Debian Qemu vulnerabilities
446 known vulnerabilities affecting debian/qemu.
Total CVEs: 446
CISA KEV: 0
Public exploits: 10
Exploited in wild: 0
Severity breakdown
CRITICAL: 10 | HIGH: 87 | MEDIUM: 228 | LOW: 120 | UNKNOWN: 1
Vulnerabilities
CVE-2013-4533 | LOW | CVSS 7.5 | fixed in qemu 2.1+dfsg-1 (bookworm) | 2013
CVE-2013-4533 [HIGH] CVE-2013-4533: qemu - Buffer overflow in the pxa2xx_ssp_load function in hw/arm/pxa2xx.c in QEMU befor...
Buffer overflow in the pxa2xx_ssp_load function in hw/arm/pxa2xx.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted s->rx_level value in a savevm image.
Scope: local
bookworm: resolved (fixed in 2.1+dfsg-1)
bullseye: resolved (fixed in 2.1+dfsg-1)
forky: resolved (fixed in 2.1+dfsg-1)
sid: resolved
debian
CVE-2013-4538 | LOW | CVSS 7.5 | fixed in qemu 2.1+dfsg-1 (bookworm) | 2013
CVE-2013-4538 [HIGH] CVE-2013-4538: qemu - Multiple buffer overflows in the ssd0323_load function in hw/display/ssd0323.c i...
Multiple buffer overflows in the ssd0323_load function in hw/display/ssd0323.c in QEMU before 1.7.2 allow remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via crafted (1) cmd_len, (2) row, or (3) col values; (4) row_start and row_end values; or (5) col_start and col_end values in a savevm image.
Scope: local
bookworm: re
debian
CVE-2013-4539 | LOW | CVSS 7.5 | fixed in qemu 2.1+dfsg-1 (bookworm) | 2013
CVE-2013-4539 [HIGH] CVE-2013-4539: qemu - Multiple buffer overflows in the tsc210x_load function in hw/input/tsc210x.c in ...
Multiple buffer overflows in the tsc210x_load function in hw/input/tsc210x.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted (1) precision, (2) nextprecision, (3) function, or (4) nextfunction value in a savevm image.
Scope: local
bookworm: resolved (fixed in 2.1+dfsg-1)
bullseye: resolved (fixed in 2.1+dfsg-1)
forky: resolved (f
debian
CVE-2013-4151 | LOW | CVSS 7.5 | fixed in qemu 2.1+dfsg-1 (bookworm) | 2013
CVE-2013-4151 [HIGH] CVE-2013-4151: qemu - The virtio_load function in virtio/virtio.c in QEMU 1.x before 1.7.2 allows remo...
The virtio_load function in virtio/virtio.c in QEMU 1.x before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image, which triggers an out-of-bounds write.
Scope: local
bookworm: resolved (fixed in 2.1+dfsg-1)
bullseye: resolved (fixed in 2.1+dfsg-1)
forky: resolved (fixed in 2.1+dfsg-1)
sid: resolved (fixed in 2.1+dfsg-1)
trixie: resolved (
debian
CVE-2013-4535 | LOW | CVSS 8.8 | fixed in qemu 2.1+dfsg-1 (bookworm) | 2013
CVE-2013-4535 [HIGH] CVE-2013-4535: qemu - The virtqueue_map_sg function in hw/virtio/virtio.c in QEMU before 1.7.2 allows ...
The virtqueue_map_sg function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary files via a crafted savevm image, related to virtio-block or virtio-serial read.
Scope: local
bookworm: resolved (fixed in 2.1+dfsg-1)
bullseye: resolved (fixed in 2.1+dfsg-1)
forky: resolved (fixed in 2.1+dfsg-1)
sid: resolved (fixed in 2.1+dfsg-1)
trixi
debian
CVE-2013-2231 | LOW | CVSS 7.2 | 2013
CVE-2013-2231 [HIGH] CVE-2013-2231: qemu - Unquoted Windows search path vulnerability in the QEMU Guest Agent service for R...
Unquoted Windows search path vulnerability in the QEMU Guest Agent service for Red Hat Enterprise Linux Desktop 6, HPC Node 6, Server 6, Workstation 6, Desktop Supplementary 6, Server Supplementary 6, Supplementary AUS 6.4, Supplementary EUS 6.4.z, and Workstation Supplementary 6, when installing on Windows, allows local users to gain privileges via a crafted program in
debian
CVE-2013-4530 | LOW | CVSS 7.5 | fixed in qemu 2.1+dfsg-1 (bookworm) | 2013
CVE-2013-4530 [HIGH] CVE-2013-4530: qemu - Buffer overflow in hw/ssi/pl022.c in QEMU before 1.7.2 allows remote attackers t...
