Debian Long Term Support / LTS Security Information / 2018 / Security Information -- DLA-1497-1 qemu

Debian Security Advisory

DLA-1497-1 qemu -- LTS security update

Date Reported:

06 Sep 2018

Affected Packages:

qemu

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 813193, Bug 834904, Bug 835031, Bug 840945, Bug 840950, Bug 847496, Bug 847951, Bug 847953.
In Mitre's CVE dictionary: CVE-2015-8666, CVE-2016-2198, CVE-2016-6833, CVE-2016-6835, CVE-2016-8576, CVE-2016-8667, CVE-2016-8669, CVE-2016-9602, CVE-2016-9603, CVE-2016-9776, CVE-2016-9907, CVE-2016-9911, CVE-2016-9914, CVE-2016-9915, CVE-2016-9916, CVE-2016-9921, CVE-2016-9922, CVE-2016-10155, CVE-2017-2615, CVE-2017-2620, CVE-2017-5525, CVE-2017-5526, CVE-2017-5579, CVE-2017-5667, CVE-2017-5715, CVE-2017-5856, CVE-2017-5973, CVE-2017-5987, CVE-2017-6505, CVE-2017-7377, CVE-2017-7493, CVE-2017-7718, CVE-2017-7980, CVE-2017-8086, CVE-2017-8112, CVE-2017-8309, CVE-2017-8379, CVE-2017-9330, CVE-2017-9373, CVE-2017-9374, CVE-2017-9503, CVE-2017-10806, CVE-2017-10911, CVE-2017-11434, CVE-2017-14167, CVE-2017-15038, CVE-2017-15289, CVE-2017-16845, CVE-2017-18030, CVE-2017-18043, CVE-2018-5683, CVE-2018-7550.

More information:

Several vulnerabilities were found in qemu, a fast processor emulator:

• CVE-2015-8666

  Heap-based buffer overflow in QEMU when built with the Q35-chipset-based PC system emulator

• CVE-2016-2198

  Null pointer dereference in ehci_caps_write in the USB EHCI support that may result in denial of service

• CVE-2016-6833

  Use after free while writing in the vmxnet3 device that could be used to cause a denial of service

• CVE-2016-6835

  Buffer overflow in vmxnet_tx_pkt_parse_headers() in vmxnet3 device that could result in denial of service

• CVE-2016-8576

  Infinite loop vulnerability in xhci_ring_fetch in the USB xHCI support

• CVE-2016-8667 / CVE-2016-8669

  Divide by zero errors in set_next_tick in the JAZZ RC4030 chipset emulator, and in serial_update_parameters of some serial devices, that could result in denial of service

• CVE-2016-9602

  Improper link following with VirtFS

• CVE-2016-9603

  Heap buffer overflow via vnc connection in the Cirrus CLGD 54xx VGA emulator support

• CVE-2016-9776

  Infinite loop while receiving data in the ColdFire Fast Ethernet Controller emulator

• CVE-2016-9907

  Memory leakage in the USB redirector usb-guest support

• CVE-2016-9911

  Memory leakage in ehci_init_transfer in the USB EHCI support

• CVE-2016-9914 / CVE-2016-9915 / CVE-2016-9916

  Plan 9 File System (9pfs): add missing cleanup operation in FileOperations, in the handle backend and in the proxy backend driver

• CVE-2016-9921 / CVE-2016-9922

  Divide by zero in cirrus_do_copy in the Cirrus CLGD 54xx VGA Emulator support

• CVE-2016-10155

  Memory leak in hw/watchdog/wdt_i6300esb.c allowing local guest OS privileged users to cause a denial of service via a large number of device unplug operations.

• CVE-2017-2615 / CVE-2017-2620 / CVE-2017-18030 / CVE-2018-5683 / CVE-2017-7718

  Out-of-bounds access issues in the Cirrus CLGD 54xx VGA emulator support, that could result in denial of service

• CVE-2017-5525 / CVE-2017-5526

  Memory leakage issues in the ac97 and es1370 device emulation

• CVE-2017-5579

  Most memory leakage in the 16550A UART emulation

• CVE-2017-5667

  Out-of-bounds access during multi block SDMA transfer in the SDHCI emulation support.

• CVE-2017-5715

  Mitigations against the Spectre v2 vulnerability. For more information please refer to https://www.qemu.org/2018/01/04/spectre/

• CVE-2017-5856

  Memory leak in the MegaRAID SAS 8708EM2 Host Bus Adapter emulation support

• CVE-2017-5973 / CVE-2017-5987 / CVE-2017-6505

  Infinite loop issues in the USB xHCI, in the transfer mode register of the SDHCI protocol, and the USB ohci_service_ed_list

• CVE-2017-7377

  9pfs: host memory leakage via v9fs_create

• CVE-2017-7493

  Improper access control issues in the host directory sharing via 9pfs support.

• CVE-2017-7980

  Heap-based buffer overflow in the Cirrus VGA device that could allow local guest OS users to execute arbitrary code or cause a denial of service

• CVE-2017-8086

  9pfs: host memory leakage via v9pfs_list_xattr

• CVE-2017-8112

  Infinite loop in the VMWare PVSCSI emulation

• CVE-2017-8309 / CVE-2017-8379

  Host memory leakage issues via the audio capture buffer and the keyboard input event handlers

• CVE-2017-9330

  Infinite loop due to incorrect return value in USB OHCI that may result in denial of service

• CVE-2017-9373 / CVE-2017-9374

  Host memory leakage during hot unplug in IDE AHCI and USB emulated devices that could result in denial of service

• CVE-2017-9503

  Null pointer dereference while processing megasas command

• CVE-2017-10806

  Stack buffer overflow in USB redirector

• CVE-2017-10911

  Xen disk may leak stack data via response ring

• CVE-2017-11434

  Out-of-bounds read while parsing Slirp/DHCP options

• CVE-2017-14167

  Out-of-bounds access while processing multiboot headers that could result in the execution of arbitrary code

• CVE-2017-15038

  9pfs: information disclosure when reading extended attributes

• CVE-2017-15289

  Out-of-bounds write access issue in the Cirrus graphic adaptor that could result in denial of service

• CVE-2017-16845

  Information leak in the PS/2 mouse and keyboard emulation support that could be exploited during instance migration

• CVE-2017-18043

  Integer overflow in the macro ROUND_UP (n, d) that could result in denial of service

• CVE-2018-7550

  Incorrect handling of memory during multiboot that could may result in execution of arbitrary code

For Debian 8 Jessie, these problems have been fixed in version 1:2.1+dfsg-12+deb8u7.

We recommend that you upgrade your qemu packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS