Debian Security Advisory

DLA-1497-1 qemu -- LTS security update

Date Reported:
06 Sep 2018
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 813193, Bug 834904, Bug 835031, Bug 840945, Bug 840950, Bug 847496, Bug 847951, Bug 847953.
In Mitre's CVE dictionary: CVE-2015-8666, CVE-2016-2198, CVE-2016-6833, CVE-2016-6835, CVE-2016-8576, CVE-2016-8667, CVE-2016-8669, CVE-2016-9602, CVE-2016-9603, CVE-2016-9776, CVE-2016-9907, CVE-2016-9911, CVE-2016-9914, CVE-2016-9915, CVE-2016-9916, CVE-2016-9921, CVE-2016-9922, CVE-2016-10155, CVE-2017-2615, CVE-2017-2620, CVE-2017-5525, CVE-2017-5526, CVE-2017-5579, CVE-2017-5667, CVE-2017-5715, CVE-2017-5856, CVE-2017-5973, CVE-2017-5987, CVE-2017-6505, CVE-2017-7377, CVE-2017-7493, CVE-2017-7718, CVE-2017-7980, CVE-2017-8086, CVE-2017-8112, CVE-2017-8309, CVE-2017-8379, CVE-2017-9330, CVE-2017-9373, CVE-2017-9374, CVE-2017-9503, CVE-2017-10806, CVE-2017-10911, CVE-2017-11434, CVE-2017-14167, CVE-2017-15038, CVE-2017-15289, CVE-2017-16845, CVE-2017-18030, CVE-2017-18043, CVE-2018-5683, CVE-2018-7550.
More information:

Several vulnerabilities were found in qemu, a fast processor emulator:

  • CVE-2015-8666

    Heap-based buffer overflow in QEMU when built with the Q35-chipset-based PC system emulator

  • CVE-2016-2198

    Null pointer dereference in ehci_caps_write in the USB EHCI support that may result in denial of service

  • CVE-2016-6833

    Use after free while writing in the vmxnet3 device that could be used to cause a denial of service

  • CVE-2016-6835

    Buffer overflow in vmxnet_tx_pkt_parse_headers() in vmxnet3 device that could result in denial of service

  • CVE-2016-8576

    Infinite loop vulnerability in xhci_ring_fetch in the USB xHCI support

  • CVE-2016-8667 / CVE-2016-8669

    Divide by zero errors in set_next_tick in the JAZZ RC4030 chipset emulator, and in serial_update_parameters of some serial devices, that could result in denial of service

  • CVE-2016-9602

    Improper link following with VirtFS

  • CVE-2016-9603

    Heap buffer overflow via vnc connection in the Cirrus CLGD 54xx VGA emulator support

  • CVE-2016-9776

    Infinite loop while receiving data in the ColdFire Fast Ethernet Controller emulator

  • CVE-2016-9907

    Memory leakage in the USB redirector usb-guest support

  • CVE-2016-9911

    Memory leakage in ehci_init_transfer in the USB EHCI support

  • CVE-2016-9914 / CVE-2016-9915 / CVE-2016-9916

    Plan 9 File System (9pfs): add missing cleanup operation in FileOperations, in the handle backend and in the proxy backend driver

  • CVE-2016-9921 / CVE-2016-9922

    Divide by zero in cirrus_do_copy in the Cirrus CLGD 54xx VGA Emulator support

  • CVE-2016-10155

    Memory leak in hw/watchdog/wdt_i6300esb.c allowing local guest OS privileged users to cause a denial of service via a large number of device unplug operations.

  • CVE-2017-2615 / CVE-2017-2620 / CVE-2017-18030 / CVE-2018-5683 / CVE-2017-7718

    Out-of-bounds access issues in the Cirrus CLGD 54xx VGA emulator support, that could result in denial of service

  • CVE-2017-5525 / CVE-2017-5526

    Memory leakage issues in the ac97 and es1370 device emulation

  • CVE-2017-5579

    Most memory leakage in the 16550A UART emulation

  • CVE-2017-5667

    Out-of-bounds access during multi block SDMA transfer in the SDHCI emulation support.

  • CVE-2017-5715

    Mitigations against the Spectre v2 vulnerability. For more information please refer to

  • CVE-2017-5856

    Memory leak in the MegaRAID SAS 8708EM2 Host Bus Adapter emulation support

  • CVE-2017-5973 / CVE-2017-5987 / CVE-2017-6505

    Infinite loop issues in the USB xHCI, in the transfer mode register of the SDHCI protocol, and the USB ohci_service_ed_list

  • CVE-2017-7377

    9pfs: host memory leakage via v9fs_create

  • CVE-2017-7493

    Improper access control issues in the host directory sharing via 9pfs support.

  • CVE-2017-7980

    Heap-based buffer overflow in the Cirrus VGA device that could allow local guest OS users to execute arbitrary code or cause a denial of service

  • CVE-2017-8086

    9pfs: host memory leakage via v9pfs_list_xattr

  • CVE-2017-8112

    Infinite loop in the VMWare PVSCSI emulation

  • CVE-2017-8309 / CVE-2017-8379

    Host memory leakage issues via the audio capture buffer and the keyboard input event handlers

  • CVE-2017-9330

    Infinite loop due to incorrect return value in USB OHCI that may result in denial of service

  • CVE-2017-9373 / CVE-2017-9374

    Host memory leakage during hot unplug in IDE AHCI and USB emulated devices that could result in denial of service

  • CVE-2017-9503

    Null pointer dereference while processing megasas command

  • CVE-2017-10806

    Stack buffer overflow in USB redirector

  • CVE-2017-10911

    Xen disk may leak stack data via response ring

  • CVE-2017-11434

    Out-of-bounds read while parsing Slirp/DHCP options

  • CVE-2017-14167

    Out-of-bounds access while processing multiboot headers that could result in the execution of arbitrary code

  • CVE-2017-15038

    9pfs: information disclosure when reading extended attributes

  • CVE-2017-15289

    Out-of-bounds write access issue in the Cirrus graphic adaptor that could result in denial of service

  • CVE-2017-16845

    Information leak in the PS/2 mouse and keyboard emulation support that could be exploited during instance migration

  • CVE-2017-18043

    Integer overflow in the macro ROUND_UP (n, d) that could result in denial of service

  • CVE-2018-7550

    Incorrect handling of memory during multiboot that could may result in execution of arbitrary code

For Debian 8 Jessie, these problems have been fixed in version 1:2.1+dfsg-12+deb8u7.

We recommend that you upgrade your qemu packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: