Debian Qemu vulnerabilities

446 known vulnerabilities affecting debian/qemu.

Total CVEs: 446
CISA KEV: 0
Public exploits: 10
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 87, MEDIUM 228, LOW 120, UNKNOWN 1

Vulnerabilities

Page 8 of 23
CVE-2020-25742 | LOW | CVSS 3.2 | 2020
CVE-2020-25742 [LOW]: qemu - pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer.
Scope: local. bookworm: open; bullseye: open; forky: open; sid: open; trixie: open
debian
CVE-2020-29443 | LOW | CVSS 3.9 | fixed in qemu 1:5.2+dfsg-11 (bookworm) | 2020
CVE-2020-29443 [LOW]: qemu - ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated.
Scope: local. bookworm: resolved (fixed in 1:5.2+dfsg-11); bullseye: resolved (fixed in 1:5.2+dfsg-11); forky: resolved (fixed in 1:5.2+dfsg-11); sid: resolved (fixed in 1:5.2+dfsg-11); trixie: resolved (fixed in 1:5.2+dfsg-11)
debian
CVE-2019-13164 | HIGH | CVSS 7.8 | fixed in qemu 1:4.1-1 (bookworm) | 2019
CVE-2019-13164 [HIGH]: qemu - qemu-bridge-helper.c in QEMU 3.1 and 4.0.0 does not ensure that a network interface name (obtained from bridge.conf or a --br=bridge option) is limited to the IFNAMSIZ size, which can lead to an ACL bypass.
Scope: local. bookworm: resolved (fixed in 1:4.1-1); bullseye: resolved (fixed in 1:4.1-1); forky: resolved (fixed in 1:4.1-1); sid: resolved (fixed in 1:4.1-1); trixie:
debian
CVE-2019-15890 | HIGH | CVSS 7.5 | fixed in qemu 1:4.1-2 (bookworm) | 2019
CVE-2019-15890 [HIGH]: qemu - libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c.
Scope: local. bookworm: resolved (fixed in 1:4.1-2); bullseye: resolved (fixed in 1:4.1-2); forky: resolved (fixed in 1:4.1-2); sid: resolved (fixed in 1:4.1-2); trixie: resolved (fixed in 1:4.1-2)
debian
CVE-2019-6778 | HIGH | CVSS 7.8 | fixed in qemu 1:3.1+dfsg-3 (bookworm) | 2019
CVE-2019-6778 [HIGH]: qemu - In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow.
Scope: local. bookworm: resolved (fixed in 1:3.1+dfsg-3); bullseye: resolved (fixed in 1:3.1+dfsg-3); forky: resolved (fixed in 1:3.1+dfsg-3); sid: resolved (fixed in 1:3.1+dfsg-3); trixie: resolved (fixed in 1:3.1+dfsg-3)
debian
CVE-2019-12155 | HIGH | CVSS 7.5 | fixed in qemu 1:3.1+dfsg-8 (bookworm) | 2019
CVE-2019-12155 [HIGH]: qemu - interface_release_resource in hw/display/qxl.c in QEMU 3.1.x through 4.0.0 has a NULL pointer dereference.
Scope: local. bookworm: resolved (fixed in 1:3.1+dfsg-8); bullseye: resolved (fixed in 1:3.1+dfsg-8); forky: resolved (fixed in 1:3.1+dfsg-8); sid: resolved (fixed in 1:3.1+dfsg-8); trixie: resolved (fixed in 1:3.1+dfsg-8)
debian
CVE-2019-14378 | HIGH | CVSS 8.8 | PoC | fixed in qemu 1:4.1-1 (bookworm) | 2019
CVE-2019-14378 [HIGH]: qemu - ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment.
Scope: local. bookworm: resolved (fixed in 1:4.1-1); bullseye: resolved (fixed in 1:4.1-1); forky: resolved (fixed in 1:4.1-1); sid: resolved (fixed in 1:4.1-1); trixie: resolved (fixed in 1:4.1-1)
debian
CVE-2019-20808 | MEDIUM | CVSS 6.5 | fixed in qemu 1:4.2-1 (bookworm) | 2019
CVE-2019-20808 [MEDIUM]: qemu - In QEMU 4.1.0, an out-of-bounds read flaw was found in the ATI VGA implementation. It occurs in the ati_cursor_define() routine while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service.
Scope: local. bookworm: resolved (fixed in 1:4.2-1); bullseye: resol
debian
CVE-2019-9824 | MEDIUM | CVSS 5.5 | fixed in qemu 1:3.1+dfsg-6 (bookworm) | 2019
CVE-2019-9824 [MEDIUM]: qemu - tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure.
Scope: local. bookworm: resolved (fixed in 1:3.1+dfsg-6); bullseye: resolved (fixed in 1:3.1+dfsg-6); forky: resolved (fixed in 1:3.1+dfsg-6); sid: resolved (fixed in 1:3.1+dfsg-6); trixie: resolved (fixed in 1:3.1+dfsg-6)
debian
CVE-2019-6501 | MEDIUM | CVSS 5.5 | fixed in qemu 1:3.1+dfsg-3 (bookworm) | 2019
