Debian Security Advisory
DSA-3573-1 qemu -- security update
- Date Reported:
- 09 May 2016
- Affected Packages:
- qemu
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 823830.
In Mitre's CVE dictionary: CVE-2016-3710, CVE-2016-3712. - More information:
-
Several vulnerabilities were discovered in qemu, a fast processor emulator.
- CVE-2016-3710
Wei Xiao and Qinghao Tang of 360.cn Inc discovered an out-of-bounds read and write flaw in the QEMU VGA module. A privileged guest user could use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process.
- CVE-2016-3712
Zuozhi Fzz of Alibaba Inc discovered potential integer overflow or out-of-bounds read access issues in the QEMU VGA module. A privileged guest user could use this flaw to mount a denial of service (QEMU process crash).
For the stable distribution (jessie), these problems have been fixed in version 1:2.1+dfsg-12+deb8u6.
We recommend that you upgrade your qemu packages.
- CVE-2016-3710