Univention Bugzilla – Bug 42552
qemu-kvm: multiple issues (4.1)
Last modified: 2017-06-01 18:34:52 CEST
+++ This bug was initially created as a clone of Bug #40920 +++

Upstream Debian package version 1.1.2+dfsg-6a+deb7u13 fixes these issues:
* The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Portal" issue. (CVE-2016-3710)
* Integer overflow in the VGA module in QEMU allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) by editing VGA registers in VBE mode. (CVE-2016-3712)

Additional issues fixed in 1.1.2+dfsg-6+deb7u14:
* Integer overflow in vnc_client_read() and protocol_client_msg() (CVE-2015-5239)
* The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not initialize the imm32 variable, which allows local guest OS administrators to obtain sensitive information from host stack memory by accessing the Task Priority Register (TPR). (CVE-2016-4020)
* The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion. (CVE-2016-5403)

Upstream Debian package version 1.1.2+dfsg-6+deb7u15 fixes this additional issue:
* 9p: directory traversal flaw in 9p virtio backend (CVE-2016-7116)

Fixed in upstream Debian package version 1.1.2+dfsg-6+deb7u16:
* Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allows attackers to execute arbitrary code on the QEMU host via a large ethlite packet. (CVE-2016-7161)
* vmware_vga: OOB stack memory access when processing svga command (CVE-2016-7170)
* The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags. (CVE-2016-7908)

CVSS v3 base scores:
* CVE-2016-7161: 8.5 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
* CVE-2016-7170: 3.5 (CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L)
* CVE-2016-7908: 3.0 (CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L)
Let's simply track this together with qemu itself; they are getting released in parallel.

*** This bug has been marked as a duplicate of bug 40920 ***