Format: 1.8
Date: Wed, 01 Sep 2021 23:08:52 +0200
Source: qemu
Binary: qemu qemu-system qemu-block-extra qemu-system-common qemu-system-misc qemu-system-arm qemu-system-mips qemu-system-ppc qemu-system-sparc qemu-system-x86 qemu-user qemu-user-static qemu-user-binfmt qemu-utils qemu-guest-agent qemu-kvm
Architecture: source
Version: 1:2.8+dfsg-6+deb9u15
Distribution: stretch-security
Urgency: high
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 qemu       - fast processor emulator
 qemu-block-extra - extra block backend modules for qemu-system and qemu-utils
 qemu-guest-agent - Guest-side qemu-system agent
 qemu-kvm   - QEMU Full virtualization on x86 hardware
 qemu-system - QEMU full system emulation binaries
 qemu-system-arm - QEMU full system emulation binaries (arm)
 qemu-system-common - QEMU full system emulation binaries (common files)
 qemu-system-mips - QEMU full system emulation binaries (mips)
 qemu-system-misc - QEMU full system emulation binaries (miscellaneous)
 qemu-system-ppc - QEMU full system emulation binaries (ppc)
 qemu-system-sparc - QEMU full system emulation binaries (sparc)
 qemu-system-x86 - QEMU full system emulation binaries (x86)
 qemu-user  - QEMU user mode emulation binaries
 qemu-user-binfmt - QEMU user mode binfmt registration for qemu-user
 qemu-user-static - QEMU user mode emulation binaries (static version)
 qemu-utils - QEMU utilities
Changes:
 qemu (1:2.8+dfsg-6+deb9u15) stretch-security; urgency=high
 .
   * Non-maintainer upload by the ELTS team.
   * Fix CVE-2021-3713:
     An out-of-bounds write flaw was found in the UAS (USB Attached SCSI)
     device emulation of QEMU. The device uses the guest supplied stream
     number unchecked, which can lead to out-of-bounds access to the
     UASDevice->data3 and UASDevice->status3 fields. A malicious guest user
     could use this flaw to crash QEMU or potentially achieve code execution
     with the privileges of the QEMU process on the host.
   * Fix CVE-2021-3682:
     A flaw was found in the USB redirector device emulation of QEMU. It
     occurs when dropping packets during a bulk transfer from a SPICE client
     due to the packet queue being full. A malicious SPICE client could use
     this flaw to make QEMU call free() with faked heap chunk metadata,
     resulting in a crash of QEMU or potential code execution with the
     privileges of the QEMU process on the host.
   * Fix CVE-2021-3527:
     A flaw was found in the USB redirector device (usb-redir) of QEMU.
     Small USB packets are combined into a single, large transfer request,
     to reduce the overhead and improve performance. The combined size of
     the bulk transfer is used to dynamically allocate a variable length
     array (VLA) on the stack without proper validation. Since the total
     size is not bounded, a malicious guest could use this flaw to influence
     the array length and cause the QEMU process to perform an excessive
     allocation on the stack, resulting in a denial of service.
   * Fix CVE-2021-3594:
     An invalid pointer initialization issue was found in the SLiRP
     networking implementation of QEMU. The flaw exists in the udp_input()
     function and could occur while processing a udp packet that is smaller
     than the size of the 'udphdr' structure. This issue may lead to
     out-of-bounds read access or indirect host memory disclosure to the
     guest. The highest threat from this vulnerability is to data
     confidentiality.
   * Fix CVE-2021-3592:
     An invalid pointer initialization issue was found in the SLiRP
     networking implementation of QEMU. The flaw exists in the bootp_input()
     function and could occur while processing a udp packet that is smaller
     than the size of the 'bootp_t' structure. A malicious guest could use
     this flaw to leak 10 bytes of uninitialized heap memory from the host.
     The highest threat from this vulnerability is to data confidentiality.
   * Fix CVE-2021-3595:
     An invalid pointer initialization issue was found in the SLiRP
     networking implementation of QEMU. The flaw exists in the tftp_input()
     function and could occur while processing a udp packet that is smaller
     than the size of the 'tftp_t' structure. This issue may lead to
     out-of-bounds read access or indirect host memory disclosure to the
     guest. The highest threat from this vulnerability is to data
     confidentiality.
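The three SLiRP entries above (CVE-2021-3594, CVE-2021-3592, CVE-2021-3595) share one root cause: a header structure is read from a UDP packet that is shorter than that structure. The following is an added illustration of the length-checked parsing that prevents this class of bug; it is not QEMU or SLiRP code and not the Debian patch. The names `cursor`, `pull` and `parse_udp_tftp` are hypothetical, and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define UDP_HDR_LEN  8u  /* src port, dst port, length, checksum */
#define TFTP_HDR_LEN 4u  /* opcode + block number (DATA/ACK packets) */

/* Cursor over untrusted packet bytes (hypothetical type for this example). */
struct cursor { const uint8_t *p; size_t left; };

/* Return a pointer to the next n bytes and advance the cursor, or NULL
 * if the packet does not actually contain that many bytes. */
static const uint8_t *pull(struct cursor *c, size_t n)
{
    if (c->p == NULL || c->left < n)
        return NULL;
    const uint8_t *out = c->p;
    c->p += n;
    c->left -= n;
    return out;
}

static uint16_t be16(const uint8_t *b) { return (uint16_t)((b[0] << 8) | b[1]); }

/* Parse the UDP header, then the TFTP header. Returns the TFTP opcode, or
 * -1 if the packet is too short for either header or its length is bogus. */
int parse_udp_tftp(const uint8_t *pkt, size_t len, uint16_t *block)
{
    struct cursor c = { pkt, len };
    const uint8_t *udp = pull(&c, UDP_HDR_LEN);
    if (udp == NULL)
        return -1;                      /* shorter than the UDP header */
    size_t udp_len = be16(udp + 4);     /* header + payload, as claimed */
    if (udp_len < UDP_HDR_LEN || udp_len > len)
        return -1;                      /* claim disagrees with real size */
    c.left = udp_len - UDP_HDR_LEN;     /* never read past the datagram */
    const uint8_t *tftp = pull(&c, TFTP_HDR_LEN);
    if (tftp == NULL)
        return -1;                      /* shorter than the TFTP header */
    *block = be16(tftp + 2);
    return be16(tftp);
}

/* Constructed sample packets: a valid ACK for block 7, and two short ones. */
static const uint8_t SAMPLE_OK[] = { 0x04,0x00, 0x00,0x45, 0x00,0x0c, 0x00,0x00, 0x00,0x04, 0x00,0x07 };
static const uint8_t SAMPLE_SHORT_UDP[] = { 0x04,0x00, 0x00,0x45, 0x00 };
static const uint8_t SAMPLE_SHORT_TFTP[] = { 0x04,0x00, 0x00,0x45, 0x00,0x0a, 0x00,0x00, 0x00,0x04 };

int main(void)
{
    uint16_t blk = 0;
    return parse_udp_tftp(SAMPLE_OK, sizeof SAMPLE_OK, &blk) == 4 && blk == 7 ? 0 : 1;
}
```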