Univention Bugzilla – Full Text Bug Listing
Summary: | qemu-kvm: multiple issues (4.1) | | |
---|---|---|---|
Product: | UCS | Reporter: | Arvid Requate <requate> |
Component: | Security updates | Assignee: | Security maintainers <security-maintainers> |
Status: | RESOLVED DUPLICATE | QA Contact: | |
Severity: | normal | | |
Priority: | P3 | CC: | gohmann, hahn |
Version: | UCS 4.1 | Flags: | requate: Patch_Available+ |
Target Milestone: | --- | | |
Hardware: | Other | | |
OS: | Linux | | |
What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | | Enterprise Customer affected?: | |
School Customer affected?: | | ISV affected?: | |
Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
Ticket number: | | Bug group (optional): | Security |
Max CVSS v3 score: | | | |
Bug Depends on: | 40634 | | |
Bug Blocks: | | | |

Description
Arvid Requate
2016-10-04 15:44:06 CEST
Additional issues fixed in 1.1.2+dfsg-6+deb7u14:

* Integer overflow in vnc_client_read() and protocol_client_msg() (CVE-2015-5239)
* The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not initialize the imm32 variable, which allows local guest OS administrators to obtain sensitive information from host stack memory by accessing the Task Priority Register (TPR). (CVE-2016-4020)
* The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion. (CVE-2016-5403)

Upstream Debian package version 1.1.2+dfsg-6+deb7u15 fixes this additional issue:

* 9p: directory traversal flaw in 9p virtio backend (CVE-2016-7116)

Fixed in upstream Debian package version 1.1.2+dfsg-6+deb7u16:

* Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allows attackers to execute arbitrary code on the QEMU host via a large ethlite packet. (CVE-2016-7161)
* vmware_vga: OOB stack memory access when processing svga command (CVE-2016-7170)
* The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags. (CVE-2016-7908)

CVSS v3 base scores:

CVE-2016-7161: 8.5 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
CVE-2016-7170: 3.5 (CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L)
CVE-2016-7908: 3.0 (CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L)