qemu - Debian Package Tracker

general

source: qemu (main)
version: 1:7.1+dfsg-2
maintainer: Debian QEMU Team (archive) (DMD)
uploaders: Michael Tokarev [DMD]
arch: all any
std-ver: 4.5.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1:2.8+dfsg-6+deb9u9
o-o-sec: 1:2.8+dfsg-6+deb9u17
oldstable: 1:3.1+dfsg-8+deb10u8
old-sec: 1:3.1+dfsg-8+deb10u9
old-bpo: 1:5.2+dfsg-9~bpo10+1
stable: 1:5.2+dfsg-11+deb11u2
stable-sec: 1:5.2+dfsg-11+deb11u2
stable-bpo: 1:7.1+dfsg-2~bpo11+3
testing: 1:7.1+dfsg-2
test-p-u: 1:7.1+dfsg-2
unstable: 1:7.1+dfsg-2

versioned links

1:2.8+dfsg-6+deb9u9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.8+dfsg-6+deb9u17: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:3.1+dfsg-8+deb10u8: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:3.1+dfsg-8+deb10u9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:5.2+dfsg-9~bpo10+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:5.2+dfsg-11+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:7.1+dfsg-2~bpo11+3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:7.1+dfsg-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

qemu-block-extra
qemu-guest-agent (2 bugs: 0, 2, 0, 0)
qemu-system (8 bugs: 0, 2, 6, 0)
qemu-system-arm (5 bugs: 0, 2, 3, 0)
qemu-system-common (7 bugs: 0, 1, 6, 0)
qemu-system-data
qemu-system-gui (3 bugs: 0, 3, 0, 0)
qemu-system-mips
qemu-system-misc (1 bugs: 0, 1, 0, 0)
qemu-system-ppc (2 bugs: 0, 2, 0, 0)
qemu-system-sparc
qemu-system-x86 (24 bugs: 0, 19, 5, 0)
qemu-system-xen
qemu-user (2 bugs: 0, 2, 0, 0)
qemu-user-binfmt (2 bugs: 0, 1, 1, 0)
qemu-user-static (21 bugs: 0, 20, 1, 0)
qemu-utils (2 bugs: 0, 1, 1, 0)

action needed

A new upstream version is available: 7.2~rc3 high

A new upstream version 7.2~rc3 is available, you should consider packaging it.

Created: 2022-11-12 Last update: 2022-12-08 23:46

11 security issues in sid high

There are 11 open security issues in sid.

11 important issues:

CVE-2021-3735: A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.
CVE-2022-3165: An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the extended format. A malicious client could use this flaw to make QEMU unresponsive by sending a specially crafted payload message, resulting in a denial of service.
CVE-2022-3872: An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
CVE-2022-4144: An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt() function does not check the size of the structure pointed to by the guest physical address, potentially reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to crash the QEMU process on the host causing a denial of service condition.
CVE-2022-4172: An integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions. Both issues may allow the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest could use these flaws to crash the QEMU process on the host.
CVE-2019-12067: The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null.
CVE-2020-25741: fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive.
CVE-2020-25742: pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer.
CVE-2020-25743: hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call.
CVE-2020-35503: A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2021-20255: A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

Created: 2022-07-04 Last update: 2022-12-01 04:07

21 security issues in buster high

There are 21 open security issues in buster.

1 important issue:

CVE-2022-4144: An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt() function does not check the size of the structure pointed to by the guest physical address, potentially reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to crash the QEMU process on the host causing a denial of service condition.

19 issues postponed or untriaged:

CVE-2021-3592: (postponed; to be fixed through a stable update) An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the bootp_input() function and could occur while processing a udp packet that is smaller than the size of the 'bootp_t' structure. A malicious guest could use this flaw to leak 10 bytes of uninitialized heap memory from the host. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0.
CVE-2021-3593: (postponed; to be fixed through a stable update) An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp6_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0.
CVE-2021-3594: (postponed; to be fixed through a stable update) An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0.
CVE-2021-3595: (postponed; to be fixed through a stable update) An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the tftp_input() function and could occur while processing a udp packet that is smaller than the size of the 'tftp_t' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0.
CVE-2021-3735: (postponed; to be fixed through a stable update) A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.
CVE-2021-3750: (postponed; to be fixed through a stable update) A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller's registers and trigger undesirable actions (such as reset) while the device is still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects QEMU versions before 7.0.0.
CVE-2021-3929: (needs triaging) A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host.
CVE-2022-0216: (postponed; to be fixed through a stable update) A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service.
CVE-2022-1050: (postponed; to be fixed through a stable update) A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition.
CVE-2022-3872: (postponed; to be fixed through a stable update) An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
CVE-2019-12067: (postponed; to be fixed through a stable update) The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null.
CVE-2020-14394: (postponed; to be fixed through a stable update) An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process on the host, resulting in a denial of service.
CVE-2020-17380: (postponed; to be fixed through a stable update) A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the QEMU process on the host.
CVE-2020-25741: (postponed; to be fixed through a stable update) fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive.
CVE-2020-25742: (postponed; to be fixed through a stable update) pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer.
CVE-2020-25743: (postponed; to be fixed through a stable update) hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call.
CVE-2020-29130: (postponed; to be fixed through a stable update) slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.
CVE-2020-35503: (postponed; to be fixed through a stable update) A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2021-20255: (postponed; to be fixed through a stable update) A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

1 ignored issue:

CVE-2019-8934: hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest.

Created: 2022-11-26 Last update: 2022-12-01 04:07

11 security issues in bookworm high

There are 11 open security issues in bookworm.

11 important issues:

CVE-2021-3735: A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.
CVE-2022-3165: An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the extended format. A malicious client could use this flaw to make QEMU unresponsive by sending a specially crafted payload message, resulting in a denial of service.
CVE-2022-3872: An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
CVE-2022-4144: An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt() function does not check the size of the structure pointed to by the guest physical address, potentially reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to crash the QEMU process on the host causing a denial of service condition.
CVE-2022-4172: An integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions. Both issues may allow the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest could use these flaws to crash the QEMU process on the host.
CVE-2019-12067: The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null.
CVE-2020-25741: fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive.
CVE-2020-25742: pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer.
CVE-2020-25743: hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call.
CVE-2020-35503: A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2021-20255: A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

Created: 2022-07-04 Last update: 2022-12-01 04:07

lintian reports 22 errors and 64 warnings high

Lintian reports 22 errors and 64 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2022-09-14 Last update: 2022-11-07 14:08

Fails to build during reproducibility testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2022-09-24 Last update: 2022-12-08 23:52

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2022-10-26 Last update: 2022-12-08 23:34

9 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit c2db086b6eff487cc4d109fda51860cc6bb63a66
Author: Michael Tokarev <mjt@tls.msk.ru>
Date:   Sun Nov 6 14:53:54 2022 +0300

    qemu-system-data.lintian-overrides: +shared-library-lacks-prerequisites for s390 bootroms

commit b3606b0a0f65340ab56e858a344631b08081e1ee
Author: Michael Tokarev <mjt@tls.msk.ru>
Date:   Sun Nov 6 14:52:38 2022 +0300

    add source-level lintian overrides

commit 9fbc91b88a5551abe8494c76cafcfbb36779dc83
Author: Michael Tokarev <mjt@tls.msk.ru>
Date:   Sun Nov 6 14:36:30 2022 +0300

    d/rules: alternative, easier fix for #1019011: use -O1 instead of -O2

commit 591846e1e5e434c4c9c4c09ae41fa36a40d481a2
Author: Michael Tokarev <mjt@tls.msk.ru>
Date:   Sun Nov 6 14:34:20 2022 +0300

    Revert "temporary workaround for gcc-12 bug #1019011: use gcc-11-alpha-linux-gnu instead of gcc-alpha-linux-gnu"
    
    This reverts commit 435ceea71d95c959c28041e9c5c3a8377592db72.
    Current gcc-12 does not work still, but only with -O2+.
    With -O1 it works too.  So use this instead.

