: res
debian
CVE-2015-8744 | MEDIUM | CVSS 5.5 | fixed in qemu 1:2.5+dfsg-1 (bookworm) | 2015
[MEDIUM] qemu - QEMU (aka Quick Emulator) built with a VMWARE VMXNET3 paravirtual NIC emulator support is vulnerable to crash issue. It occurs when a guest sends a Layer-2 packet smaller than 22 bytes. A privileged (CAP_SYS_RAWIO) guest user could use this flaw to crash the QEMU process instance resulting in DoS.
Scope: local
bookworm: resolved (fixed in 1:2.5+dfsg-1) bullseye: resolv
debian
CVE-2015-8568 | MEDIUM | CVSS 6.5 | fixed in qemu 1:2.5+dfsg-3 (bookworm) | 2015
[MEDIUM] qemu - Memory leak in QEMU, when built with a VMWARE VMXNET3 paravirtual NIC emulator support, allows local guest users to cause a denial of service (host memory consumption) by trying to activate the vmxnet3 device repeatedly.
Scope: local
bookworm: resolved (fixed in 1:2.5+dfsg-3) bullseye: resolved (fixed in 1:2.5+dfsg-3) forky: resolved (fixed in 1:2.5+dfsg-3) sid: resolv
debian
CVE-2015-8613 | MEDIUM | CVSS 6.5 | fixed in qemu 1:2.5+dfsg-3 (bookworm) | 2015
[MEDIUM] qemu - Stack-based buffer overflow in the megasas_ctrl_get_info function in QEMU, when built with SCSI MegaRAID SAS HBA emulation support, allows local guest users to cause a denial of service (QEMU instance crash) via a crafted SCSI controller CTRL_GET_INFO command.
Scope: local
bookworm: resolved (fixed in 1:2.5+dfsg-3) bullseye: resolved (fixed in 1:2.5+dfsg-3) forky: reso
debian
CVE-2015-8817 | MEDIUM | CVSS 5.5 | fixed in qemu 1:2.4+dfsg-1a (bookworm) | 2015
[MEDIUM] qemu - QEMU (aka Quick Emulator) built to use 'address_space_translate' to map an address to a MemoryRegionSection is vulnerable to an OOB r/w access issue. It could occur while doing pci_dma_read/write calls. Affects QEMU versions >= 1.6.0 and <= 2.3.1. A privileged user inside guest could use this flaw to crash the guest instance resulting in DoS.
Scope: local
bookworm: res
debian
CVE-2015-4106 | MEDIUM | CVSS 4.6 | fixed in qemu 1:2.3+dfsg-5 (bookworm) | 2015
[MEDIUM] qemu - QEMU does not properly restrict write access to the PCI config space for certain PCI pass-through devices, which might allow local x86 HVM guests to gain privileges, cause a denial of service (host crash), obtain sensitive information, or possibly have other unspecified impact via unknown vectors.
Scope: local
bookworm: resolved (fixed in 1:2.3+dfsg-5) bullseye: resolv
debian
CVE-2015-4105 | MEDIUM | CVSS 4.9 | fixed in qemu 1:2.3+dfsg-5 (bookworm) | 2015
[MEDIUM] qemu - Xen 3.3.x through 4.5.x enables logging for PCI MSI-X pass-through error messages, which allows local x86 HVM guests to cause a denial of service (host disk consumption) via certain invalid operations.
Scope: local
bookworm: resolved (fixed in 1:2.3+dfsg-5) bullseye: resolved (fixed in 1:2.3+dfsg-5) forky: resolved (fixed in 1:2.3+dfsg-5) sid: resolved (fixed in 1:2.3+
debian
CVE-2015-7295 | MEDIUM | CVSS 5.0 | fixed in qemu 1:2.4+dfsg-4 (bookworm) | 2015
[MEDIUM] qemu - hw/virtio/virtio.c in the Virtual Network Device (virtio-net) support in QEMU, when big or mergeable receive buffers are not supported, allows remote attackers to cause a denial of service (guest network consumption) via a flood of jumbo frames on the (1) tuntap or (2) macvtap interface.
Scope: local
bookworm: resolved (fixed in 1:2.4+dfsg-4) bullseye: resolved (fixed
debian
CVE-2015-5745 | MEDIUM | CVSS 6.5 | fixed in qemu 1:2.4+dfsg-1a (bookworm) | 2015
[MEDIUM] qemu - Buffer overflow in the send_control_msg function in hw/char/virtio-serial-bus.c in QEMU before 2.4.0 allows guest users to cause a denial of service (QEMU process crash) via a crafted virtio control message.
Scope: local
bookworm: resolved (fixed in 1:2.4+dfsg-1a) bullseye: resolved (fixed in 1:2.4+dfsg-1a) forky: resolved (fixed in 1:2.4+dfsg-1a) sid: resolved (fixed
debian
CVE-2015-6815 | LOW | CVSS 3.5 | fixed in qemu 1:2.4+dfsg-2 (bookworm) | 2015
[LOW] qemu - The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4.0.1 does not properly process transmit descriptor data when sending a network packet, which allows attackers to cause a denial of service (infinite loop and guest crash) via unspecified vectors.
Scope: local
bookworm: resolved (fixed in 1:2.4+dfsg-2) bullseye: resolved (fixed in 1:2.4+dfsg-2) forky: resolve
debian
CVE-2015-3214 | LOW | CVSS 6.9 | PoC | fixed in qemu 1:2.4+dfsg-1a (bookworm) | 2015
[MEDIUM] linux - The pit_ioport_read in i8254.c in the Linux kernel before 2.6.33 and QEMU before 2.3.1 does not distinguish between read lengths and write lengths, which might allow guest OS users to execute arbitrary code on the host OS by triggering use of an invalid index.
Scope: local
bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved
debian
CVE-2015-4037 | LOW | CVSS 1.9 | fixed in qemu 1:2.3+dfsg-5 (bookworm) | 2015
[LOW] qemu - The slirp_smb function in net/slirp.c in QEMU 2.3.0 and earlier creates temporary files with predictable names, which allows local users to cause a denial of service (instantiation failure) by creating /tmp/qemu-smb.*-* files before the program.
Scope: local
bookworm: resolved (fixed in 1:2.3+dfsg-5) bullseye: resolved (fixed in 1:2.3+dfsg-5) forky: resolved (fixed in 1:2
debian
CVE-2015-8556 | LOW | CVSS 10.0 | PoC | 2015
[CRITICAL] qemu - Local privilege escalation vulnerability in the Gentoo QEMU package before 2.5.0-r1.
Scope: local
bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved
debian
CVE-2014-0144 | HIGH | CVSS 8.6 | fixed in qemu 2.0.0+dfsg-1 (bookworm) | 2014
[HIGH] qemu - QEMU before 2.0.0 block drivers for CLOOP, QCOW2 version 2 and various other image formats are vulnerable to potential memory corruptions, integer/buffer overflows or crash caused by missing input validations which could allow a remote user to execute arbitrary code on the host with the privileges of the QEMU process.
Scope: local
bookworm: resolved (fixed in 2.0.0+dfsg-
debian
CVE-2014-0145 | HIGH | CVSS 7.8 | fixed in qemu 2.0.0+dfsg-1 (bookworm) | 2014
[HIGH] qemu - Multiple buffer overflows in QEMU before 1.7.2 and 2.x before 2.0.0, allow local users to cause a denial of service (crash) or possibly execute arbitrary code via a large (1) L1 table in the qcow2_snapshot_load_tmp in the QCOW 2 block driver (block/qcow2-snapshot.c) or (2) uncompressed chunk, (3) chunk length, or (4) number of sectors in the DMG block driver (block/dmg.c
debian
CVE-2014-0182 | HIGH | CVSS 7.5 | fixed in qemu 2.1+dfsg-1 (bookworm) | 2014
[HIGH] qemu - Heap-based buffer overflow in the virtio_load function in hw/virtio/virtio.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted config length in a savevm image.
Scope: local
bookworm: resolved (fixed in 2.1+dfsg-1) bullseye: resolved (fixed in 2.1+dfsg-1) forky: resolved (fixed in 2.1+dfsg-1) sid: resolved (fixed in 2.1+dfsg-1) trix
debian
CVE-2014-0222 | HIGH | CVSS 7.5 | fixed in qemu 2.0.0+dfsg-6 (bookworm) | 2014
[HIGH] qemu - Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image.
Scope: local
bookworm: resolved (fixed in 2.0.0+dfsg-6) bullseye: resolved (fixed in 2.0.0+dfsg-6) forky: resolved (fixed in 2.0.0+dfsg-6) sid: resolved (fixed in 2.0.0+dfsg-6) trixie:
debian
CVE-2014-2894 | HIGH | CVSS 7.2 | fixed in qemu 2.0.0+dfsg-1 (bookworm) | 2014
[HIGH] qemu - Off-by-one error in the cmd_smart function in the smart self test in hw/ide/core.c in QEMU before 2.0 allows local users to have unspecified impact via a SMART EXECUTE OFFLINE command that triggers a buffer underflow and memory corruption.
Scope: local
bookworm: resolved (fixed in 2.0.0+dfsg-1) bullseye: resolved (fixed in 2.0.0+dfsg-1) forky: resolved (fixed in 2.0.0+df
debian