Debian Qemu vulnerabilities

CVE-2013-6399 [HIGH] CVE-2013-6399: qemu - Array index error in the virtio_load function in hw/virtio/virtio.c in QEMU befo... Array index error in the virtio_load function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image. Scope: local bookworm: resolved (fixed in 2.1+dfsg-1) bullseye: resolved (fixed in 2.1+dfsg-1) forky: resolved (fixed in 2.1+dfsg-1) sid: resolved (fixed in 2.1+dfsg-1) trixie: resolved (fixed in 2.1+dfsg-1

CVE-2013-4527 [HIGH] CVE-2013-4527: qemu - Buffer overflow in hw/timer/hpet.c in QEMU before 1.7.2 might allow remote attac... Buffer overflow in hw/timer/hpet.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via vectors related to the number of timers. Scope: local bookworm: resolved (fixed in 2.1+dfsg-1) bullseye: resolved (fixed in 2.1+dfsg-1) forky: resolved (fixed in 2.1+dfsg-1) sid: resolved (fixed in 2.1+dfsg-1) trixie: resolved (fixed in 2.1+dfsg-1)

CVE-2013-4529 [HIGH] CVE-2013-4529: qemu - Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attacker... Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image. Scope: local bookworm: resolved (fixed in 2.1+dfsg-1) bullseye: resolved (fixed in 2.1+dfsg-1) forky: resolved (fixed in 2.1+dfsg-1) sid: resolved (fixed in 2.1+dfsg-1) trixie: reso

CVE-2013-4534 [HIGH] CVE-2013-4534: qemu - Buffer overflow in hw/intc/openpic.c in QEMU before 1.7.2 allows remote attacker... Buffer overflow in hw/intc/openpic.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via vectors related to IRQDest elements. Scope: local bookworm: resolved (fixed in 2.1+dfsg-1) bullseye: resolved (fixed in 2.1+dfsg-1) forky: resolved (fixed in 2.1+dfsg-1) sid: resolved (fixed in 2.1+dfsg-1) trixie: resolved

CVE-2013-2007 [MEDIUM] CVE-2013-2007: qemu - The qemu guest agent in Qemu 1.4.1 and earlier, as used by Xen, when started in ... The qemu guest agent in Qemu 1.4.1 and earlier, as used by Xen, when started in daemon mode, uses weak permissions for certain files, which allows local users to read and write to these files. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2013-4540 [HIGH] CVE-2013-4540: qemu - Buffer overflow in scoop_gpio_handler_update in QEMU before 1.7.2 might allow re... Buffer overflow in scoop_gpio_handler_update in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a large (1) prev_level, (2) gpio_level, or (3) gpio_dir value in a savevm image. Scope: local bookworm: resolved (fixed in 2.1+dfsg-1) bullseye: resolved (fixed in 2.1+dfsg-1) forky: resolved (fixed in 2.1+dfsg-1) sid: resolved (fixed in 2.1+dfsg-1

CVE-2013-4526 [HIGH] CVE-2013-4526: qemu - Buffer overflow in hw/ide/ahci.c in QEMU before 1.7.2 allows remote attackers to... Buffer overflow in hw/ide/ahci.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via vectors related to migrating ports. Scope: local bookworm: resolved (fixed in 2.1+dfsg-1) bullseye: resolved (fixed in 2.1+dfsg-1) forky: resolved (fixed in 2.1+dfsg-1) sid: resolved (fixed in 2.1+dfsg-1) trixie: resolved (fix

CVE-2013-4344 [HIGH] CVE-2013-4344: qemu - Buffer overflow in the SCSI implementation in QEMU, as used in Xen, when a SCSI ... Buffer overflow in the SCSI implementation in QEMU, as used in Xen, when a SCSI controller has more than 256 attached devices, allows local users to gain privileges via a small transfer buffer in a REPORT LUNS command. Scope: local bookworm: resolved (fixed in 1.6.0+dfsg-2) bullseye: resolved (fixed in 1.6.0+dfsg-2) forky: resolved (fixed in 1.6.0+dfsg-2) sid: resolved (

CVE-2013-4541 [HIGH] CVE-2013-4541: qemu - The usb_device_post_load function in hw/usb/bus.c in QEMU before 1.7.2 might all... The usb_device_post_load function in hw/usb/bus.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted savevm image, related to a negative setup_len or setup_index value. Scope: local bookworm: resolved (fixed in 2.1+dfsg-1) bullseye: resolved (fixed in 2.1+dfsg-1) forky: resolved (fixed in 2.1+dfsg-1) sid: resolved (fixed in 2.1+dfsg

CVE-2013-1922 [MEDIUM] CVE-2013-1922: qemu - qemu-nbd in QEMU, as used in Xen 4.2.x, determines the format of a raw disk imag... qemu-nbd in QEMU, as used in Xen 4.2.x, determines the format of a raw disk image based on the header, which allows local guest OS administrators to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted, a different vulnerability than CVE-2008-2004. Scope: local bookworm: resolved (fixed in 1.