commit bd5f79be6a0ae6eb196b39b1a5b6bd0e40cee752
Author: Michael Tokarev <mjt@tls.msk.ru>
Date:   Sat Nov 5 16:46:40 2022 +0300

    d/rules: support "terse" build option for non-verbose build

commit ae19f855b912d1ecfe6c2b5b10b6a358fe5f9c4e
Author: Michael Tokarev <mjt@tls.msk.ru>
Date:   Sat Oct 29 09:34:05 2022 +0300

    d/qemu-system-common.lintian-overrides: +shared-library-lacks-prerequisites for all plugins

commit 256cd35049b82b7b0d6c9a7b7754c695505a753c
Author: Michael Tokarev <mjt@tls.msk.ru>
Date:   Sat Oct 29 09:33:33 2022 +0300

    d/qemu-system-data.lintian-overrides: consolidate overrides for all fw files, adopt to new lintian

commit 5bf78d7826b0c727ac6c8b867d319cdb675897a1
Author: Michael Tokarev <mjt@tls.msk.ru>
Date:   Sun Sep 18 19:53:10 2022 +0300

    mention closing of #987410 (CVE-2021-3507) by 7.1

commit 111649fb4cdfb97ec65a729fb82d1f98a69a8621
Author: Michael Tokarev <mjt@tls.msk.ru>
Date:   Tue Sep 13 23:11:29 2022 +0300

    d/changelog: mark #1018913 as fixed by 7.1 upload

Created: 2022-09-18 Last update: 2022-12-08 20:30

24 low-priority security issues in bullseye low

There are 24 open security issues in bullseye.

23 issues left for the package maintainer to handle:

CVE-2021-3507: (needs triaging) A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on the host resulting in DoS scenario, or potential information leakage from the host memory.
CVE-2021-3611: (needs triaging) A stack overflow vulnerability was found in the Intel HD Audio device (intel-hda) of QEMU. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability. This flaw affects QEMU versions prior to 7.0.0.
CVE-2021-3735: (needs triaging) A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.
CVE-2021-3750: (needs triaging) A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller's registers and trigger undesirable actions (such as reset) while the device is still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects QEMU versions before 7.0.0.
CVE-2021-3929: (needs triaging) A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host.
CVE-2021-3930: (postponed; to be fixed through a stable update) An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.
CVE-2022-0216: (needs triaging) A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service.
CVE-2022-1050: (needs triaging) A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition.
CVE-2022-2962: (needs triaging) A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
CVE-2022-3872: (needs triaging) An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
CVE-2022-4144: (needs triaging) An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt() function does not check the size of the structure pointed to by the guest physical address, potentially reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to crash the QEMU process on the host causing a denial of service condition.
CVE-2019-12067: (postponed; to be fixed through a stable update) The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null.
CVE-2020-14394: (postponed; to be fixed through a stable update) An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process on the host, resulting in a denial of service.
CVE-2020-25741: (postponed; to be fixed through a stable update) fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive.
CVE-2020-25742: (postponed; to be fixed through a stable update) pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer.
CVE-2020-25743: (postponed; to be fixed through a stable update) hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call.
CVE-2020-35503: (postponed; to be fixed through a stable update) A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2020-35504: (postponed; to be fixed through a stable update) A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2020-35505: (postponed; to be fixed through a stable update) A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2020-35506: (postponed; to be fixed through a stable update) A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0 during the handling of the 'Information Transfer' command (CMD_TI). This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process.
CVE-2021-20196: (postponed; to be fixed through a stable update) A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2021-20203: (postponed; to be fixed through a stable update) An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.
CVE-2021-20255: (postponed; to be fixed through a stable update) A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

You can find information about how to handle these issues in the security team's documentation.

1 ignored issue:

CVE-2020-15469: In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.

Created: 2022-07-04 Last update: 2022-12-01 04:07

Build log checks report 2 warnings low

Build log checks report 2 warnings

Created: 2022-10-20 Last update: 2022-10-20 18:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.1 instead of 4.5.1).

