Debian Security Advisory

DSA-3349-1 qemu-kvm -- security update

Date Reported:
02 Sep 2015
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2015-5165, CVE-2015-5745.
More information:

Several vulnerabilities were discovered in qemu-kvm, a full virtualization solution on x86 hardware.

  • CVE-2015-5165

    Donghai Zhu discovered that the QEMU model of the RTL8139 network card did not sufficiently validate inputs in the C+ mode offload emulation, allowing a malicious guest to read uninitialized memory from the QEMU process's heap.

  • CVE-2015-5745

    A buffer overflow vulnerability was discovered in the way QEMU handles the virtio-serial device. A malicious guest could use this flaw to mount a denial of service (QEMU process crash).

For the oldstable distribution (wheezy), these problems have been fixed in version 1.1.2+dfsg-6+deb7u9.

We recommend that you upgrade your qemu-kvm packages.