CVE-2013-4532 [HIGH] CVE-2013-4532: qemu - Qemu 1.1.2+dfsg to 2.1+dfsg suffers from a buffer overrun which could potentiall... Qemu 1.1.2+dfsg to 2.1+dfsg suffers from a buffer overrun which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. Scope: local bookworm: resolved (fixed in 2.1+dfsg-1) bullseye: resolved (fixed in 2.1+dfsg-1) forky: resolved (fixed in 2.1+dfsg-1) sid: resolved (fixed in 2.1+dfsg-1) trixie: resolved (fixed in 2.1+dfs

CVE-2013-4148 [HIGH] CVE-2013-4148: qemu - Integer signedness error in the virtio_net_load function in hw/net/virtio-net.c ... Integer signedness error in the virtio_net_load function in hw/net/virtio-net.c in QEMU 1.x before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image, which triggers a buffer overflow. Scope: local bookworm: resolved (fixed in 2.1+dfsg-1) bullseye: resolved (fixed in 2.1+dfsg-1) forky: resolved (fixed in 2.1+dfsg-1) sid: resolved (fixed in

CVE-2013-4150 [HIGH] CVE-2013-4150: qemu - The virtio_net_load function in hw/net/virtio-net.c in QEMU 1.5.0 through 1.7.x ... The virtio_net_load function in hw/net/virtio-net.c in QEMU 1.5.0 through 1.7.x before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via vectors in which the value of curr_queues is greater than max_queues, which triggers an out-of-bounds write. Scope: local bookworm: resolved (fixed in 2.1+dfsg-1) bullseye: resolved (fixed

CVE-2013-4149 [HIGH] CVE-2013-4149: qemu - Buffer overflow in virtio_net_load function in net/virtio-net.c in QEMU 1.3.0 th... Buffer overflow in virtio_net_load function in net/virtio-net.c in QEMU 1.3.0 through 1.7.x before 1.7.2 might allow remote attackers to execute arbitrary code via a large MAC table. Scope: local bookworm: resolved (fixed in 2.1+dfsg-1) bullseye: resolved (fixed in 2.1+dfsg-1) forky: resolved (fixed in 2.1+dfsg-1) sid: resolved (fixed in 2.1+dfsg-1) trixie: resolved (fix

CVE-2013-4536 [HIGH] CVE-2013-4536: qemu - An user able to alter the savevm data (either on the disk or over the wire durin... An user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. Scope: local bookworm: resolved (fixed in 2.1+dfsg-1) bullseye: resolved (fixed in 2.1+

CVE-2013-4377 [LOW] CVE-2013-4377: qemu - Use-after-free vulnerability in the virtio-pci implementation in Qemu 1.4.0 thro... Use-after-free vulnerability in the virtio-pci implementation in Qemu 1.4.0 through 1.6.0 allows local users to cause a denial of service (daemon crash) by "hot-unplugging" a virtio device. Scope: local bookworm: resolved (fixed in 1.7.0+dfsg-4) bullseye: resolved (fixed in 1.7.0+dfsg-4) forky: resolved (fixed in 1.7.0+dfsg-4) sid: resolved (fixed in 1.7.0+dfsg-4) trixie:

CVE-2013-4531 [HIGH] CVE-2013-4531: qemu - Buffer overflow in target-arm/machine.c in QEMU before 1.7.2 allows remote attac... Buffer overflow in target-arm/machine.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a negative value in cpreg_vmstate_array_len in a savevm image. Scope: local bookworm: resolved (fixed in 2.1+dfsg-1) bullseye: resolved (fixed in 2.1+dfsg-1) forky: resolved (fixed in 2.1+dfsg-1) sid: resolved (fixed in

CVE-2013-4375 [LOW] CVE-2013-4375: qemu - The qdisk PV disk backend in qemu-xen in Xen 4.2.x and 4.3.x before 4.3.1, and q... The qdisk PV disk backend in qemu-xen in Xen 4.2.x and 4.3.x before 4.3.1, and qemu 1.1 and other versions, allows local HVM guests to cause a denial of service (domain grant reference consumption) via unspecified vectors. Scope: local bookworm: resolved (fixed in 1.7.0+dfsg-1) bullseye: resolved (fixed in 1.7.0+dfsg-1) forky: resolved (fixed in 1.7.0+dfsg-1) sid: resolve

CVE-2013-4537 [HIGH] CVE-2013-4537: qemu - The ssi_sd_transfer function in hw/sd/ssi-sd.c in QEMU before 1.7.2 allows remot... The ssi_sd_transfer function in hw/sd/ssi-sd.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary code via a crafted arglen value in a savevm image. Scope: local bookworm: resolved (fixed in 2.1+dfsg-1) bullseye: resolved (fixed in 2.1+dfsg-1) forky: resolved (fixed in 2.1+dfsg-1) sid: resolved (fixed in 2.1+dfsg-1) trixie: resolved (fixed in 2.1+dfsg-1)

CVE-2013-4542 [HIGH] CVE-2013-4542: qemu - The virtio_scsi_load_request function in hw/scsi/scsi-bus.c in QEMU before 1.7.2... The virtio_scsi_load_request function in hw/scsi/scsi-bus.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted savevm image, which triggers an out-of-bounds array access. Scope: local bookworm: resolved (fixed in 2.1+dfsg-1) bullseye: resolved (fixed in 2.1+dfsg-1) forky: resolved (fixed in 2.1+dfsg-1) sid: resolved (fixed in 2.1+df