Debian Qemu vulnerabilities

446 known vulnerabilities affecting debian/qemu.

Total CVEs: 446
CISA KEV: 0
Public exploits: 10
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 87, MEDIUM 228, LOW 120, UNKNOWN 1

Vulnerabilities

Page 20 of 23
CVE-2014-0143 | HIGH | CVSS 7.0 | fixed in qemu 2.0.0+dfsg-1 (bookworm) | 2014
CVE-2014-0143 [HIGH] qemu - Multiple integer overflows in the block drivers in QEMU, possibly before 2.0.0, allow local users to cause a denial of service (crash) via a crafted catalog size in (1) the parallels_open function in block/parallels.c or (2) bochs_open function in bochs.c, a large L1 table in the (3) qcow2_snapshot_load_tmp in qcow2-snapshot.c or (4) qcow2_grow_l1_table function in qcow2
debian
CVE-2014-8106 | HIGH | CVSS 7.2 | fixed in qemu 2.1+dfsg-9 (bookworm) | 2014
CVE-2014-8106 [HIGH] qemu - Heap-based buffer overflow in the Cirrus VGA emulator (hw/display/cirrus_vga.c) in QEMU before 2.2.0 allows local guest users to execute arbitrary code via vectors related to blit regions. NOTE: this vulnerability exists because an incomplete fix for CVE-2007-1320. Scope: local bookworm: resolved (fixed in 2.1+dfsg-9) bullseye: resolved (fixed in 2.1+dfsg-9) forky: resol
debian
CVE-2014-3689 | HIGH | CVSS 7.2 | fixed in qemu 2.1+dfsg-6 (bookworm) | 2014
CVE-2014-3689 [HIGH] qemu - The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows local guest users to write to qemu memory locations and gain privileges via unspecified parameters related to rectangle handling. Scope: local bookworm: resolved (fixed in 2.1+dfsg-6) bullseye: resolved (fixed in 2.1+dfsg-6) forky: resolved (fixed in 2.1+dfsg-6) sid: resolved (fixed in 2.1+dfsg-6) trixie: res
debian
CVE-2014-3461 | MEDIUM | CVSS 6.8 | fixed in qemu 2.1+dfsg-1 (bookworm) | 2014
CVE-2014-3461 [MEDIUM] qemu - hw/usb/bus.c in QEMU 1.6.2 allows remote attackers to execute arbitrary code via crafted savevm data, which triggers a heap-based buffer overflow, related to "USB post load checks." Scope: local bookworm: resolved (fixed in 2.1+dfsg-1) bullseye: resolved (fixed in 2.1+dfsg-1) forky: resolved (fixed in 2.1+dfsg-1) sid: resolved (fixed in 2.1+dfsg-1) trixie: resolved (fi
debian
CVE-2014-0150 | MEDIUM | CVSS 4.9 | fixed in qemu 1.7.0+dfsg-8 (bookworm) | 2014
CVE-2014-0150 [MEDIUM] qemu - Integer overflow in the virtio_net_handle_mac function in hw/net/virtio-net.c in QEMU 2.0 and earlier allows local guest users to execute arbitrary code via a MAC addresses table update request, which triggers a heap-based buffer overflow. Scope: local bookworm: resolved (fixed in 1.7.0+dfsg-8) bullseye: resolved (fixed in 1.7.0+dfsg-8) forky: resolved (fixed in 1.7.0+
debian
CVE-2014-0223 | MEDIUM | CVSS 4.6 | fixed in qemu 2.0.0+dfsg-6 (bookworm) | 2014
CVE-2014-0223 [MEDIUM] qemu - Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a large image size, which triggers a buffer overflow or out-of-bounds read. Scope: local bookworm: resolved (fixed in 2.0.0+dfsg-6) bullseye: resolved (fixed in 2.0.0+dfsg-6) forky: resolved (fix
debian
CVE-2014-3471 | MEDIUM | CVSS 5.5 | fixed in qemu 2.1+dfsg-1 (bookworm) | 2014
CVE-2014-3471 [MEDIUM] qemu - Use-after-free vulnerability in hw/pci/pcie.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (QEMU instance crash) via hotplug and hotunplug operations of Virtio block devices. Scope: local bookworm: resolved (fixed in 2.1+dfsg-1) bullseye: resolved (fixed in 2.1+dfsg-1) forky: resolved (fixed in 2.1+dfsg-1) sid: resolved (fixed i
debian
CVE-2014-5263 | MEDIUM | CVSS 6.8 | fixed in qemu 2.1+dfsg-1 (bookworm) | 2014
CVE-2014-5263 [MEDIUM] qemu - vmstate_xhci_event in hw/usb/hcd-xhci.c in QEMU 1.6.0 does not terminate the list with the VMSTATE_END_OF_LIST macro, which allows attackers to cause a denial of service (out-of-bounds access, infinite loop, and memory corruption) and possibly gain privileges via unspecified vectors. Scope: local bookworm: resolved (fixed in 2.1+dfsg-1) bullseye: resolved (fixed in 2.1
debian
CVE-2014-0146 | MEDIUM | CVSS 5.5 | fixed in qemu 2.0.0+dfsg-1 (bookworm) | 2014
CVE-2014-0146 [MEDIUM] qemu - The qcow2_open function in the (block/qcow2.c) in QEMU before 1.7.2 and 2.x before 2.0.0 allows local users to cause a denial of service (NULL pointer dereference) via a crafted image which causes an error, related to the initialization of the snapshot_offset and nb_snapshots fields. Scope: local bookworm: resolved (fixed in 2.0.0+dfsg-1) bullseye: resolved (fixed in 2
debian
CVE-2014-0147 | MEDIUM | CVSS 6.2 | fixed in qemu 2.0.0+dfsg-1 (bookworm) | 2014
CVE-2014-0147 [MEDIUM] qemu - Qemu before 1.6.2 block driver for the various disk image formats used by Bochs and for the QCOW version 2 format, are vulnerable to a possible crash caused by signed data types or a logic error while creating QCOW2 snapshots, which leads to incorrectly calling update_refcount() routine. Scope: local bookworm: resolved (fixed in 2.0.0+dfsg-1) bullseye: resolved (fixed i
debian
CVE-2014-0148 | MEDIUM | CVSS 5.5 | fixed in qemu 2.0.0+dfsg-1 (bookworm) | 2014
CVE-2014-0148 [MEDIUM] qemu - Qemu before 2.0 block driver for Hyper-V VHDX Images is vulnerable to infinite loops and other potential issues when calculating BAT entries, due to missing bounds checks for block_size and logical_sector_size variables. These are used to derive other fields like 'sectors_per_block' etc. A user able to alter the Qemu disk image could use this flaw to crash the Qemu ins
debian
CVE-2014-7815 | MEDIUM | CVSS 5.0 | fixed in qemu 2.1+dfsg-7 (bookworm) | 2014
CVE-2014-7815 [MEDIUM] qemu - The set_pixel_format function in ui/vnc.c in QEMU allows remote attackers to cause a denial of service (crash) via a small bytes_per_pixel value. Scope: local bookworm: resolved (fixed in 2.1+dfsg-7) bullseye: resolved (fixed in 2.1+dfsg-7) forky: resolved (fixed in 2.1+dfsg-7) sid: resolved (fixed in 2.1+dfsg-7) trixie: resolved (fixed in 2.1+dfsg-7)
debian
CVE-2014-0142 | MEDIUM | CVSS 5.5 | fixed in qemu 2.0.0+dfsg-1 (bookworm) | 2014
CVE-2014-0142 [MEDIUM] qemu - QEMU, possibly before 2.0.0, allows local users to cause a denial of service (divide-by-zero error and crash) via a zero value in the (1) tracks field to the seek_to_sector function in block/parallels.c or (2) extent_size field in the bochs function in block/bochs.c. Scope: local bookworm: resolved (fixed in 2.0.0+dfsg-1) bullseye: resolved (fixed in 2.0.0+dfsg-1) fork
debian
CVE-2014-5388 | MEDIUM | CVSS 4.6 | fixed in qemu 2.1+dfsg-5 (bookworm) | 2014
