Debian Qemu vulnerabilities
446 known vulnerabilities affecting debian/qemu.
Total CVEs: 446
CISA KEV: 0
Public exploits: 10
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 87, MEDIUM 228, LOW 120, UNKNOWN 1
Vulnerabilities
Page 9 of 23
CVE-2019-20382 | LOW | CVSS 3.5 | fixed in qemu 1:4.2-1 (bookworm) | 2019
CVE-2019-20382 [LOW] CVE-2019-20382: qemu - QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc-zrle.c during a...
QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc-zrle.c during a VNC disconnect operation because libz is misused, resulting in a situation where memory allocated in deflateInit2 is not freed in deflateEnd.
Scope: local
bookworm: resolved (fixed in 1:4.2-1)
bullseye: resolved (fixed in 1:4.2-1)
forky: resolved (fixed in 1:4.2-1)
sid: resolved (fixed in 1
debian
CVE-2018-17963 | CRITICAL | CVSS 9.8 | fixed in qemu 1:3.1+dfsg-1 (bookworm) | 2018
CVE-2018-17963 [CRITICAL] CVE-2018-17963: qemu - qemu_deliver_packet_iov in net/net.c in Qemu accepts packet sizes greater than I...
qemu_deliver_packet_iov in net/net.c in Qemu accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact.
Scope: local
bookworm: resolved (fixed in 1:3.1+dfsg-1)
bullseye: resolved (fixed in 1:3.1+dfsg-1)
forky: resolved (fixed in 1:3.1+dfsg-1)
sid: resolved (fixed in 1:3.1+dfsg-1)
trixie:
debian
CVE-2018-20815 | CRITICAL | CVSS 9.8 | fixed in qemu 1:3.1+dfsg-7 (bookworm) | 2018
CVE-2018-20815 [CRITICAL] CVE-2018-20815: qemu - In QEMU 3.1.0, load_device_tree in device_tree.c calls the deprecated load_image...
In QEMU 3.1.0, load_device_tree in device_tree.c calls the deprecated load_image function, which has a buffer overflow risk.
Scope: local
bookworm: resolved (fixed in 1:3.1+dfsg-7)
bullseye: resolved (fixed in 1:3.1+dfsg-7)
forky: resolved (fixed in 1:3.1+dfsg-7)
sid: resolved (fixed in 1:3.1+dfsg-7)
trixie: resolved (fixed in 1:3.1+dfsg-7)
debian
CVE-2018-17962 | HIGH | CVSS 7.5 | fixed in qemu 1:3.1+dfsg-1 (bookworm) | 2018
CVE-2018-17962 [HIGH] CVE-2018-17962: qemu - Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorre...
Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used.
Scope: local
bookworm: resolved (fixed in 1:3.1+dfsg-1)
bullseye: resolved (fixed in 1:3.1+dfsg-1)
forky: resolved (fixed in 1:3.1+dfsg-1)
sid: resolved (fixed in 1:3.1+dfsg-1)
trixie: resolved (fixed in 1:3.1+dfsg-1)
debian
CVE-2018-16847 | HIGH | CVSS 7.8 | fixed in qemu 1:3.1+dfsg-1 (bookworm) | 2018
CVE-2018-16847 [HIGH] CVE-2018-16847: qemu - An OOB heap buffer r/w access issue was found in the NVM Express Controller emul...
An OOB heap buffer r/w access issue was found in the NVM Express Controller emulation in QEMU. It could occur in nvme_cmb_ops routines in nvme device. A guest user/process could use this flaw to crash the QEMU process resulting in DoS or potentially run arbitrary code with privileges of the QEMU process.
Scope: local
bookworm: resolved (fixed in 1:3.1+dfsg-1)
bullseye:
debian
CVE-2018-17958 | HIGH | CVSS 7.5 | fixed in qemu 1:3.1+dfsg-1 (bookworm) | 2018
CVE-2018-17958 [HIGH] CVE-2018-17958: qemu - Qemu has a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an ...
Qemu has a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used.
Scope: local
bookworm: resolved (fixed in 1:3.1+dfsg-1)
bullseye: resolved (fixed in 1:3.1+dfsg-1)
forky: resolved (fixed in 1:3.1+dfsg-1)
sid: resolved (fixed in 1:3.1+dfsg-1)
trixie: resolved (fixed in 1:3.1+dfsg-1)
debian
CVE-2018-7550 | HIGH | CVSS 8.8 | fixed in qemu 1:2.12~rc3+dfsg-1 (bookworm) | 2018
CVE-2018-7550 [HIGH] CVE-2018-7550: qemu - The load_multiboot function in hw/i386/multiboot.c in Quick Emulator (aka QEMU) ...
