qemu - Debian Package Tracker

general

source: qemu (main)
version: 1:7.0+dfsg-7
maintainer: Debian QEMU Team (archive) (DMD)
uploaders: Michael Tokarev [DMD]
arch: all any
std-ver: 4.5.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1:2.8+dfsg-6+deb9u9
o-o-sec: 1:2.8+dfsg-6+deb9u17
oldstable: 1:3.1+dfsg-8+deb10u8
old-sec: 1:3.1+dfsg-8+deb10u8
old-bpo: 1:5.2+dfsg-9~bpo10+1
stable: 1:5.2+dfsg-11+deb11u2
stable-sec: 1:5.2+dfsg-11+deb11u2
stable-bpo: 1:7.0+dfsg-2~bpo11+2
testing: 1:7.0+dfsg-7
unstable: 1:7.0+dfsg-7

versioned links

1:2.8+dfsg-6+deb9u9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.8+dfsg-6+deb9u17: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:3.1+dfsg-8+deb10u8: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:5.2+dfsg-9~bpo10+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:5.2+dfsg-11+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:6.2+dfsg-2~bpo11+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:7.0+dfsg-2~bpo11+2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:7.0+dfsg-7: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

qemu-block-extra
qemu-guest-agent (2 bugs: 0, 2, 0, 0)
qemu-system (9 bugs: 0, 3, 6, 0)
qemu-system-arm (5 bugs: 0, 2, 3, 0)
qemu-system-common (5 bugs: 0, 0, 5, 0)
qemu-system-data
qemu-system-gui (3 bugs: 0, 3, 0, 0)
qemu-system-mips
qemu-system-misc (1 bugs: 0, 1, 0, 0)
qemu-system-ppc (2 bugs: 0, 2, 0, 0)
qemu-system-sparc
qemu-system-x86 (24 bugs: 0, 19, 5, 0)
qemu-system-xen
qemu-user (2 bugs: 0, 2, 0, 0)
qemu-user-binfmt (2 bugs: 0, 2, 0, 0)
qemu-user-static (23 bugs: 0, 22, 1, 0)
qemu-utils (2 bugs: 0, 1, 1, 0)

action needed

A new upstream version is available: 7.1~rc1 high

A new upstream version 7.1~rc1 is available, you should consider packaging it.

Created: 2022-07-30 Last update: 2022-08-09 11:34

12 security issues in sid high

There are 12 open security issues in sid.

12 important issues:

CVE-2021-3507: A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on the host resulting in DoS scenario, or potential information leakage from the host memory.
CVE-2021-3735:
CVE-2022-0216:
CVE-2022-1050: A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition.
CVE-2019-12067: The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null.
CVE-2020-14394:
CVE-2020-25741: fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive.
CVE-2020-25742: pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer.
CVE-2020-25743: hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call.
CVE-2020-35503: A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2021-20255: A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2022-35414: softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash.

Created: 2022-07-04 Last update: 2022-08-01 13:40

30 security issues in buster high

There are 30 open security issues in buster.

3 important issues:

CVE-2021-4206: A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc() function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.
CVE-2021-4207: A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.
CVE-2022-35414: softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash.

25 issues postponed or untriaged:

CVE-2021-3416: (postponed; to be fixed through a stable update) A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host resulting in DoS scenario.
CVE-2021-3507: (needs triaging) A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on the host resulting in DoS scenario, or potential information leakage from the host memory.
CVE-2021-3592: (needs triaging) An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the bootp_input() function and could occur while processing a udp packet that is smaller than the size of the 'bootp_t' structure. A malicious guest could use this flaw to leak 10 bytes of uninitialized heap memory from the host. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0.
CVE-2021-3593: (needs triaging) An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp6_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0.
CVE-2021-3594: (needs triaging) An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0.
CVE-2021-3595: (needs triaging) An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the tftp_input() function and could occur while processing a udp packet that is smaller than the size of the 'tftp_t' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0.
CVE-2021-3735: (needs triaging)
CVE-2021-3750: (needs triaging) A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller's registers and trigger undesirable actions (such as reset) while the device is still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects QEMU versions before 7.0.0.
CVE-2021-3929: (needs triaging)
CVE-2022-0216: (needs triaging)
CVE-2022-1050: (needs triaging) A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition.
CVE-2019-12067: (postponed; to be fixed through a stable update) The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null.
CVE-2020-14394: (postponed; to be fixed through a stable update)
CVE-2020-17380: (postponed; to be fixed through a stable update) A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the QEMU process on the host.
CVE-2020-25741: (postponed; to be fixed through a stable update) fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive.
CVE-2020-25742: (postponed; to be fixed through a stable update) pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer.
CVE-2020-25743: (postponed; to be fixed through a stable update) hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call.
CVE-2020-27821: (postponed; to be fixed through a stable update) A flaw was found in the memory management API of QEMU during the initialization of a memory region cache. This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service. This flaw affects QEMU versions prior to 5.2.0.
CVE-2020-28916: (postponed; to be fixed through a stable update) hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.
CVE-2020-29129: (postponed; to be fixed through a stable update) ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.
CVE-2020-29130: (postponed; to be fixed through a stable update) slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.
CVE-2020-29443: (postponed; to be fixed through a stable update) ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated.
CVE-2020-35503: (postponed; to be fixed through a stable update) A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2021-20255: (postponed; to be fixed through a stable update) A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2022-26354: (needs triaging) A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= 6.2.0.

2 ignored issues:

CVE-2019-8934: hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest.
CVE-2020-15469: In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.

24 issues that should be fixed with the next stable update:

CVE-2021-3392: A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req' from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected.
CVE-2021-3527: A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service.
CVE-2021-3582: A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. The issue occurs while handling a "PVRDMA_CMD_CREATE_MR" command due to improper memory remapping (mremap). This flaw allows a malicious guest to crash the QEMU process on the host. The highest threat from this vulnerability is to system availability.
CVE-2021-3607: An integer overflow was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest due to improper input validation. This flaw allows a privileged guest user to make QEMU allocate a large amount of memory, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2021-3608: A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest and may result in a crash of QEMU or cause undefined behavior due to the access of an uninitialized pointer. The highest threat from this vulnerability is to system availability.
CVE-2021-3682: A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host.
CVE-2021-3713: An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of-bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host.
CVE-2021-3748: A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process.
CVE-2021-3930: An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.
CVE-2020-13253: sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process.
CVE-2020-15859: QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data's address set to the e1000e's MMIO address.
CVE-2020-25084: QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked.
CVE-2020-25085: QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c mishandles a write operation in the SDHC_BLKSIZE case.
CVE-2020-25624: hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host controller driver.
CVE-2020-25625: hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop.
CVE-2020-25723: A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host, resulting in a denial of service.
CVE-2020-27617: eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest can crash the QEMU process via packet data that lacks a valid Layer 3 protocol.
CVE-2020-35504: A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2020-35505: A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2021-20181: A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability.
CVE-2021-20196: A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2021-20203: An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.
CVE-2021-20221: An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.
CVE-2021-20257: An infinite loop flaw was found in the e1000 NIC emulator of the QEMU. This issue occurs while processing transmits (tx) descriptors in process_tx_desc if various descriptor fields are initialized with invalid values. This flaw allows a guest to consume CPU cycles on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

Created: 2022-07-04 Last update: 2022-08-01 13:40

22 security issues in bullseye high

There are 22 open security issues in bullseye.

1 important issue:

CVE-2022-35414: softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash.

