Debian Package Tracker

qemu

general
  • source: qemu (main)
  • version: 1:8.1.1+ds-1
  • maintainer: Debian QEMU Team (archive) (DMD)
  • uploaders: Michael Tokarev [DMD]
  • arch: all any
  • std-ver: 4.6.1
  • VCS: Git (Browse, QA)
versions (more versions can be listed with madison; old versions are available from snapshot.debian.org and the pool directory)
  • o-o-stable: 1:3.1+dfsg-8+deb10u8
  • o-o-sec: 1:3.1+dfsg-8+deb10u10
  • o-o-bpo: 1:5.2+dfsg-9~bpo10+1
  • oldstable: 1:5.2+dfsg-11+deb11u2
  • old-sec: 1:5.2+dfsg-11+deb11u2
  • old-bpo: 1:7.2+dfsg-7~bpo11+1
  • old-p-u: 1:5.2+dfsg-11+deb11u3
  • stable: 1:7.2+dfsg-7+deb12u1
  • stable-bpo: 1:8.0.4+dfsg-1~bpo12+1
  • stable-p-u: 1:7.2+dfsg-7+deb12u2
  • testing: 1:8.1.0+ds-6
  • unstable: 1:8.1.1+ds-1
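The version strings above follow Debian's `[epoch:]upstream[-revision]` syntax, and the suffixes carry meaning when you check whether a host has a given fix: `+debNuM` marks a stable point update on top of Debian revision N, while `~bpoNN+M` marks a backport, and `~` sorts before everything else, including the end of the string, so a backport ranks below the version it was built from. Plain string comparison gets this wrong (`~` is above `+` in ASCII). The following is an added example, not code from the tracker or from dpkg itself; it re-implements dpkg's comparison rules in Python so the suite versions listed above can be ordered the way apt orders them.

```python
"""Debian version ordering, re-implemented from the dpkg algorithm.

Added example, not part of the tracker page or of dpkg. Rules mirrored:
compare epoch, then upstream version, then Debian revision; inside each,
alternate non-digit runs (character order: '~' < end-of-string < letters <
other punctuation) and digit runs (compared numerically).
"""


def split_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    # The Debian revision is everything after the *last* hyphen; upstream
    # versions may themselves contain hyphens.
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = revision, ""
    return epoch, upstream, revision


def _order(c):
    """Sort weight of one character inside a non-digit run, as in dpkg."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1                      # '~' sorts before anything, even end of string
    return ord(c) + 256 if c else 0    # other punctuation after letters; end of string == 0


def _verrevcmp(a, b):
    """Compare two version fragments; negative, zero or positive like strcmp."""
    i = j = 0
    while i < len(a) or j < len(b):
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        # Non-digit run: compare character by character using _order().
        while (ca and not ca.isdigit()) or (cb and not cb.isdigit()):
            oa, ob = _order(ca), _order(cb)
            if oa != ob:
                return oa - ob
            i += 1
            j += 1
            ca = a[i] if i < len(a) else ""
            cb = b[j] if j < len(b) else ""
        # Digit run: drop leading zeros; a longer run wins, otherwise the
        # first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    result = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (result > 0) - (result < 0)


def is_at_least(installed, fixed):
    """True when `installed` already carries a fix first shipped in version `fixed`."""
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    # Pairs taken from the suite list on this page.
    pairs = [
        ("1:7.2+dfsg-7~bpo11+1", "1:7.2+dfsg-7+deb12u1"),   # backport below the point update
        ("1:7.2+dfsg-7+deb12u2", "1:7.2+dfsg-7+deb12u1"),   # later point update wins
        ("1:8.1.1+ds-1", "1:8.1.0+ds-6"),                   # unstable vs testing
        ("1:5.2+dfsg-11+deb11u2", "1:5.2+dfsg-9~bpo10+1"),  # 11 > 9 numerically, not lexically
    ]
    for a, b in pairs:
        print(f"{a} {'<=>'[compare_versions(a, b) + 1]} {b}")
```

On a Debian host the authoritative check is `dpkg --compare-versions A lt B` (exit status 0 when the relation holds); the function above gives the same ordering offline, for example when matching an inventory export against the fixed versions recorded by the security tracker.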
binaries
  • qemu-block-extra
  • qemu-guest-agent (1 bugs: 0, 1, 0, 0)
  • qemu-system (8 bugs: 0, 3, 5, 0)
  • qemu-system-arm (5 bugs: 0, 2, 3, 0)
  • qemu-system-common (6 bugs: 0, 0, 6, 0)
  • qemu-system-data (1 bugs: 0, 0, 1, 0)
  • qemu-system-gui (3 bugs: 0, 3, 0, 0)
  • qemu-system-mips
  • qemu-system-misc (1 bugs: 0, 1, 0, 0)
  • qemu-system-modules-opengl
  • qemu-system-modules-spice
  • qemu-system-ppc (2 bugs: 0, 2, 0, 0)
  • qemu-system-sparc
  • qemu-system-x86 (23 bugs: 0, 18, 5, 0)
  • qemu-system-xen
  • qemu-user (1 bugs: 0, 1, 0, 0)
  • qemu-user-binfmt
  • qemu-user-static (17 bugs: 0, 16, 1, 0)
  • qemu-utils (2 bugs: 0, 1, 1, 0)
action needed
11 security issues in trixie (severity: high)

There are 11 open security issues in trixie.

11 important issues:
  • CVE-2021-3735: A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.
  • CVE-2022-3872: An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
  • CVE-2023-1386: A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host.
  • CVE-2023-3019: A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.
  • CVE-2019-12067: The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null.
  • CVE-2020-25741: fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive.
  • CVE-2020-25742: pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer.
  • CVE-2020-25743: hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call.
  • CVE-2020-35503: A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
  • CVE-2022-36648: The hardware emulation in the of_dpa_cmd_add_l2_flood of rocker device model in QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host qemu and potentially execute code on the host by executing a malformed program in the guest OS.
  • CVE-2023-42467: QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not prevent s->qdev.blocksize from being 256. This stops QEMU and the guest immediately.
Created: 2023-06-11 Last update: 2023-10-03 08:32
10 security issues in sid (severity: high)

There are 10 open security issues in sid.

10 important issues:
  • CVE-2021-3735: A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.
  • CVE-2022-3872: An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
  • CVE-2023-1386: A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host.
  • CVE-2023-3019: A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.
  • CVE-2019-12067: The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null.
  • CVE-2020-25741: fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive.
  • CVE-2020-25742: pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer.
  • CVE-2020-25743: hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call.
  • CVE-2020-35503: A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
  • CVE-2022-36648: The hardware emulation in the of_dpa_cmd_add_l2_flood of rocker device model in QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host qemu and potentially execute code on the host by executing a malformed program in the guest OS.
Created: 2022-07-04 Last update: 2023-10-03 08:32
21 security issues in buster (severity: high)

There are 21 open security issues in buster.

1 important issue:
  • CVE-2020-24165: An issue was discovered in TCG Accelerator in QEMU 4.2.0, allows local attackers to execute arbitrary code, escalate privileges, and cause a denial of service (DoS).
19 issues postponed or untriaged:
  • CVE-2021-3735: (postponed; to be fixed through a stable update) A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.
  • CVE-2021-3750: (postponed; to be fixed through a stable update) A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller's registers and trigger undesirable actions (such as reset) while the device is still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects QEMU versions before 7.0.0.
  • CVE-2022-3872: (postponed; to be fixed through a stable update) An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
  • CVE-2022-4144: (postponed; to be fixed through a stable update) An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt() function does not check the size of the structure pointed to by the guest physical address, potentially reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to crash the QEMU process on the host causing a denial of service condition.
  • CVE-2023-0330: (postponed; to be fixed through a stable update) A vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free.
  • CVE-2023-1386: (needs triaging) A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host.
  • CVE-2023-1544: (needs triaging) A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.
  • CVE-2023-2861: (needs triaging)
  • CVE-2023-3019: (needs triaging) A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.
  • CVE-2023-3180: (postponed; to be fixed through a stable update) A flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in virtio_crypto_handle_sym_req. There is no check for the value of `src_len` and `dst_len` in virtio_crypto_sym_op_helper, potentially leading to a heap buffer overflow when the two values differ.
  • CVE-2023-3354: (needs triaging) A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks whether the current number of connections crosses a certain threshold and if so, cleans up the previous connection. If the previous connection happens to be in the handshake phase and fails, QEMU cleans up the connection again, resulting in a NULL pointer dereference issue. This could allow a remote unauthenticated client to cause a denial of service.
  • CVE-2019-12067: (postponed; to be fixed through a stable update) The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null.
  • CVE-2020-25741: (postponed; to be fixed through a stable update) fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive.
  • CVE-2020-25742: (postponed; to be fixed through a stable update) pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer.
  • CVE-2020-25743: (postponed; to be fixed through a stable update) hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call.
  • CVE-2020-35503: (postponed; to be fixed through a stable update) A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
  • CVE-2021-20255: (postponed; to be fixed through a stable update) A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
  • CVE-2022-36648: (postponed; to be fixed through a stable update) The hardware emulation in the of_dpa_cmd_add_l2_flood of rocker device model in QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host qemu and potentially execute code on the host by executing a malformed program in the guest OS.
  • CVE-2023-42467: (needs triaging) QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not prevent s->qdev.blocksize from being 256. This stops QEMU and the guest immediately.
1 ignored issue:
  • CVE-2019-8934: hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest.
Created: 2023-08-31 Last update: 2023-10-03 08:32
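The panels for trixie, sid and buster above repeat the same CVE ids with different statuses, and the differences are what a vulnerability manager actually needs from this page: trixie (1:8.1.0+ds-6) lists CVE-2023-42467 while sid (1:8.1.1+ds-1) does not, and buster's 21 issues split into one important issue, a block of postponed or untriaged ones, and one ignored issue. The script below is an added example, not part of the tracker or of Debian's tooling; it parses text in the panel layout used on this page and computes those differences. The embedded excerpt is constructed: it keeps the page's CVE ids and statuses but only a few bullets per panel (so the counts in the headers are the page's, not the excerpt's) and shortens the descriptions.

```python
"""Triage helper for Debian tracker 'action needed' panels.

Added example, not part of the tracker. Parses per-suite CVE lists in the
layout shown on this page and answers: what is open in a suite and with
which status, and which CVEs are listed for one suite but not another.
"""
import re
from collections import Counter

# Constructed excerpt in the panel layout used above; CVE ids and statuses
# are the page's, descriptions are shortened and most bullets are omitted.
SAMPLE = """\
11 security issues in trixie high
There are 11 open security issues in trixie.
11 important issues:
  • CVE-2021-3735: A deadlock issue was found in the AHCI controller device of QEMU.
  • CVE-2022-3872: An off-by-one read/write issue was found in the SDHCI device of QEMU.
  • CVE-2023-3019: A DMA reentrancy issue leading to a use-after-free error was found in e1000e.
  • CVE-2023-42467: QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset.
Created: 2023-06-11 Last update: 2023-10-03 08:32
10 security issues in sid high
There are 10 open security issues in sid.
10 important issues:
  • CVE-2021-3735: A deadlock issue was found in the AHCI controller device of QEMU.
  • CVE-2022-3872: An off-by-one read/write issue was found in the SDHCI device of QEMU.
  • CVE-2023-3019: A DMA reentrancy issue leading to a use-after-free error was found in e1000e.
Created: 2022-07-04 Last update: 2023-10-03 08:32
21 security issues in buster high
There are 21 open security issues in buster.
1 important issue:
  • CVE-2020-24165: An issue was discovered in TCG Accelerator in QEMU 4.2.0.
19 issues postponed or untriaged:
  • CVE-2021-3735: (postponed; to be fixed through a stable update) A deadlock issue was found in the AHCI controller device of QEMU.
  • CVE-2023-1386: (needs triaging) A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU.
  • CVE-2023-2861: (needs triaging)
1 ignored issue:
  • CVE-2019-8934: hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure.
Created: 2023-08-31 Last update: 2023-10-03 08:32
"""

SUITE_RE = re.compile(r"^\d+ (?:low-priority )?security issues in (\w+)")
GROUP_RE = re.compile(r"^\d+ (.+):$")                  # e.g. "11 important issues:"
CVE_RE = re.compile(r"^\s*•\s*(CVE-\d{4}-\d{4,7}):\s*(?:\(([^)]*)\))?")


def _status(tag, group):
    """Collapse the page's wording into a small set of triage buckets."""
    if tag:                      # parenthetical right after the CVE id wins
        return "postponed" if tag.startswith("postponed") else tag
    group = group or ""
    if "important" in group:
        return "important"
    if "ignored" in group:
        return "ignored"
    if "next stable update" in group:
        return "next stable update"
    return "untriaged"


def parse_tracker(text):
    """Return {suite: {cve_id: status}} from tracker-style panel text."""
    suites = {}
    suite = group = None
    for line in text.splitlines():
        m = SUITE_RE.match(line)
        if m:
            suite = m.group(1)
            suites.setdefault(suite, {})
            group = None
            continue
        m = GROUP_RE.match(line)
        if m:
            group = m.group(1)
            continue
        m = CVE_RE.match(line)
        if m and suite is not None:
            suites[suite][m.group(1)] = _status(m.group(2), group)
    return suites


def open_in_only(suites, a, b):
    """CVEs listed as open for suite a but absent from suite b's panel."""
    return sorted(set(suites[a]) - set(suites[b]))


def status_counts(suites, suite):
    """How many CVEs sit in each triage bucket for one suite."""
    return Counter(suites[suite].values())


def needing_triage(suites):
    """Every CVE that still carries 'needs triaging' in at least one suite."""
    return sorted({cve for statuses in suites.values()
                   for cve, st in statuses.items() if st == "needs triaging"})


DATA = parse_tracker(SAMPLE)

if __name__ == "__main__":
    print("listed for trixie but not sid:", open_in_only(DATA, "trixie", "sid"))
    print("buster by status:", dict(status_counts(DATA, "buster")))
    print("still untriaged somewhere:", needing_triage(DATA))
```

A CVE missing from one suite's panel means it is not listed as open there; that is not the same as proof it is fixed in that suite's version, so confirm against the security tracker's per-CVE record before closing a finding. Entries tagged postponed are, in the page's own words, to be fixed through a stable update, so they remain open until the next point release and should stay on the watch list.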
debian/patches: 2 patches with invalid metadata, 30 patches to forward upstream (severity: high)

Among the 38 debian patches available in version 1:8.1.1+ds-1 of the package, we noticed the following issues:

  • 2 patches with invalid metadata that ought to be fixed.
  • 30 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2023-10-02 12:23
2 bugs tagged patch in the BTS (severity: normal)
The BTS contains patches fixing 2 bugs, consider including or untagging them.
Created: 2023-09-13 Last update: 2023-10-04 17:27
Does not build reproducibly during testing (severity: normal)
A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!
Created: 2023-09-30 Last update: 2023-10-04 13:07
Multiarch hinter reports 1 issue(s) (severity: normal)
There are issues with the multiarch metadata for this package.
  • qemu-system-modules-opengl could be marked Multi-Arch: same
Created: 2023-09-12 Last update: 2023-10-04 10:24
lintian reports 14 warnings (severity: normal)
Lintian reports 14 warnings about this package. You should make the package lintian clean by getting rid of them.
Created: 2023-09-11 Last update: 2023-10-02 13:05
24 low-priority security issues in bullseye (severity: low)

There are 24 open security issues in bullseye.

15 issues left for the package maintainer to handle:
  • CVE-2021-3735: (postponed; to be fixed through a stable update) A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.
  • CVE-2022-1050: (needs triaging) A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition.
  • CVE-2022-3872: (postponed; to be fixed through a stable update) An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
  • CVE-2023-1386: (postponed; to be fixed through a stable update) A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host.
  • CVE-2023-3019: (postponed; to be fixed through a stable update) A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.
  • CVE-2023-3180: (needs triaging) A flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in virtio_crypto_handle_sym_req. There is no check for the value of `src_len` and `dst_len` in virtio_crypto_sym_op_helper, potentially leading to a heap buffer overflow when the two values differ.
  • CVE-2023-3354: (needs triaging) A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks whether the current number of connections crosses a certain threshold and if so, cleans up the previous connection. If the previous connection happens to be in the handshake phase and fails, QEMU cleans up the connection again, resulting in a NULL pointer dereference issue. This could allow a remote unauthenticated client to cause a denial of service.
  • CVE-2019-12067: (postponed; to be fixed through a stable update) The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null.
  • CVE-2020-25741: (postponed; to be fixed through a stable update) fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive.
  • CVE-2020-25742: (postponed; to be fixed through a stable update) pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer.
  • CVE-2020-25743: (postponed; to be fixed through a stable update) hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call.
  • CVE-2020-35503: (postponed; to be fixed through a stable update) A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
  • CVE-2021-20255: (postponed; to be fixed through a stable update) A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
  • CVE-2022-36648: (postponed; to be fixed through a stable update) The hardware emulation in the of_dpa_cmd_add_l2_flood of rocker device model in QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host qemu and potentially execute code on the host by executing a malformed program in the guest OS.
  • CVE-2023-42467: (needs triaging) QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not prevent s->qdev.blocksize from being 256. This stops QEMU and the guest immediately.

You can find information about how to handle these issues in the security team's documentation.

9 ignored issues:
  • CVE-2021-3611: A stack overflow vulnerability was found in the Intel HD Audio device (intel-hda) of QEMU. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability. This flaw affects QEMU versions prior to 7.0.0.
  • CVE-2021-3750: A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller's registers and trigger undesirable actions (such as reset) while the device is still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects QEMU versions before 7.0.0.
  • CVE-2021-3929: A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host.
  • CVE-2022-4144: An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt() function does not check the size of the structure pointed to by the guest physical address, potentially reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to crash the QEMU process on the host causing a denial of service condition.
  • CVE-2023-2861:
  • CVE-2020-15469: In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.
  • CVE-2020-35504: A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
  • CVE-2020-35505: A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
  • CVE-2020-35506: A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0 during the handling of the 'Information Transfer' command (CMD_TI). This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process.
9 issues that should be fixed with the next stable update:
  • CVE-2021-3507: A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on the host resulting in DoS scenario, or potential information leakage from the host memory.
  • CVE-2021-3930: An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.
  • CVE-2022-0216: A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service.
  • CVE-2023-0330: A vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free.
  • CVE-2023-1544: A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.
  • CVE-2023-3301: A flaw was found in QEMU. The async nature of hot-unplug enables a race scenario where the net device backend is cleared before the virtio-net pci frontend has been unplugged. A malicious guest could use this time window to trigger an assertion and cause a denial of service.
  • CVE-2020-14394: An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process on the host, resulting in a denial of service.
  • CVE-2021-20196: A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
  • CVE-2021-20203: An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.
Created: 2022-07-04 Last update: 2023-10-03 08:32
14 low-priority security issues in bookworm (severity: low)

There are 14 open security issues in bookworm.

14 issues left for the package maintainer to handle:
  • CVE-2021-3735: (postponed; to be fixed through a stable update) A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.
  • CVE-2022-3872: (postponed; to be fixed through a stable update) An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
  • CVE-2023-1386: (postponed; to be fixed through a stable update) A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host.
  • CVE-2023-1544: (needs triaging) A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.
  • CVE-2023-3019: (postponed; to be fixed through a stable update) A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.
  • CVE-2023-3301: (needs triaging) A flaw was found in QEMU. The async nature of hot-unplug enables a race scenario where the net device backend is cleared before the virtio-net pci frontend has been unplugged. A malicious guest could use this time window to trigger an assertion and cause a denial of service.
  • CVE-2019-12067: (postponed; to be fixed through a stable update) The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null.
  • CVE-2020-25741: (postponed; to be fixed through a stable update) fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive.
  • CVE-2020-25742: (postponed; to be fixed through a stable update) pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer.
  • CVE-2020-25743: (postponed; to be fixed through a stable update) hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call.
  • CVE-2020-35503: (postponed; to be fixed through a stable update) A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
  • CVE-2021-20255: (postponed; to be fixed through a stable update) A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
  • CVE-2022-36648: (postponed; to be fixed through a stable update) The hardware emulation in of_dpa_cmd_add_l2_flood of the rocker device model in QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host qemu and potentially execute code on the host by executing a malformed program in the guest OS.
  • CVE-2023-42467: (needs triaging) QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not prevent s->qdev.blocksize from being 256. This stops QEMU and the guest immediately.

You can find information about how to handle these issues in the security team's documentation.

3 issues that should be fixed with the next stable update:
  • CVE-2023-3180: A flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in virtio_crypto_handle_sym_req. There is no check for the value of `src_len` and `dst_len` in virtio_crypto_sym_op_helper, potentially leading to a heap buffer overflow when the two values differ.
  • CVE-2023-3255: A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. A wrong exit condition may lead to an infinite loop when inflating an attacker controlled zlib buffer in the `inflate_buffer` function. This could allow a remote authenticated client who is able to send a clipboard to the VNC server to trigger a denial of service.
  • CVE-2023-3354: A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks whether the current number of connections crosses a certain threshold and if so, cleans up the previous connection. If the previous connection happens to be in the handshake phase and fails, QEMU cleans up the connection again, resulting in a NULL pointer dereference issue. This could allow a remote unauthenticated client to cause a denial of service.
Created: 2023-06-10 Last update: 2023-10-03 08:32
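The lists above say which issues are open, postponed or fixed only in unstable, but not whether one particular installed version is affected. The following added example (mine, not code from the Debian tracker, the security team or QEMU) answers that question offline: it reimplements dpkg's version ordering and then evaluates an export in the layout of https://security-tracker.debian.org/tracker/data/json against a version string such as the one `dpkg-query -W -f='${Version}' qemu-system-x86` prints. Assumptions: the export's per-release keys are `status`, `fixed_version` and `repositories` (as I read the current format); `SAMPLE`, `affected` and `open_cves` are names chosen here; and the statuses and fixed versions in `SAMPLE` are constructed for illustration (they reuse version strings from this page) rather than copied from the live tracker.

```python
"""Check an installed Debian qemu version against security-tracker data.

Added example for this page, not code from the Debian tracker or QEMU.
dpkg orders versions as epoch:upstream-revision, comparing alternating
non-digit and digit runs, with '~' sorting before everything (even the
end of the string) and digit runs compared numerically. SAMPLE is
constructed: it follows the tracker's JSON layout as assumed here, and
its statuses and fixed versions are illustrative, not live data.
"""


def _order(c: str) -> int:
    """Weight of one character in a non-digit run, as in dpkg's order()."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1            # '~' sorts before anything, even end of string
    return ord(c) + 256      # other punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    while a or b:
        first_diff = 0
        # non-digit run: character by character
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # digit run: numeric comparison, leading zeros ignored
        a, b = a.lstrip("0"), b.lstrip("0")
        while a[:1].isdigit() and b[:1].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():
            return 1         # a's number has more digits, so it is larger
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str):
    """Split 'epoch:upstream-revision' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                       # no hyphen: it is all upstream version
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as dpkg --compare-versions would order a and b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    result = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (result > 0) - (result < 0)


# Constructed sample in the assumed tracker layout; fixed versions are illustrative.
SAMPLE = {"qemu": {
    "CVE-2021-3735": {"releases": {
        "bookworm": {"status": "open", "nodsa": "Minor issue",
                     "repositories": {"bookworm": "1:7.2+dfsg-7+deb12u1"}},
        "sid": {"status": "open", "repositories": {"sid": "1:8.1.1+ds-1"}}}},
    "CVE-2023-3180": {"releases": {
        "bookworm": {"status": "open",
                     "repositories": {"bookworm": "1:7.2+dfsg-7+deb12u1"}},
        "sid": {"status": "resolved", "fixed_version": "1:8.1.0+ds-1",
                "repositories": {"sid": "1:8.1.1+ds-1"}}}},
    "CVE-2023-3354": {"releases": {
        "bookworm": {"status": "resolved", "fixed_version": "1:7.2+dfsg-7+deb12u2",
                     "repositories": {"bookworm": "1:7.2+dfsg-7+deb12u1"}},
        "sid": {"status": "resolved", "fixed_version": "1:8.0.3+dfsg-4",
                "repositories": {"sid": "1:8.1.1+ds-1"}}}},
}}


def affected(installed: str, entry: dict) -> bool:
    """True unless the entry shows the installed version is at or after the fix.

    Open, undetermined and postponed (no-DSA) entries all count as affected,
    as does a resolved entry without a fixed_version: triage defaults to
    "not shown to be fixed".
    """
    if entry.get("status") != "resolved":
        return True
    fixed = entry.get("fixed_version")
    if not fixed:
        return True
    return compare_versions(installed, fixed) < 0


def open_cves(data: dict, package: str, suite: str, installed: str) -> list:
    """CVE ids in `data` that still affect `installed` in `suite`."""
    found = []
    for cve, info in data.get(package, {}).items():
        entry = info.get("releases", {}).get(suite)
        if entry is not None and affected(installed, entry):
            found.append(cve)
    return sorted(found)


if __name__ == "__main__":
    for suite, ver in (("bookworm", "1:7.2+dfsg-7+deb12u1"),
                       ("bookworm", "1:7.2+dfsg-7+deb12u2"),
                       ("sid", "1:8.1.1+ds-1")):
        print(suite, ver, open_cves(SAMPLE, "qemu", suite, ver))
```

A postponed issue keeps status open, so it is reported as affecting every version until the stable update lands; that is deliberate, since "no DSA" means "not fixed yet", not "not affected". A binNMU suffix such as `+b1` on the installed binary package sorts after the plain source version, so the comparison against a fixed version still holds.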
Build log checks report 1 warning low
Created: 2023-10-02 Last update: 2023-10-02 04:18
Standards version of the package is outdated. wishlist
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.2 instead of 4.6.1).
Created: 2022-12-17 Last update: 2023-10-02 02:41
testing migrations
  • This package will soon be part of the auto-capstone transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
  • excuses:
    • Migration status for qemu (1:8.1.0+ds-6 to 1:8.1.1+ds-1): BLOCKED: Rejected/violates migration policy/introduces a regression
    • Issues preventing migration:
      • autopkgtest for cloud-utils/0.33-1: amd64: Pass, arm64: Pass, armel: Pass, armhf: Pass, i386: Pass, ppc64el: Test in progress, s390x: Pass
      • autopkgtest for cryptsetup/2:2.6.1-5: amd64: Failed (not a regression), arm64: No test results ♻ (reference ♻), armel: No test results ♻ (reference ♻), armhf: No test results ♻ (reference ♻), i386: Failed (not a regression), ppc64el: Test in progress, s390x: No test results ♻ (reference ♻)
      • autopkgtest for debomatic/0.26-2: amd64: Pass, arm64: Pass, armel: Pass, armhf: Pass, i386: Pass, ppc64el: Test in progress, s390x: Failed (not a regression)
      • autopkgtest for debvm/0.2.12: s390x: Pass
      • autopkgtest for debvm/0.2.13: amd64: Pass, arm64: Pass, armel: No test results ♻ (reference ♻), armhf: No test results ♻ (reference ♻), i386: Pass, ppc64el: Test in progress
      • autopkgtest for dropbear/2022.83-2: amd64: Pass, arm64: Pass, armel: Pass, armhf: Pass, i386: Pass, ppc64el: Test in progress, s390x: Pass
      • autopkgtest for edk2/2023.05-2: amd64: Pass, arm64: Pass, armel: Pass, armhf: Pass, i386: Pass, ppc64el: Test in progress, s390x: Pass
      • autopkgtest for fai/6.0.5: amd64: Pass, arm64: No test results ♻ (reference ♻), armel: No test results ♻ (reference ♻), armhf: No test results ♻ (reference ♻), i386: No test results ♻ (reference ♻), ppc64el: Test in progress, s390x: No test results ♻ (reference ♻)
      • autopkgtest for freedom-maker/0.32: amd64: Pass, arm64: Pass, armel: Pass, armhf: Pass, i386: Pass, ppc64el: Test in progress, s390x: Pass
      • autopkgtest for genimage/16-2: amd64: Pass, arm64: Pass, armel: Pass, armhf: Pass, i386: Pass, ppc64el: Test in progress, s390x: Pass
      • autopkgtest for initramfs-tools/0.142: amd64: Pass, arm64: No test results ♻ (reference ♻), armel: No test results ♻ (reference ♻), armhf: No test results ♻ (reference ♻), i386: No test results ♻ (reference ♻), ppc64el: Test in progress, s390x: No test results ♻ (reference ♻)
      • autopkgtest for ipmitool/1.8.19-6: amd64: No test results ♻ (reference ♻), arm64: No test results ♻ (reference ♻), armel: No test results ♻ (reference ♻), armhf: No test results ♻ (reference ♻), i386: No test results ♻ (reference ♻), ppc64el: Test in progress, s390x: No test results ♻ (reference ♻)
      • autopkgtest for ironic/1:21.4.0-4: amd64: Pass, arm64: Pass, armel: Pass, armhf: Failed (not a regression), i386: Pass, ppc64el: Test in progress, s390x: Pass
      • autopkgtest for kworkflow/20191112-1.2: amd64: Pass, arm64: Pass, armel: Pass, armhf: Pass, i386: Pass, ppc64el: Test in progress, s390x: Pass
      • autopkgtest for libguestfs/1:1.50.1-4: amd64: Pass, arm64: Pass, armel: Failed (not a regression), armhf: Pass, i386: Pass, ppc64el: Test in progress, s390x: Pass
      • autopkgtest for libvirt/9.7.0-1: amd64: Pass, arm64: Pass, armel: Pass, armhf: Pass, i386: Pass, ppc64el: Test in progress, s390x: Pass
      • autopkgtest for multipath-tools/0.9.4-5: amd64: No test results ♻ (reference ♻), arm64: No test results ♻ (reference ♻), armel: No test results ♻ (reference ♻), armhf: No test results ♻ (reference ♻), i386: No test results ♻ (reference ♻), ppc64el: Test in progress, s390x: No test results ♻ (reference ♻)
      • autopkgtest for open-iscsi/2.1.8-2: amd64: No test results ♻ (reference ♻), arm64: No test results ♻ (reference ♻), armel: No test results ♻ (reference ♻), armhf: No test results ♻ (reference ♻), i386: No test results ♻ (reference ♻), ppc64el: Test in progress, s390x: No test results ♻ (reference ♻)
      • autopkgtest for osk-sdl/0.67.1-3: amd64: Pass, arm64: Pass, armel: Pass, armhf: Failed (not a regression), i386: Pass, ppc64el: Test in progress, s390x: Pass
      • autopkgtest for qemu/1:8.1.1+ds-1: amd64: No test results ♻ (reference ♻), arm64: No test results ♻ (reference ♻), armel: No test results ♻ (reference ♻), armhf: No test results ♻ (reference ♻), i386: No test results ♻ (reference ♻), ppc64el: Test in progress, s390x: No test results ♻ (reference ♻)
      • autopkgtest for sbuild/0.85.2: armel: Pass, armhf: Pass, i386: Pass, ppc64el: Test in progress, s390x: Pass
      • autopkgtest for snek/1.9-3: amd64: Pass, arm64: Pass, armel: Pass, armhf: Pass, i386: Pass, ppc64el: Test in progress, s390x: Pass
      • autopkgtest for systemd/254.4-1: amd64: Failed (not a regression), arm64: Pass, armel: Pass, armhf: Pass, i386: Pass, ppc64el: Test in progress, s390x: Regression ♻ (reference ♻)
      • autopkgtest for vagrant/2.3.4+dfsg-1: amd64: Pass, arm64: Pass, armel: Pass, armhf: Pass, i386: Pass, ppc64el: Test in progress, s390x: Pass
      • autopkgtest for vagrant-mutate/1.2.0-4.1: amd64: Pass, arm64: Pass, armel: Pass, armhf: Pass, i386: Pass, ppc64el: Test in progress, s390x: Pass
      • autopkgtest for vmdb2/0.27+really.0.26-1: amd64: Pass, arm64: Pass, armel: Pass, armhf: Pass, i386: Pass, ppc64el: Test in progress, s390x: Pass
      • Too young, only 2 of 5 days old
    • Additional info:
      • Piuparts tested OK - https://piuparts.debian.org/sid/source/q/qemu.html
    • Not considered
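Most of the excuse lines above are noise for the question that matters to anyone waiting for a fix to reach testing: failures marked "not a regression" and missing reference results do not block, one real regression (systemd on s390x) and the outstanding ppc64el runs do, and the age gate blocks on its own. The following added example (mine, not a Debian release-team or tracker tool) parses lines in the plain-text form shown above and separates blockers from noise. `SAMPLE_EXCUSES` is a trimmed copy of the page's own lines, embedded as constructed input; the result wordings it matches on ("Regression", "Test in progress", "not a regression", "No test results", "Too young") are taken from those lines and are an assumption for any other page, and anything it does not recognise is reported rather than ignored.

```python
"""Summarise britney autopkgtest excuses: what actually blocks migration?

Added example for this page, not a Debian release-team tool. It reads the
"excuses" lines as rendered on the tracker page (one autopkgtest line per
reverse dependency, one result per architecture) and separates real
blockers from noise. SAMPLE_EXCUSES is a trimmed copy of the page's lines,
constructed as inline input; the status wordings matched below come from
those lines and are an assumption for other pages.
"""
import re

# bullet characters left over from the rendered nested list
_BULLETS = "•∙ \t"
_TEST_RE = re.compile(r"^autopkgtest for ([^/]+)/(\S+): (.*)$")
_AGE_RE = re.compile(r"Too young, only (\d+) of (\d+) days old")

SAMPLE_EXCUSES = """\
• Migration status for qemu (1:8.1.0+ds-6 to 1:8.1.1+ds-1): BLOCKED: Rejected/violates migration policy/introduces a regression
• Issues preventing migration:
• ∙ ∙ autopkgtest for cryptsetup/2:2.6.1-5: amd64: Failed (not a regression), arm64: No test results ♻ (reference ♻), i386: Failed (not a regression), ppc64el: Test in progress
• ∙ ∙ autopkgtest for debvm/0.2.12: s390x: Pass
• ∙ ∙ autopkgtest for libguestfs/1:1.50.1-4: amd64: Pass, armel: Failed (not a regression), ppc64el: Test in progress
• ∙ ∙ autopkgtest for systemd/254.4-1: amd64: Failed (not a regression), arm64: Pass, ppc64el: Test in progress, s390x: Regression ♻ (reference ♻)
• ∙ ∙ Too young, only 2 of 5 days old
• Additional info:
• ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/q/qemu.html
"""


def classify(status: str) -> str:
    """Map one per-architecture result to blocking / pending / ok / unknown."""
    s = status.strip()
    if s.startswith("Regression"):
        return "blocking"      # a real regression: britney will not migrate
    if s.startswith("Test in progress"):
        return "pending"       # result outstanding; check again later
    if (s.startswith("Pass") or s.startswith("No test results")
            or "not a regression" in s):
        return "ok"            # also fails with the old version: does not block
    return "unknown"           # wording not seen before: surface it, never hide it


def parse_arch_results(rest: str) -> dict:
    """'amd64: Pass, s390x: Regression ...' -> {'amd64': 'Pass', ...}."""
    results = {}
    for item in rest.split(", "):
        arch, _, status = item.partition(": ")
        results[arch] = status
    return results


def summarize_excuses(text: str) -> dict:
    """Collect blockers, pending tests, unparsed statuses and the age gate."""
    summary = {"blocking": [], "pending": [], "unknown": [], "too_young": None}
    for raw in text.splitlines():
        line = raw.lstrip(_BULLETS)
        age = _AGE_RE.search(line)
        if age:
            summary["too_young"] = (int(age.group(1)), int(age.group(2)))
            continue
        m = _TEST_RE.match(line)
        if not m:
            continue           # status header, piuparts line, etc.
        pkg, ver, rest = m.groups()
        for arch, status in parse_arch_results(rest).items():
            kind = classify(status)
            if kind == "ok":
                continue
            item = (pkg, ver, arch) if kind != "unknown" else (pkg, ver, arch, status)
            summary[kind].append(item)
    return summary


def migration_blocked(summary: dict) -> bool:
    """True while anything regresses, is still running, is unparsed, or is too young."""
    age = summary["too_young"]
    return bool(summary["blocking"] or summary["pending"] or summary["unknown"]
                or (age is not None and age[0] < age[1]))


if __name__ == "__main__":
    s = summarize_excuses(SAMPLE_EXCUSES)
    print("blocking:", s["blocking"])
    print("pending:", s["pending"])
    print("too young:", s["too_young"], "blocked:", migration_blocked(s))
```

The "unknown" bucket is the important design choice: a new britney wording must make the summary say "blocked" rather than silently pass, otherwise the script would report a security fix as migrating when it is not.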
news
[rss feed]
  • [2023-10-01] Accepted qemu 1:8.1.1+ds-1 (source) into unstable (Michael Tokarev)
  • [2023-09-26] qemu 1:8.1.0+ds-6 MIGRATED to testing (Debian testing watch)
  • [2023-09-25] Accepted qemu 1:5.2+dfsg-11+deb11u3 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
  • [2023-09-25] Accepted qemu 1:7.2+dfsg-7+deb12u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Michael Tokarev)
  • [2023-09-20] Accepted qemu 1:8.1.0+ds-6 (source) into unstable (Michael Tokarev)
  • [2023-09-17] Accepted qemu 1:8.1.0+ds-5 (source) into unstable (Michael Tokarev)
  • [2023-09-11] Accepted qemu 1:8.1.0+ds-4 (source) into unstable (Michael Tokarev)
  • [2023-09-09] Accepted qemu 1:8.1.0+ds-3 (source) into unstable (Michael Tokarev)
  • [2023-09-09] Accepted qemu 1:8.1.0+ds-2 (source) into unstable (Michael Tokarev)
  • [2023-09-09] Accepted qemu 1:8.1.0+ds-1 (source) into unstable (Michael Tokarev)
  • [2023-08-29] qemu 1:8.0.4+dfsg-3 MIGRATED to testing (Debian testing watch)
  • [2023-08-23] Accepted qemu 1:8.1.0+ds-1~exp2 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Michael Tokarev)
  • [2023-08-23] Accepted qemu 1:8.1.0+ds-1~exp1 (source) into experimental (Michael Tokarev)
  • [2023-08-22] Accepted qemu 1:8.0.4+dfsg-3 (source) into unstable (Michael Tokarev)
  • [2023-08-21] Accepted qemu 1:8.0.4+dfsg-2 (source) into unstable (Michael Tokarev)
  • [2023-08-20] Accepted qemu 1:8.1.0~rc4+ds-4 (source) into experimental (Michael Tokarev)
  • [2023-08-20] Accepted qemu 1:8.1.0~rc4+ds-3 (source) into experimental (Michael Tokarev)
  • [2023-08-19] Accepted qemu 1:8.1.0~rc4+ds-2 (source) into experimental (Michael Tokarev)
  • [2023-08-19] Accepted qemu 1:8.1.0~rc4+ds-1 (source) into experimental (Michael Tokarev)
  • [2023-08-17] qemu 1:8.0.4+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2023-08-16] Accepted qemu 1:8.0.4+dfsg-1~bpo12+1 (source) into stable-backports (Michael Tokarev)
  • [2023-08-15] Accepted qemu 1:8.0.3+dfsg-1~bpo12+1 (source amd64 all) into stable-backports (Debian FTP Masters) (signed by: Michael Tokarev)
  • [2023-08-11] Accepted qemu 1:8.0.4+dfsg-1 (source) into unstable (Michael Tokarev)
  • [2023-08-11] Accepted qemu 1:8.1.0~rc3+dfsg-2 (source) into experimental (Michael Tokarev)
  • [2023-08-11] Accepted qemu 1:8.1.0~rc3+dfsg-1 (source) into experimental (Michael Tokarev)
  • [2023-08-07] qemu 1:8.0.3+dfsg-5 MIGRATED to testing (Debian testing watch)
  • [2023-08-04] Accepted qemu 1:8.1.0~rc2+dfsg-1 (source) into experimental (Michael Tokarev)
  • [2023-08-02] Accepted qemu 1:8.0.3+dfsg-5 (source) into unstable (Michael Tokarev)
  • [2023-07-26] Accepted qemu 1:8.0.3+dfsg-4 (source) into unstable (Michael Tokarev)
  • [2023-07-22] Accepted qemu 1:8.0.3+dfsg-3 (source) into unstable (Michael Tokarev)
bugs [bug history graph]
  • all: 142 152
  • RC: 0
  • I&N: 78 79
  • M&W: 63 72
  • F&P: 1
  • patch: 2
links
  • homepage
  • lintian (0, 14)
  • buildd: logs, checks, reproducibility, cross
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • screenshots
  • l10n (-, 93)
  • debian patches
  • debci
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 1:8.0.4+dfsg-1ubuntu1
  • 89 bugs (1 patch)

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing