Debian Qemu vulnerabilities
446 known vulnerabilities affecting debian/qemu.
Total CVEs: 446
CISA KEV: 0
Public exploits: 10
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 87, MEDIUM 228, LOW 120, UNKNOWN 1
Vulnerabilities
Page 6 of 23
CVE-2020-35506 | qemu | MEDIUM | CVSS 6.7 | fixed in qemu 1:6.0+dfsg-3 (bookworm) | 2020
A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0 during the handling of the 'Information Transfer' command (CMD_TI). This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU proces
debian
CVE-2020-10702 | qemu | MEDIUM | CVSS 5.5 | fixed in qemu 1:4.2-5 (bookworm) | 2020
A flaw was found in QEMU in the implementation of the Pointer Authentication (PAuth) support for ARM introduced in version 4.0 and fixed in version 5.0.0. A general failure of the signature generation process caused every PAuth-enforced pointer to be signed with the same signature. A local attacker could obtain the signature of a protected pointer and abuse this flaw
debian
CVE-2020-13800 | qemu | MEDIUM | CVSS 6.0 | fixed in qemu 1:5.0-6 (bookworm) | 2020
ati-vga in hw/display/ati.c in QEMU 4.2.0 allows guest OS users to trigger infinite recursion via a crafted mm_index value during an ati_mm_read or ati_mm_write call.
Scope: local
bookworm: resolved (fixed in 1:5.0-6)
bullseye: resolved (fixed in 1:5.0-6)
forky: resolved (fixed in 1:5.0-6)
sid: resolved (fixed in 1:5.0-6)
trixie: resolved (fixed in 1:5.0-6)
debian
CVE-2020-27617 | qemu | MEDIUM | CVSS 6.5 | fixed in qemu 1:5.2+dfsg-1 (bookworm) | 2020
eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest can crash the QEMU process via packet data that lacks a valid Layer 3 protocol.
Scope: local
bookworm: resolved (fixed in 1:5.2+dfsg-1)
bullseye: resolved (fixed in 1:5.2+dfsg-1)
forky: resolved (fixed in 1:5.2+dfsg-1)
sid: resolved (fixed in 1:5.2+dfsg-1)
trixi
debian
CVE-2020-8608 | libslirp | MEDIUM | CVSS 5.6 | fixed in libslirp 4.2.0-1 (bookworm) | 2020
In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer overflow in later code.
Scope: local
bookworm: resolved (fixed in 4.2.0-1)
bullseye: resolved (fixed in 4.2.0-1)
forky: resolved (fixed in 4.2.0-1)
sid: resolved (fixed in 4.2.0-1)
trixie: resolved (fixed in 4.2.0-1)
debian
CVE-2020-10756 | libslirp | MEDIUM | CVSS 6.5 | fixed in libslirp 4.3.1-1 (bookworm) | 2020
An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known as ping. This flaw allows a malicious guest to leak the contents of the host memory, resulting in possible information disclosure. This flaw affects ver
debian
CVE-2020-10761 | qemu | MEDIUM | CVSS 5.0 | fixed in qemu 1:5.0-6 (bookworm) | 2020
An assertion failure issue was found in the Network Block Device (NBD) Server in all QEMU versions before QEMU 5.0.1. This flaw occurs when an nbd-client sends a spec-compliant request that is near the boundary of maximum permitted request length. A remote nbd-client could use this flaw to crash the qemu-nbd server resulting in a denial of service.
Scope: local
bookwo
debian
CVE-2020-25085 | qemu | MEDIUM | CVSS 5.0 | fixed in qemu 1:5.2+dfsg-1 (bookworm) | 2020
QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c mishandles a write operation in the SDHC_BLKSIZE case.
Scope: local
bookworm: resolved (fixed in 1:5.2+dfsg-1)
bullseye: resolved (fixed in 1:5.2+dfsg-1)
forky: resolved (fixed in 1:5.2+dfsg-1)
sid: resolved (fixed in 1:5.2+dfsg-1)
trixie: resolved (fixed in 1:5.2+df
debian
CVE-2020-25624 | qemu | MEDIUM | CVSS 5.0 | fixed in qemu 1:5.2+dfsg-1 (bookworm) | 2020
hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host controller driver.
Scope: local
bookworm: resolved (fixed in 1:5.2+dfsg-1)
bullseye: resolved (fixed in 1:5.2+dfsg-1)
forky: resolved (fixed in 1:5.2+dfsg-1)
sid: resolved (fixed in 1:5.2+dfsg-1)
trixie: resolved (fixed in 1:5.2+dfsg-1)
debian
CVE-2020-13791 | qemu | MEDIUM | CVSS 5.5 | fixed in qemu 1:5.0-6 (bookworm) | 2020
hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access by providing an address near the end of the PCI configuration space.