20 issues left for the package maintainer to handle:

CVE-2021-3507: (needs triaging) A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on the host resulting in DoS scenario, or potential information leakage from the host memory.
CVE-2021-3611: (needs triaging) A stack overflow vulnerability was found in the Intel HD Audio device (intel-hda) of QEMU. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability. This flaw affects QEMU versions prior to 7.0.0.
CVE-2021-3735: (needs triaging)
CVE-2021-3750: (needs triaging) A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller's registers and trigger undesirable actions (such as reset) while the device is still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects QEMU versions before 7.0.0.
CVE-2021-3929: (needs triaging)
CVE-2021-3930: (postponed; to be fixed through a stable update) An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.
CVE-2022-0216: (needs triaging)
CVE-2022-1050: (needs triaging) A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition.
CVE-2019-12067: (postponed; to be fixed through a stable update) The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null.
CVE-2020-14394: (postponed; to be fixed through a stable update)
CVE-2020-25741: (postponed; to be fixed through a stable update) fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive.
CVE-2020-25742: (postponed; to be fixed through a stable update) pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer.
CVE-2020-25743: (postponed; to be fixed through a stable update) hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call.
CVE-2020-35503: (postponed; to be fixed through a stable update) A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2020-35504: (postponed; to be fixed through a stable update) A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2020-35505: (postponed; to be fixed through a stable update) A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2020-35506: (postponed; to be fixed through a stable update) A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0 during the handling of the 'Information Transfer' command (CMD_TI). This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process.
CVE-2021-20196: (postponed; to be fixed through a stable update) A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2021-20203: (postponed; to be fixed through a stable update) An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.
CVE-2021-20255: (postponed; to be fixed through a stable update) A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

You can find information about how to handle these issues in the security team's documentation.

1 ignored issue:

CVE-2020-15469: In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.

Created: 2022-07-04 Last update: 2022-08-01 13:40

12 security issues in bookworm high

There are 12 open security issues in bookworm.

12 important issues:

CVE-2021-3507: A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on the host resulting in DoS scenario, or potential information leakage from the host memory.
CVE-2021-3735:
CVE-2022-0216:
CVE-2022-1050: A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition.
CVE-2019-12067: The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null.
CVE-2020-14394:
CVE-2020-25741: fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive.
CVE-2020-25742: pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer.
CVE-2020-25743: hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call.
CVE-2020-35503: A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2021-20255: A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2022-35414: softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash.

Created: 2022-07-04 Last update: 2022-08-01 13:40

lintian reports 22 errors and 57 warnings high

Lintian reports 22 errors and 57 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2022-01-01 Last update: 2022-07-30 12:16

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2022-07-27 Last update: 2022-08-09 12:33

Fails to build during reproducibility testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2022-05-05 Last update: 2022-08-09 11:35

4 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 97b4d4b75d44bbba824c619ccc08367ff12770ed
Author: Michael Tokarev <mjt@tls.msk.ru>
Date:   Thu Jul 21 14:11:19 2022 +0300

    d/rules: remove ubuntu-xen build as it is now a transitional package

commit f959973c480fa37c41eb4c313fea6cac9466019e
Author: Michael Tokarev <mjt@tls.msk.ru>
Date:   Thu Jul 21 14:09:20 2022 +0300

    d/control: fix description in last change

commit fc6b5b5f554cca944c684dd91032118e12813102
Merge: 0404aa1e7 3c00a7dd3
Author: Michael Tokarev <mjt@debian.org>
Date:   Thu Jul 21 11:07:08 2022 +0000

    Merge branch 'follow-debian-qemu-system-xen' into 'master'
    
    d/control-in: switch qemu-system-x86-xen to qemu-system-xen
    
    See merge request qemu-team/qemu!34

commit 3c00a7dd31b236442bdcbe8e0e12c06e8530c8dc
Author: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Date:   Tue Jul 5 12:55:17 2022 +0200

    d/control-in: switch qemu-system-x86-xen to qemu-system-xen
    
    qemu-system-x86-xen landed in Debian but under a different name.
    Therefore we:
    - no more need the alternate depends as they are no more mutually
      exclusive
    - need a transitional for the name change
    - need breaks/replace for the name change
    
    Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>

Created: 2022-07-21 Last update: 2022-08-03 15:17

Multiarch hinter reports 1 issue(s) low

There are issues with the multiarch metadata for this package.

qemu-system could be converted to Architecture: all and marked Multi-Arch: foreign

Created: 2022-05-17 Last update: 2022-08-09 12:00

Build log checks report 2 warnings low

Build log checks report 2 warnings

Created: 2022-05-16 Last update: 2022-05-16 00:32

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.1 instead of 4.5.1).