Created: 2021-08-18 Last update: 2022-09-14 01:43

news

[rss feed]

[2022-10-03] Accepted qemu 1:7.1+dfsg-2~bpo11+3 (source) into bullseye-backports (Michael Tokarev)
[2022-09-24] Accepted qemu 1:7.1+dfsg-2~bpo11+2 (source) into bullseye-backports (Michael Tokarev)
[2022-09-23] Accepted qemu 1:7.1+dfsg-2~bpo11+1 (source) into bullseye-backports (Michael Tokarev)
[2022-09-23] qemu 1:7.1+dfsg-2 MIGRATED to testing (Debian testing watch)
[2022-09-13] Accepted qemu 1:7.1+dfsg-2 (source) into unstable (Michael Tokarev)
[2022-09-12] Accepted qemu 1:7.1+dfsg-1 (source) into unstable (Michael Tokarev)
[2022-09-04] Accepted qemu 1:3.1+dfsg-8+deb10u9 (source amd64 all) into oldstable (Abhijith PA)
[2022-05-20] qemu 1:7.0+dfsg-7 MIGRATED to testing (Debian testing watch)
[2022-05-15] Accepted qemu 1:7.0+dfsg-7 (source) into unstable (Michael Tokarev)
[2022-05-14] Accepted qemu 1:5.2+dfsg-11+deb11u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Michael Tokarev)
[2022-05-14] qemu 1:7.0+dfsg-6 MIGRATED to testing (Debian testing watch)
[2022-05-09] Accepted qemu 1:5.2+dfsg-11+deb11u2 (source) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Michael Tokarev)
[2022-05-08] Accepted qemu 1:7.0+dfsg-6 (source) into unstable (Michael Tokarev)
[2022-05-08] Accepted qemu 1:7.0+dfsg-2~bpo11+2 (source) into bullseye-backports (Michael Tokarev)
[2022-05-07] Accepted qemu 1:7.0+dfsg-2~bpo11+1 (source amd64 all) into bullseye-backports, bullseye-backports (Debian FTP Masters) (signed by: Michael Tokarev)
[2022-05-07] Accepted qemu 1:7.0+dfsg-5 (source) into unstable (Michael Tokarev)
[2022-05-07] Accepted qemu 1:7.0+dfsg-4 (source) into unstable (Michael Tokarev)
[2022-05-06] Accepted qemu 1:7.0+dfsg-3 (source) into unstable (Michael Tokarev)
[2022-05-05] qemu 1:7.0+dfsg-2 MIGRATED to testing (Debian testing watch)
[2022-04-30] Accepted qemu 1:7.0+dfsg-2 (source) into unstable (Michael Tokarev)
[2022-04-26] qemu 1:7.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-04-21] Accepted qemu 1:7.0+dfsg-1 (source) into unstable (Michael Tokarev)
[2022-04-20] Accepted qemu 1:7.0~rc4+dfsg-1 (source amd64 all) into unstable, unstable (Debian FTP Masters) (signed by: Michael Tokarev)
[2022-04-20] qemu 1:6.2+dfsg-3 MIGRATED to testing (Debian testing watch)
[2022-04-04] Accepted qemu 1:2.8+dfsg-6+deb9u17 (source) into oldoldstable (Emilio Pozuelo Monfort)
[2022-02-26] Accepted qemu 1:6.2+dfsg-3 (source) into unstable (Michael Tokarev)
[2022-02-02] Accepted qemu 1:6.2+dfsg-2~bpo11+1 (source) into bullseye-backports (Michael Tokarev)
[2022-01-25] qemu 1:6.2+dfsg-2 MIGRATED to testing (Debian testing watch)
[2022-01-20] Accepted qemu 1:6.2+dfsg-2 (source) into unstable (Michael Tokarev)
[2022-01-15] qemu 1:6.2+dfsg-1 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 156 169
RC: 0
I&N: 85 89
M&W: 67 76
F&P: 4
patch: 1

links

homepage
lintian (22, 64)
buildd: logs, checks, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (-, 93)
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1:7.0+dfsg-7ubuntu2
82 bugs (2 patches)