CVE-2019-6501 [MEDIUM]: qemu - In QEMU 3.1, scsi_handle_inquiry_reply in hw/scsi/scsi-generic.c allows out-of-bounds write and read operations.
Scope: local. bookworm: resolved (fixed in 1:3.1+dfsg-3); bullseye: resolved (fixed in 1:3.1+dfsg-3); forky: resolved (fixed in 1:3.1+dfsg-3); sid: resolved (fixed in 1:3.1+dfsg-3); trixie: resolved (fixed in 1:3.1+dfsg-3)
debian
CVE-2019-15034 | MEDIUM | CVSS 5.8 | fixed in qemu 1:4.1-1 (bookworm) | 2019
CVE-2019-15034 [MEDIUM]: qemu - hw/display/bochs-display.c in QEMU 4.0.0 does not ensure a sufficient PCI config space allocation, leading to a buffer overflow involving the PCIe extended config space.
Scope: local. bookworm: resolved (fixed in 1:4.1-1); bullseye: resolved (fixed in 1:4.1-1); forky: resolved (fixed in 1:4.1-1); sid: resolved (fixed in 1:4.1-1); trixie: resolved (fixed in 1:4.1-1)
debian
CVE-2019-3812 | MEDIUM | CVSS 4.4 | fixed in qemu 1:3.1+dfsg-5 (bookworm) | 2019
CVE-2019-3812 [MEDIUM]: qemu - QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A local attacker with permission to execute i2c commands could exploit this to read stack memory of the qemu process on the host.
Scope: local. bookworm: resolved (fixed in 1:3.1+dfsg-5); bullseye: resolved (fixed in
debian
CVE-2019-12929 | LOW | CVSS 9.8 | 2019
CVE-2019-12929 [CRITICAL]: qemu - The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able
debian
CVE-2019-8934 | LOW | CVSS 3.3 | fixed in qemu 1:4.1-1 (bookworm) | 2019
CVE-2019-8934 [LOW]: qemu - hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest.
Scope: local. bookworm: resolved (fixed in 1:4.1-1); bullseye: resolved (fixed in 1:4.1-1); forky: resolved (fixed in 1:4.1-1); sid: resolved (fixed in 1:4.1-1); trixie: resolved (fixed in 1:4
debian
CVE-2019-12247 | LOW | CVSS 7.5 | 2019
CVE-2019-12247 [HIGH]: qemu - QEMU 3.0.0 has an Integer Overflow because the qga/commands*.c files do not check the length of the argument list or the number of environment variables. NOTE: This has been disputed as not exploitable.
Scope: local. bookworm: open; bullseye: open; forky: open; sid: open; trixie: open
debian
CVE-2019-12928 | LOW | CVSS 9.8 | PoC | 2019
CVE-2019-12928 [CRITICAL]: qemu - The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows the remote attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted user
debian
CVE-2019-5008 | LOW | CVSS 7.5 | fixed in qemu 1:3.1+dfsg-8 (bookworm) | 2019
CVE-2019-5008 [HIGH]: qemu - hw/sparc64/sun4u.c in QEMU 3.1.50 is vulnerable to a NULL pointer dereference, which allows the attacker to cause a denial of service via a device driver.
Scope: local. bookworm: resolved (fixed in 1:3.1+dfsg-8); bullseye: resolved (fixed in 1:3.1+dfsg-8); forky: resolved (fixed in 1:3.1+dfsg-8); sid: resolved (fixed in 1:3.1+dfsg-8); trixie: resolved (fixed in 1:3.1+dfsg-8)
debian
CVE-2019-12067 | LOW | CVSS 6.5 | 2019
CVE-2019-12067 [MEDIUM]: qemu - The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null.
Scope: local. bookworm: open; bullseye: open; forky: open; sid: open; trixie: open
debian
CVE-2019-20175 | LOW | CVSS 7.5 | fixed in qemu 1:5.0-1 (bookworm) | 2019
CVE-2019-20175 [HIGH]: qemu - An issue was discovered in ide_dma_cb() in hw/ide/core.c in QEMU 2.4.0 through 4.2.0. The guest system can crash the QEMU process in the host system via a special SCSI_IOCTL_SEND_COMMAND. It hits an assertion that implies that the size of successful DMA transfers there must be a multiple of 512 (the size of a sector). NOTE: a member of the QEMU security team disputes t
debian
CVE-2019-12068 | LOW | CVSS 3.8 | fixed in qemu 1:4.1-2 (bookworm) | 2019
CVE-2019-12068 [LOW]: qemu - In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode is empty. Move the existing loop exit after 10k iterations
debian