The load_multiboot function in hw/i386/multiboot.c in Quick Emulator (aka QEMU) allows local guest OS users to execute arbitrary code on the QEMU host via a mh_load_end_addr value greater than mh_bss_end_addr, which triggers an out-of-bounds read or write memory access.
Scope: local
bookworm: resolved (fixed in 1:2.12~rc3+dfsg-1)
bullseye: resolved (fixed in 1:2.12~rc3+d
debian
CVE-2018-16867 | HIGH | CVSS 7.8 | fixed in qemu 1:3.1+dfsg-1 (bookworm) | 2018
CVE-2018-16867 [HIGH] CVE-2018-16867: qemu - A flaw was found in qemu Media Transfer Protocol (MTP) before version 3.1.0. A p...
A flaw was found in qemu Media Transfer Protocol (MTP) before version 3.1.0. A path traversal exists in the usb_mtp_write_data function in hw/usb/dev-mtp.c due to improper filename sanitization. When the guest device is mounted in read-write mode, this allows reading/writing arbitrary files, which may lead to a DoS scenario or possibly to code execution on the host.
Sco
debian
CVE-2018-11806 | HIGH | CVSS 8.2 | fixed in qemu 1:3.1+dfsg-1 (bookworm) | 2018
CVE-2018-11806 [HIGH] CVE-2018-11806: qemu - m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming frag...
m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams.
Scope: local
bookworm: resolved (fixed in 1:3.1+dfsg-1)
bullseye: resolved (fixed in 1:3.1+dfsg-1)
forky: resolved (fixed in 1:3.1+dfsg-1)
sid: resolved (fixed in 1:3.1+dfsg-1)
trixie: resolved (fixed in 1:3.1+dfsg-1)
debian
CVE-2018-18849 | MEDIUM | CVSS 5.5 | fixed in qemu 1:3.1+dfsg-1 (bookworm) | 2018
CVE-2018-18849 [MEDIUM] CVE-2018-18849: qemu - In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access ...
In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access by triggering an invalid msg_len value.
Scope: local
bookworm: resolved (fixed in 1:3.1+dfsg-1)
bullseye: resolved (fixed in 1:3.1+dfsg-1)
forky: resolved (fixed in 1:3.1+dfsg-1)
sid: resolved (fixed in 1:3.1+dfsg-1)
trixie: resolved (fixed in 1:3.1+dfsg-1)
debian
CVE-2018-7858 | MEDIUM | CVSS 5.5 | fixed in qemu 1:2.12~rc3+dfsg-1 (bookworm) | 2018
CVE-2018-7858 [MEDIUM] CVE-2018-7858: qemu - Quick Emulator (aka QEMU), when built with the Cirrus CLGD 54xx VGA Emulator sup...
Quick Emulator (aka QEMU), when built with the Cirrus CLGD 54xx VGA Emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds access and QEMU process crash) by leveraging incorrect region calculation when updating VGA display.
Scope: local
bookworm: resolved (fixed in 1:2.12~rc3+dfsg-1)
bullseye: resolved (fixed in 1:2.12~rc3+
debian
CVE-2018-18438 | MEDIUM | CVSS 5.5 | fixed in qemu 1:3.1+dfsg-1 (bookworm) | 2018
CVE-2018-18438 [MEDIUM] CVE-2018-18438: qemu - Qemu has integer overflows because IOReadHandler and its associated functions us...
Qemu has integer overflows because IOReadHandler and its associated functions use a signed integer data type for a size value.
Scope: local
bookworm: resolved (fixed in 1:3.1+dfsg-1)
bullseye: resolved (fixed in 1:3.1+dfsg-1)
forky: resolved (fixed in 1:3.1+dfsg-1)
sid: resolved (fixed in 1:3.1+dfsg-1)
trixie: resolved (fixed in 1:3.1+dfsg-1)
debian
CVE-2018-10839 | MEDIUM | CVSS 6.5 | fixed in qemu 1:3.1+dfsg-1 (bookworm) | 2018
CVE-2018-10839 [MEDIUM] CVE-2018-10839: qemu - Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable...
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
Scope: local
bookworm: resolved (fixed in 1:3.1+dfsg-1)
bullseye: resolved (fixed
debian
CVE-2018-5683 | MEDIUM | CVSS 6.0 | fixed in qemu 1:2.12~rc3+dfsg-1 (bookworm) | 2018
CVE-2018-5683 [MEDIUM] CVE-2018-5683: qemu - The vga_draw_text function in Qemu allows local OS guest privileged users to cau...