CVE-2014-5388 [MEDIUM] qemu - Off-by-one error in the pci_read function in the ACPI PCI hotplug interface (hw/acpi/pcihp.c) in QEMU allows local guest users to obtain sensitive information and have other unspecified impact related to a crafted PCI device that triggers memory corruption. Scope: local bookworm: resolved (fixed in 2.1+dfsg-5) bullseye: resolved (fixed in 2.1+dfsg-5) forky: resolved (f
debian
CVE-2014-7840 | LOW | CVSS 7.5 | fixed in qemu 2.1+dfsg-8 (bookworm) | 2014
CVE-2014-7840 [HIGH] qemu - The host_from_stream_offset function in arch_init.c in QEMU, when loading RAM during migration, allows remote attackers to execute arbitrary code via a crafted (1) offset or (2) length value in savevm data. Scope: local bookworm: resolved (fixed in 2.1+dfsg-8) bullseye: resolved (fixed in 2.1+dfsg-8) forky: resolved (fixed in 2.1+dfsg-8) sid: resolved (fixed in 2.1+dfsg-
debian
CVE-2014-3615 | LOW | CVSS 2.1 | fixed in qemu 2.1+dfsg-5 (bookworm) | 2014
CVE-2014-3615 [LOW] qemu - The VGA emulator in QEMU allows local guest users to read host memory by setting the display to a high resolution. Scope: local bookworm: resolved (fixed in 2.1+dfsg-5) bullseye: resolved (fixed in 2.1+dfsg-5) forky: resolved (fixed in 2.1+dfsg-5) sid: resolved (fixed in 2.1+dfsg-5) trixie: resolved (fixed in 2.1+dfsg-5)
debian
CVE-2014-3640 | LOW | CVSS 2.1 | fixed in qemu 2.1+dfsg-5 (bookworm) | 2014
CVE-2014-3640 [LOW] qemu - The sosendto function in slirp/udp.c in QEMU before 2.1.2 allows local users to cause a denial of service (NULL pointer dereference) by sending a udp packet with a value of 0 in the source port and address, which triggers access of an uninitialized socket. Scope: local bookworm: resolved (fixed in 2.1+dfsg-5) bullseye: resolved (fixed in 2.1+dfsg-5) forky: resolved (fixed
debian
CVE-2014-9718 | LOW | CVSS 4.9 | fixed in qemu 1:2.3+dfsg-1 (bookworm) | 2014
CVE-2014-9718 [MEDIUM] qemu - The (1) BMDMA and (2) AHCI HBA interfaces in the IDE functionality in QEMU 1.0 through 2.1.3 have multiple interpretations of a function's return value, which allows guest OS users to cause a host OS denial of service (memory consumption or infinite loop, and system crash) via a PRDT with zero complete sectors, related to the bmdma_prepare_buf and ahci_dma_prepare_buf
debian
CVE-2013-2016 | HIGH | CVSS 7.8 | fixed in qemu 1.5.0+dfsg-1 (bookworm) | 2013
CVE-2013-2016 [HIGH] qemu - A flaw was found in the way qemu v1.3.0 and later (virtio-rng) validates addresses when guest accesses the config space of a virtio device. If the virtio device has zero/small sized config space, such as virtio-rng, a privileged guest user could use this flaw to access the matching host's qemu address space and thus increase their privileges on the host. Scope: local boo
debian
CVE-2013-4544 | MEDIUM | CVSS 4.9 | fixed in qemu 2.0.0+dfsg-1 (bookworm) | 2013
CVE-2013-4544 [MEDIUM] qemu - hw/net/vmxnet3.c in QEMU 2.0.0-rc0, 1.7.1, and earlier allows local guest users to cause a denial of service or possibly execute arbitrary code via vectors related to (1) RX or (2) TX queue numbers or (3) interrupt indices. NOTE: some of these details are obtained from third party information. Scope: local bookworm: resolved (fixed in 2.0.0+dfsg-1) bullseye: resolved (
debian