Created: 2021-08-18 Last update: 2022-05-15 18:16

news

[rss feed]

[2022-05-20] qemu 1:7.0+dfsg-7 MIGRATED to testing (Debian testing watch)
[2022-05-15] Accepted qemu 1:7.0+dfsg-7 (source) into unstable (Michael Tokarev)
[2022-05-14] Accepted qemu 1:5.2+dfsg-11+deb11u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Michael Tokarev)
[2022-05-14] qemu 1:7.0+dfsg-6 MIGRATED to testing (Debian testing watch)
[2022-05-09] Accepted qemu 1:5.2+dfsg-11+deb11u2 (source) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Michael Tokarev)
[2022-05-08] Accepted qemu 1:7.0+dfsg-6 (source) into unstable (Michael Tokarev)
[2022-05-08] Accepted qemu 1:7.0+dfsg-2~bpo11+2 (source) into bullseye-backports (Michael Tokarev)
[2022-05-07] Accepted qemu 1:7.0+dfsg-2~bpo11+1 (source amd64 all) into bullseye-backports, bullseye-backports (Debian FTP Masters) (signed by: Michael Tokarev)
[2022-05-07] Accepted qemu 1:7.0+dfsg-5 (source) into unstable (Michael Tokarev)
[2022-05-07] Accepted qemu 1:7.0+dfsg-4 (source) into unstable (Michael Tokarev)
[2022-05-06] Accepted qemu 1:7.0+dfsg-3 (source) into unstable (Michael Tokarev)
[2022-05-05] qemu 1:7.0+dfsg-2 MIGRATED to testing (Debian testing watch)
[2022-04-30] Accepted qemu 1:7.0+dfsg-2 (source) into unstable (Michael Tokarev)
[2022-04-26] qemu 1:7.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-04-21] Accepted qemu 1:7.0+dfsg-1 (source) into unstable (Michael Tokarev)
[2022-04-20] Accepted qemu 1:7.0~rc4+dfsg-1 (source amd64 all) into unstable, unstable (Debian FTP Masters) (signed by: Michael Tokarev)
[2022-04-20] qemu 1:6.2+dfsg-3 MIGRATED to testing (Debian testing watch)
[2022-04-04] Accepted qemu 1:2.8+dfsg-6+deb9u17 (source) into oldoldstable (Emilio Pozuelo Monfort)
[2022-02-26] Accepted qemu 1:6.2+dfsg-3 (source) into unstable (Michael Tokarev)
[2022-02-02] Accepted qemu 1:6.2+dfsg-2~bpo11+1 (source) into bullseye-backports (Michael Tokarev)
[2022-01-25] qemu 1:6.2+dfsg-2 MIGRATED to testing (Debian testing watch)
[2022-01-20] Accepted qemu 1:6.2+dfsg-2 (source) into unstable (Michael Tokarev)
[2022-01-15] qemu 1:6.2+dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-01-09] Accepted qemu 1:6.2+dfsg-1 (source) into unstable (Michael Tokarev)
[2021-11-01] qemu 1:6.1+dfsg-8 MIGRATED to testing (Debian testing watch)
[2021-10-27] Accepted qemu 1:6.1+dfsg-8 (source) into unstable (Michael Tokarev)
[2021-10-26] Accepted qemu 1:6.1+dfsg-7 (source) into unstable (Michael Tokarev)
[2021-10-09] Accepted qemu 1:5.2+dfsg-11+deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Michael Tokarev)
[2021-10-08] Accepted qemu 1:6.1+dfsg-6~bpo11+1 (source amd64 all) into bullseye-backports, bullseye-backports (Debian FTP Masters) (signed by: Michael Tokarev)
[2021-10-05] qemu 1:6.1+dfsg-6 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 157 170
RC: 0
I&N: 91 95
M&W: 66 75
F&P: 0
patch: 1

links

homepage
lintian (22, 57)
buildd: logs, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (-, 92)
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1:7.0+dfsg-7ubuntu1
81 bugs (1 patch)