Debian Qemu vulnerabilities

446 known vulnerabilities affecting debian/qemu.

Total CVEs: 446
CISA KEV: 0
Public exploits: 10
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 87, MEDIUM 228, LOW 120, UNKNOWN 1

Vulnerabilities

Page 7 of 23
CVE-2020-13765 | MEDIUM | CVSS 5.6 | fixed in qemu 1:4.2-1 (bookworm) | 2020
CVE-2020-13765 [MEDIUM]: qemu - rom_copy() in hw/core/loader.c in QEMU 4.0 and 4.1.0 does not validate the relationship between two addresses, which allows attackers to trigger an invalid memory copy operation.
Scope: local
bookworm: resolved (fixed in 1:4.2-1); bullseye: resolved (fixed in 1:4.2-1); forky: resolved (fixed in 1:4.2-1); sid: resolved (fixed in 1:4.2-1); trixie: resolved (fixed in 1:4.2-
debian
CVE-2020-35505 | MEDIUM | CVSS 4.4 | fixed in qemu 1:6.0+dfsg-3 (bookworm) | 2020
CVE-2020-35505 [MEDIUM]: qemu - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availa
debian
CVE-2020-7039 | MEDIUM | CVSS 5.6 | fixed in libslirp 4.1.0-2 (bookworm) | 2020
CVE-2020-7039 [MEDIUM]: libslirp - tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access which can lead to a DoS or potentially execute arbitrary code.
Scope: local
bookworm: resolved (fixed in 4.1.0-2); bullseye: resolved (fixed in 4.1.0-2); forky: resol
debian
CVE-2020-15469 | LOW | CVSS 2.3 | fixed in qemu 1:6.0+dfsg-3 (bookworm) | 2020
CVE-2020-15469 [LOW]: qemu - In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.
Scope: local
bookworm: resolved (fixed in 1:6.0+dfsg-3); bullseye: open; forky: resolved (fixed in 1:6.0+dfsg-3); sid: resolved (fixed in 1:6.0+dfsg-3); trixie: resolved (fixed in 1:6.0+dfsg-3)
debian
CVE-2020-13361 | LOW | CVSS 3.9 | fixed in qemu 1:5.0-6 (bookworm) | 2020
CVE-2020-13361 [LOW]: qemu - In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation.
Scope: local
bookworm: resolved (fixed in 1:5.0-6); bullseye: resolved (fixed in 1:5.0-6); forky: resolved (fixed in 1:5.0-6); sid: resolved (fixed in 1:5.0-6); tr
debian
CVE-2020-25723 | LOW | CVSS 3.2 | fixed in qemu 1:5.2+dfsg-1 (bookworm) | 2020
CVE-2020-25723 [LOW]: qemu - A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host, resulting in a denial of service.
Scope: local
bookworm: resolved
debian
CVE-2020-10717 | LOW | CVSS 3.3 | fixed in qemu 1:5.0-5 (bookworm) | 2020
CVE-2020-10717 [LOW]: qemu - A potential DoS flaw was found in the virtio-fs shared file system daemon (virtiofsd) implementation of the QEMU version >= v5.0. Virtio-fs is meant to share a host file system directory with a guest via virtio-fs device. If the guest opens the maximum number of file descriptors under the shared directory, a denial of service may occur. This flaw allows a guest user/pro
debian
CVE-2020-16092 | LOW | CVSS 3.8 | fixed in qemu 1:5.1+dfsg-1 (bookworm) | 2020
CVE-2020-16092 [LOW]: qemu - In QEMU through 5.0.0, an assertion failure can occur in the network packet processing. This issue affects the e1000e and vmxnet3 network devices. A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service condition in net_tx_pkt_add_raw_fragment in hw/net/net_tx_pkt.c.
Scope: local
bookworm: resolved (fixe
debian
CVE-2020-15859 | LOW | CVSS 3.3 | fixed in qemu 1:5.2+dfsg-1 (bookworm) | 2020
CVE-2020-15859 [LOW]: qemu - QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data's address set to the e1000e's MMIO address.
Scope: local
bookworm: resolved (fixed in 1:5.2+dfsg-1); bullseye: resolved (fixed in 1:5.2+dfsg-1); forky: resolved (fixed in 1:5.2+dfsg-1); sid: resolved (fixed in 1:5.2+dfsg-1); trixie: resolved (fixed in 1
debian
CVE-2020-12829 | LOW | CVSS 3.8 | fixed in qemu 1:5.0-12 (bookworm) | 2020
CVE-2020-12829 [LOW]: qemu - In QEMU through 5.0.0, an integer overflow was found in the SM501 display driver implementation. This flaw occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write() callback. A local attacker could abuse this flaw to crash the QEMU process in sm501_2d_operation() in hw/display/sm501.c on the host, resulting in a denial of ser
debian
CVE-2020-25743 | LOW | CVSS 3.2 | 2020
CVE-2020-25743 [LOW]: qemu - hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call.
Scope: local
bookworm: open; bullseye: open; forky: open; sid: open; trixie: open
debian
CVE-2020-13659 | LOW | CVSS 2.5 | fixed in qemu 1:5.0-6 (bookworm) | 2020
CVE-2020-13659 [LOW]: qemu - address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer dereference related to BounceBuffer.
Scope: local
bookworm: resolved (fixed in 1:5.0-6); bullseye: resolved (fixed in 1:5.0-6); forky: resolved (fixed in 1:5.0-6); sid: resolved (fixed in 1:5.0-6); trixie: resolved (fixed in 1:5.0-6)
debian
CVE-2020-13362 | LOW | CVSS 3.2 | fixed in qemu 1:5.0-6 (bookworm) | 2020
CVE-2020-13362 [LOW]: qemu - In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user.
Scope: local
bookworm: resolved (fixed in 1:5.0-6); bullseye: resolved (fixed in 1:5.0-6); forky: resolved (fixed in 1:5.0-6); sid: resolved (fixed in 1:5.0-6); trixie: resolved (fixed in 1:5.0-6)
debian
CVE-2020-14415 | LOW | CVSS 3.3 | fixed in qemu 1:5.0-1 (bookworm) | 2020
CVE-2020-14415 [LOW]: qemu - oss_write in audio/ossaudio.c in QEMU before 5.0.0 mishandles a buffer position.
Scope: local
bookworm: resolved (fixed in 1:5.0-1); bullseye: resolved (fixed in 1:5.0-1); forky: resolved (fixed in 1:5.0-1); sid: resolved (fixed in 1:5.0-1); trixie: resolved (fixed in 1:5.0-1)
debian
CVE-2020-25084 | LOW | CVSS 3.2 | fixed in qemu 1:5.2+dfsg-1 (bookworm) | 2020
CVE-2020-25084 [LOW]: qemu - QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked.
Scope: local
bookworm: resolved (fixed in 1:5.2+dfsg-1); bullseye: resolved (fixed in 1:5.2+dfsg-1); forky: resolved (fixed in 1:5.2+dfsg-1); sid: resolved (fixed in 1:5.2+dfsg-1); trixie: resolved (fixed in 1:5.2+dfsg-1)
debian
CVE-2020-25741 | LOW | CVSS 3.2 | 2020
CVE-2020-25741 [LOW]: qemu - fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive.
Scope: local
bookworm: open; bullseye: open; forky: open; sid: open; trixie: open
debian
CVE-2020-24352 | LOW | CVSS 5.5 | fixed in qemu 1:5.2+dfsg-1 (bookworm) | 2020
CVE-2020-24352 [MEDIUM]: qemu - An issue was discovered in QEMU through 5.1.0. An out-of-bounds memory access was found in the ATI VGA device implementation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati_2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of
debian
CVE-2020-14394 | LOW | CVSS 3.2 | fixed in qemu 1:7.1+dfsg-1 (bookworm) | 2020
CVE-2020-14394 [LOW]: qemu - An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process on the host, resulting in a denial of service.
Scope: local
bookworm: resolved (fixed in 1:7.1+dfsg-1); bullseye: resolved (fixed in 1:5.2+dfsg-11+deb11u3); forky
debian
CVE-2020-11869 | LOW | CVSS 3.3 | fixed in qemu 1:5.0-1 (bookworm) | 2020
CVE-2020-11869 [LOW]: qemu - An integer overflow was found in QEMU 4.0.1 through 4.2.0 in the way it implemented ATI VGA emulation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati-2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service.
Scope: local
bookworm: res
debian
CVE-2020-11947 | LOW | CVSS 3.8 | fixed in qemu 1:4.2-7 (bookworm) | 2020
CVE-2020-11947 [LOW]: qemu - iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buffer over-read that may disclose unrelated information from process memory to an attacker.
Scope: local
bookworm: resolved (fixed in 1:4.2-7); bullseye: resolved (fixed in 1:4.2-7); forky: resolved (fixed in 1:4.2-7); sid: resolved (fixed in 1:4.2-7); trixie: resolved (fixed in 1:4.2-7)
debian