Scope: local
bookworm: resolved (fixed in 1:5.0-6)
bullseye: resolved (fixed in 1:5.0-6)
forky: resolved (fixed in 1:5.0-6)
sid: resolved (fixed in 1:5.0-6)
trixie: resolved (fixed in 1:5.0-6)
debian
CVE-2020-13754 | qemu | MEDIUM | CVSS 6.7 | fixed in qemu 1:5.0-6 (bookworm) | 2020
hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation.
Scope: local
bookworm: resolved (fixed in 1:5.0-6)
bullseye: resolved (fixed in 1:5.0-6)
forky: resolved (fixed in 1:5.0-6)
sid: resolved (fixed in 1:5.0-6)
trixie: resolved (fixed in 1:5.0-6)
debian
CVE-2020-13253 | qemu | MEDIUM | CVSS 5.5 | fixed in qemu 1:5.0-8 (bookworm) | 2020
sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process.
Scope: local
bookworm: resolved (fixed in 1:5.0-8)
bullseye: resolved (fixed in 1:5.0-8)
forky: resolved (fixed in 1:5.0-8)
sid: resolved (fixed in 1:5.0-8)
trixie: resolved (fixed in 1:5
debian
CVE-2020-35504 | qemu | MEDIUM | CVSS 6.0 | fixed in qemu 1:6.0+dfsg-3 (bookworm) | 2020
A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Scope: local
bookworm: resolved (fixed in 1:6.0+dfsg-3)
bullseye: open
forky: r
debian
CVE-2020-27616 | qemu | MEDIUM | CVSS 6.5 | fixed in qemu 1:5.2+dfsg-1 (bookworm) | 2020
ati_2d_blt in hw/display/ati_2d.c in QEMU 4.2.1 can encounter an outside-limits situation in a calculation. A guest can crash the QEMU process.
Scope: local
bookworm: resolved (fixed in 1:5.2+dfsg-1)
bullseye: resolved (fixed in 1:5.2+dfsg-1)
forky: resolved (fixed in 1:5.2+dfsg-1)
sid: resolved (fixed in 1:5.2+dfsg-1)
trixie: resolved (fixed in 1:5.2+dfsg-1)
debian
CVE-2020-15863 | qemu | MEDIUM | CVSS 5.3 | fixed in qemu 1:5.0-12 (bookworm) | 2020
hw/net/xgmac.c in the XGMAC Ethernet controller in QEMU before 07-20-2020 has a buffer overflow. This occurs during packet transmission and affects the highbank and midway emulated machines. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service or potential privileged code execution. This was fixed in comm
debian
CVE-2020-11102 | qemu | MEDIUM | CVSS 5.6 | fixed in qemu 1:4.2-4 (bookworm) | 2020
hw/net/tulip.c in QEMU 4.2.0 has a buffer overflow during the copying of tx/rx buffers because the frame size is not validated against the r/w data length.
Scope: local
bookworm: resolved (fixed in 1:4.2-4)
bullseye: resolved (fixed in 1:4.2-4)
forky: resolved (fixed in 1:4.2-4)
sid: resolved (fixed in 1:4.2-4)
trixie: resolved (fixed in 1:4.2-4)
debian
CVE-2020-28916 | qemu | MEDIUM | CVSS 5.5 | fixed in qemu 1:5.2+dfsg-1 (bookworm) | 2020
hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.
Scope: local
bookworm: resolved (fixed in 1:5.2+dfsg-1)
bullseye: resolved (fixed in 1:5.2+dfsg-1)
forky: resolved (fixed in 1:5.2+dfsg-1)
sid: resolved (fixed in 1:5.2+dfsg-1)
trixie: resolved (fixed in 1:5.2+dfsg-1)
debian
CVE-2020-35503 | qemu | MEDIUM | CVSS 6.0 | 2020
A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest t
debian
CVE-2020-27661 | qemu | MEDIUM | CVSS 6.5 | fixed in qemu 1:5.2+dfsg-1 (bookworm) | 2020
A divide-by-zero issue was found in dwc2_handle_packet in hw/usb/hcd-dwc2.c in the hcd-dwc2 USB host controller emulation of QEMU. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service.
Scope: local
bookworm: resolved (fixed in 1:5.2+dfsg-1)
bullseye: resolved (fixed in 1:5.2+dfsg-1)
forky: resolved (fixed in 1:
debian
CVE-2020-14364 | qemu | MEDIUM | CVSS 5.0 | fixed in qemu 1:5.1+dfsg-4 (bookworm) | 2020
An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the pote
debian