Bug 40919 - qemu-kvm: multiple issues (3.2)
Status: CLOSED WONTFIX
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.2
Other Linux
P3 normal
Assigned To: Security maintainers
http://anonscm.debian.org/cgit/collab...
Depends on: 40635 42562
Blocks:
Reported: 2016-03-17 16:33 CET by Arvid Requate
Modified: 2019-04-11 19:25 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:
requate: Patch_Available+


Attachments
CVE-2016-371x.diff from Debian Jessie qemu package (18.49 KB, patch)
2016-05-23 17:37 CEST, Arvid Requate

Description Arvid Requate univentionstaff 2016-03-17 16:33:23 CET
+++ This bug was initially created as a clone of Bug #40635 +++

Upstream Debian package version 1.1.2+dfsg-6+deb7u12 fixes these issues:

* virtio-net: possible remote DoS (CVE-2015-7295)

* pcnet: heap overflow vulnerability in loopback mode (CVE-2015-7504) (XSA-162)

* net: pcnet: heap overflow vulnerability in loopback mode (CVE-2015-7504)

* Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU, when a guest NIC has a larger MTU, allows remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet. (CVE-2015-7512)

* Qemu: net: eepro100: infinite loop in processing command block list (CVE-2015-8345)

* vnc: avoid floating point exception (CVE-2015-8504)

* usb: infinite loop in ehci_advance_state results in DoS (CVE-2015-8558)

* net: ne2000: OOB r/w in ioport operations (CVE-2015-8743)

* ide: ahci use-after-free vulnerability in aio port commands (CVE-2016-1568)

* nvram: OOB r/w access in processing firmware configurations (CVE-2016-1714)

* i386: null pointer dereference in vapic_write() (CVE-2016-1922)
Comment 1 Arvid Requate univentionstaff 2016-05-23 17:37:50 CEST
Created attachment 7679 [details]
CVE-2016-371x.diff from Debian Jessie qemu package

Two additional issues:

* The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS users to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Portal" issue. (CVE-2016-3710)

* Integer overflow in the VGA module in QEMU allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) by editing VGA registers in VBE mode. (CVE-2016-3712)

The source package "qemu-kvm" is not supported in Wheezy LTS. The attached patches have been extracted from the Debian Jessie "qemu" source package.
Comment 2 Arvid Requate univentionstaff 2016-10-13 15:11:23 CEST
Upstream Debian package version 1.1.2+dfsg-6a+deb7u13 fixes these issues:

* The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Portal" issue. (CVE-2016-3710)

* Integer overflow in the VGA module in QEMU allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) by editing VGA registers in VBE mode. (CVE-2016-3712)
Comment 3 Arvid Requate univentionstaff 2016-10-13 15:11:35 CEST
Additional issues fixed in 1.1.2+dfsg-6+deb7u14:

* Integer overflow in vnc_client_read() and protocol_client_msg() (CVE-2015-5239)

* The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not initialize the imm32 variable, which allows local guest OS administrators to obtain sensitive information from host stack memory by accessing the Task Priority Register (TPR). (CVE-2016-4020)

* The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion. (CVE-2016-5403)
Comment 4 Arvid Requate univentionstaff 2016-10-13 15:11:45 CEST
Upstream Debian package version 1.1.2+dfsg-6+deb7u15 fixes this additional issue:

* 9p: directory traversal flaw in 9p virtio backend (CVE-2016-7116)
Comment 5 Arvid Requate univentionstaff 2016-10-13 15:11:58 CEST
Fixed in upstream Debian package version 1.1.2+dfsg-6+deb7u16:

* Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allows attackers to execute arbitrary code on the QEMU host via a large ethlite packet. (CVE-2016-7161)

* vmware_vga: OOB stack memory access when processing svga command (CVE-2016-7170)

* The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags. (CVE-2016-7908)

CVSS v3 base scores:
CVE-2016-7161: 8.5 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
CVE-2016-7170: 3.5 (CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L)
CVE-2016-7908: 3.0 (CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L)
Comment 6 Arvid Requate univentionstaff 2016-11-05 20:38:06 CET
Upstream Debian package version 1.1.2+dfsg-6+deb7u17 fixes these issues:

* usb: xHCI: infinite loop vulnerability in xhci_ring_fetch (CVE-2016-8576)
* 9pfs: host memory leakage in v9fs_read (CVE-2016-8577)
* 9pfs: potential NULL dereference in 9pfs routines (CVE-2016-8578)
* char: divide by zero error in serial_update_parameters (CVE-2016-8669)
Comment 7 Arvid Requate univentionstaff 2016-11-08 18:57:12 CET
Upstream Debian package version 1.1.2+dfsg-6+deb7u18 fixes these issues:

* net: pcnet: check rx/tx descriptor ring length (CVE-2016-7909)
* audio: intel-hda: check stream entry count during transfer (CVE-2016-8909)
* net: rtl8139: limit processing of ring descriptors (CVE-2016-8910)
Comment 8 Arvid Requate univentionstaff 2017-06-01 18:16:42 CEST
UCS 3.2 is out of maintenance.