The vga_draw_text function in Qemu allows local OS guest privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging improper memory address validation.
Scope: local
bookworm: resolved (fixed in 1:2.12~rc3+dfsg-1)
bullseye: resolved (fixed in 1:2.12~rc3+dfsg-1)
forky: resolved (fixed in 1:2.12~rc3+dfsg-1)
sid: resolved (fixed
debian
CVE-2018-19489 | MEDIUM | CVSS 4.7 | fixed in qemu 1:3.1+dfsg-1 (bookworm) | 2018
CVE-2018-19489 [MEDIUM] CVE-2018-19489: qemu - v9fs_wstat in hw/9pfs/9p.c in QEMU allows guest OS users to cause a denial of se...
v9fs_wstat in hw/9pfs/9p.c in QEMU allows guest OS users to cause a denial of service (crash) because of a race condition during file renaming.
Scope: local
bookworm: resolved (fixed in 1:3.1+dfsg-1)
bullseye: resolved (fixed in 1:3.1+dfsg-1)
forky: resolved (fixed in 1:3.1+dfsg-1)
sid: resolved (fixed in 1:3.1+dfsg-1)
trixie: resolved (fixed in 1:3.1+dfsg-1)
debian
CVE-2018-19364 | MEDIUM | CVSS 5.5 | fixed in qemu 1:3.1+dfsg-1 (bookworm) | 2018
CVE-2018-19364 [MEDIUM] CVE-2018-19364: qemu - hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an fid path while it is bei...
hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an fid path while it is being accessed by a second thread, leading to (for example) a use-after-free outcome.
Scope: local
bookworm: resolved (fixed in 1:3.1+dfsg-1)
bullseye: resolved (fixed in 1:3.1+dfsg-1)
forky: resolved (fixed in 1:3.1+dfsg-1)
sid: resolved (fixed in 1:3.1+dfsg-1)
trixie: resolved (fixed in 1:
debian
CVE-2018-16872 | MEDIUM | CVSS 5.3 | fixed in qemu 1:3.1+dfsg-2 (bookworm) | 2018
CVE-2018-16872 [MEDIUM] CVE-2018-16872: qemu - A flaw was found in qemu Media Transfer Protocol (MTP). The code opening files i...
A flaw was found in qemu Media Transfer Protocol (MTP). The code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn't consider that the underlying filesystem may have changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical TOCTTOU problem. An attacker with write access to the host
debian
CVE-2018-20126 | LOW | CVSS 5.5 | fixed in qemu 1:4.1-1 (bookworm) | 2018
CVE-2018-20126 [MEDIUM] CVE-2018-20126: qemu - hw/rdma/vmw/pvrdma_cmd.c in QEMU allows create_cq and create_qp memory leaks bec...
hw/rdma/vmw/pvrdma_cmd.c in QEMU allows create_cq and create_qp memory leaks because errors are mishandled.
Scope: local
bookworm: resolved (fixed in 1:4.1-1)
bullseye: resolved (fixed in 1:4.1-1)
forky: resolved (fixed in 1:4.1-1)
sid: resolved (fixed in 1:4.1-1)
trixie: resolved (fixed in 1:4.1-1)
debian
CVE-2018-12617 | LOW | CVSS 7.5 | PoC | fixed in qemu 1:3.1+dfsg-1 (bookworm) | 2018
CVE-2018-12617 [HIGH] CVE-2018-12617: qemu - qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga ...
qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent) in QEMU 2.12.50 has an integer overflow causing a g_malloc0() call to trigger a segmentation fault when trying to allocate a large memory chunk. The vulnerability can be exploited by sending a crafted QMP command (including guest-file-read with a large count value) to
debian
CVE-2018-20191 | LOW | CVSS 7.5 | fixed in qemu 1:4.1-1 (bookworm) | 2018
CVE-2018-20191 [HIGH] CVE-2018-20191: qemu - hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a read operation (such as u...
hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a read operation (such as uar_read by analogy to uar_write), which allows attackers to cause a denial of service (NULL pointer dereference).
Scope: local
bookworm: resolved (fixed in 1:4.1-1)
bullseye: resolved (fixed in 1:4.1-1)
forky: resolved (fixed in 1:4.1-1)
sid: resolved (fixed in 1:4.1-1)
trixie: resolved (fi
debian