Buffer overflow in hw/ssi/pl022.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted tx_fifo_head and rx_fifo_head values in a savevm image.
Scope: local
bookworm: resolved (fixed in 2.1+dfsg-1)
bullseye: resolved (fixed in 2.1+dfsg-1)
forky: resolved (fixed in 2.1+dfsg-1)
sid: resolved (fixed in 2.1+d
debian
CVE-2012-6075 | CRITICAL | CVSS 9.3 | fixed in qemu 1.1.2+dfsg-4 (bookworm) | 2012
CVE-2012-6075 [CRITICAL] CVE-2012-6075: qemu - Buffer overflow in the e1000_receive function in the e1000 device driver (hw/e10...
Buffer overflow in the e1000_receive function in the e1000 device driver (hw/e1000.c) in QEMU 1.3.0-rc2 and other versions, when the SBP and LPE flags are disabled, allows remote attackers to cause a denial of service (guest OS crash) and possibly execute arbitrary guest code via a large packet.
Scope: local
bookworm: resolved (fixed in 1.1.2+dfsg-4)
bullseye: resolv
debian
CVE-2012-3515 | HIGH | CVSS 7.2 | fixed in qemu 1.1.2+dfsg-1 (bookworm) | 2012
CVE-2012-3515 [HIGH] CVE-2012-3515: qemu - Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating certai...
Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating certain devices with a virtual console backend, allows local OS guest users to gain privileges via a crafted escape VT100 sequence that triggers the overwrite of a "device model's address space."
Scope: local
bookworm: resolved (fixed in 1.1.2+dfsg-1)
bullseye: resolved (fixed in 1.1.2+dfsg-1)
fork
debian
CVE-2012-2652 | MEDIUM | CVSS 4.4 | fixed in qemu 1.1.0+dfsg-1 (bookworm) | 2012
CVE-2012-2652 [MEDIUM] CVE-2012-2652: qemu - The bdrv_open function in Qemu 1.0 does not properly handle the failure of the m...
The bdrv_open function in Qemu 1.0 does not properly handle the failure of the mkstemp function, when in snapshot mode, which allows local users to overwrite or read arbitrary files via a symlink attack on an unspecified temporary file.
Scope: local
bookworm: resolved (fixed in 1.1.0+dfsg-1)
bullseye: resolved (fixed in 1.1.0+dfsg-1)
forky: resolved (fixed in 1.1.0+dfs
debian
CVE-2011-4111 | MEDIUM | CVSS 6.8 | fixed in qemu 0.15.1+dfsg-2 (bookworm) | 2011
CVE-2011-4111 [MEDIUM] CVE-2011-4111: qemu - Buffer overflow in the ccid_card_vscard_handle_message function in hw/ccid-card-...
Buffer overflow in the ccid_card_vscard_handle_message function in hw/ccid-card-passthru.c in QEMU before 0.15.2 and 1.x before 1.0-rc4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted VSC_ATR message.
Scope: local
bookworm: resolved (fixed in 0.15.1+dfsg-2)
bullseye: resolved (fixed in 0.15.1+dfsg-2)
forky:
debian
CVE-2009-3616 | MEDIUM | CVSS 9.9 | fixed in qemu 0.11.0-1 (bookworm) | 2009
CVE-2009-3616 [CRITICAL] CVE-2009-3616: qemu - Multiple use-after-free vulnerabilities in vnc.c in the VNC server in QEMU 0.10....
Multiple use-after-free vulnerabilities in vnc.c in the VNC server in QEMU 0.10.6 and earlier might allow guest OS users to execute arbitrary code on the host OS by establishing a connection from a VNC client and then (1) disconnecting during data transfer, (2) sending a message using incorrect integer data types, or (3) using the Fuzzy Screen Mode protocol, related
debian
CVE-2008-2382 | MEDIUM | CVSS 5.0 | PoC | fixed in qemu 0.9.1-9 (bookworm) | 2008
CVE-2008-2382 [MEDIUM] CVE-2008-2382: qemu - The protocol_client_msg function in vnc.c in the VNC server in (1) Qemu 0.9.1 an...
The protocol_client_msg function in vnc.c in the VNC server in (1) Qemu 0.9.1 and earlier and (2) KVM kvm-79 and earlier allows remote attackers to cause a denial of service (infinite loop) via a certain message.
Scope: local
bookworm: resolved (fixed in 0.9.1-9)
bullseye: resolved (fixed in 0.9.1-9)
forky: resolved (fixed in 0.9.1-9)
sid: resolved (fixed in 0.9.1-9)
t
debian
CVE-2008-2004 | MEDIUM | CVSS 4.9 | fixed in qemu 0.9.1-5 (bookworm) | 2008
CVE-2008-2004 [MEDIUM] CVE-2008-2004: qemu - The drive_init function in QEMU 0.9.1 determines the format of a raw disk image ...
The drive_init function in QEMU 0.9.1 determines the format of a raw disk image based on the header, which allows local guest users to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted.
Scope: local
bookworm: resolved (fixed in 0.9.1-5)
bullseye: resolved (fixed in 0.9.1-5)
forky: resolved
debian
CVE-2008-4539 | LOW | CVSS 7.2 | fixed in qemu 0.9.1+svn20081101-1 (bookworm) | 2008
CVE-2008-4539 [HIGH] CVE-2008-4539: qemu - Heap-based buffer overflow in the Cirrus VGA implementation in (1) KVM before kv...
Heap-based buffer overflow in the Cirrus VGA implementation in (1) KVM before kvm-82 and (2) QEMU on Debian GNU/Linux and Ubuntu might allow local users to gain privileges by using the VNC console for a connection, aka the LGD-54XX "bitblt" heap overflow. NOTE: this issue exists because of an incorrect fix for CVE-2007-1320.
Scope: local
bookworm: resolved (fixed in 0.9.
debian
CVE-2008-0928 | LOW | CVSS 4.7 | fixed in qemu 0.9.1+svn20081207-1 (bookworm) | 2008
CVE-2008-0928 [MEDIUM] CVE-2008-0928: qemu - Qemu 0.9.1 and earlier does not perform range checks for block device read or wr...
Qemu 0.9.1 and earlier does not perform range checks for block device read or write requests, which allows guest host users with root privileges to access arbitrary memory and escape the virtual machine.
Scope: local
bookworm: resolved (fixed in 0.9.1+svn20081207-1)
bullseye: resolved (fixed in 0.9.1+svn20081207-1)
forky: resolved (fixed in 0.9.1+svn20081207-1)
sid: re
debian
CVE-2008-1945 | LOW | CVSS 2.1 | fixed in qemu 0.9.1-5 (bookworm) | 2008
CVE-2008-1945 [LOW] CVE-2008-1945: qemu - QEMU 0.9.0 does not properly handle changes to removable media, which allows gue...
QEMU 0.9.0 does not properly handle changes to removable media, which allows guest OS users to read arbitrary files on the host OS by using the diskformat: parameter in the -usbdevice option to modify the disk-image header to identify a different format, a related issue to CVE-2008-2004.
Scope: local
bookworm: resolved (fixed in 0.9.1-5)
bullseye: resolved (fixed in 0.9.1
debian
CVE-2008-4553 | LOW | CVSS 7.2 | fixed in qemu 0.9.1-6 (bookworm) | 2008
CVE-2008-4553 [HIGH] CVE-2008-4553: qemu - qemu-make-debian-root in qemu 0.9.1-5 on Debian GNU/Linux allows local users to ...
qemu-make-debian-root in qemu 0.9.1-5 on Debian GNU/Linux allows local users to overwrite arbitrary files via a symlink attack on temporary files and directories.
Scope: local
bookworm: resolved (fixed in 0.9.1-6)
bullseye: resolved (fixed in 0.9.1-6)
forky: resolved (fixed in 0.9.1-6)
sid: resolved (fixed in 0.9.1-6)
trixie: resolved (fixed in 0.9.1-6)
debian
CVE-2008-5714 | LOW | CVSS 7.8 | fixed in qemu 0.9.1-10 (bookworm) | 2008
CVE-2008-5714 [HIGH] CVE-2008-5714: qemu - Off-by-one error in monitor.c in Qemu 0.9.1 might make it easier for remote atta...
Off-by-one error in monitor.c in Qemu 0.9.1 might make it easier for remote attackers to guess the VNC password, which is limited to seven characters where eight was intended.
Scope: local
bookworm: resolved (fixed in 0.9.1-10)
bullseye: resolved (fixed in 0.9.1-10)
forky: resolved (fixed in 0.9.1-10)
sid: resolved (fixed in 0.9.1-10)
trixie: resolved (fixed in 0.9.1-10)
debian
CVE-2007-1321 | HIGH | CVSS 7.2 | fixed in qemu 0.9.0-2 (bookworm) | 2007
CVE-2007-1321 [HIGH] CVE-2007-1321: qemu - Integer signedness error in the NE2000 emulator in QEMU 0.8.2, as used in Xen an...
Integer signedness error in the NE2000 emulator in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to trigger a heap-based buffer overflow via certain register values that bypass sanity checks, aka QEMU NE2000 "receive" integer signedness error. NOTE: this identifier was inadvertently used by some sources to cover multiple issues that were labe
debian