Debian Package Tracker

general

source: qemu (main)
version: 1:4.1-3
maintainer: Debian QEMU Team (archive) (DMD)
uploaders: Aurelien Jarno [DMD] – Riku Voipio [DMD] – Michael Tokarev [DMD]
arch: all any
std-ver: 3.9.8
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1:2.1+dfsg-12+deb8u6
o-o-sec: 1:2.1+dfsg-12+deb8u12
oldstable: 1:2.8+dfsg-6+deb9u8
old-sec: 1:2.8+dfsg-6+deb9u8
stable: 1:3.1+dfsg-8+deb10u2
stable-sec: 1:3.1+dfsg-8+deb10u3
stable-p-u: 1:3.1+dfsg-8+deb10u3
testing: 1:4.1-3
unstable: 1:4.1-3

versioned links

1:2.1+dfsg-12+deb8u6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.1+dfsg-12+deb8u12: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:2.8+dfsg-6+deb9u8: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:3.1+dfsg-8+deb10u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:3.1+dfsg-8+deb10u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:4.1-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

qemu (48 bugs: 0, 21, 27, 0)
qemu-block-extra
qemu-guest-agent
qemu-kvm (35 bugs: 0, 9, 26, 0)
qemu-system (8 bugs: 0, 2, 6, 0)
qemu-system-arm (2 bugs: 0, 1, 1, 0)
qemu-system-common (5 bugs: 0, 0, 5, 0)
qemu-system-data (1 bugs: 0, 1, 0, 0)
qemu-system-gui (3 bugs: 0, 3, 0, 0)
qemu-system-mips
qemu-system-misc
qemu-system-ppc (2 bugs: 0, 2, 0, 0)
qemu-system-sparc
qemu-system-x86 (29 bugs: 0, 24, 5, 0)
qemu-user (2 bugs: 0, 2, 0, 0)
qemu-user-binfmt
qemu-user-static (27 bugs: 0, 23, 4, 0)
qemu-utils (7 bugs: 0, 4, 3, 0)

action needed

A new upstream version is available: 4.2.0-rc4 high

A new upstream version 4.2.0-rc4 is available, you should consider packaging it.

Created: 2019-03-24 Last update: 2019-12-11 23:44

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2019-12067:

Please fix it.

Created: 2019-07-07 Last update: 2019-12-07 07:32

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2019-12067:

Please fix it.

Created: 2019-02-18 Last update: 2019-12-07 07:32

Standards version of the package is outdated. high

The package is severely out of date with respect to the Debian Policy. The package should be updated to follow the last version of Debian Policy (Standards-Version 4.4.1 instead of 3.9.8).

Created: 2017-07-21 Last update: 2019-12-02 20:18

Depends on packages which need a new maintainer normal

The packages that qemu depends on which need a new maintainer are:

spice-protocol (#911429)
- Build-Depends: libspice-protocol-dev
usbredir (#911431)
- Build-Depends: libusbredirparser-dev
- Depends: libusbredirparser1 libusbredirparser1 libusbredirparser1 libusbredirparser1 libusbredirparser1 libusbredirparser1

Created: 2019-11-22 Last update: 2019-12-11 23:52

9 bugs tagged patch in the BTS normal

The BTS contains patches fixing 9 bugs, consider including or untagging them.

Created: 2019-04-01 Last update: 2019-12-11 23:34

4 ignored security issues in buster low

There are 4 open security issues in buster.

4 issues skipped by the security teams:

CVE-2019-15890: libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c.
CVE-2019-12067:
CVE-2019-8934: hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest.
CVE-2019-12068: In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well.

Please fix them.

Created: 2019-01-22 Last update: 2019-12-07 07:32

10 ignored security issues in jessie low

There are 10 open security issues in jessie.

10 issues skipped by the security teams:

CVE-2018-15746: qemu-seccomp.c in QEMU might allow local OS guest users to cause a denial of service (guest crash) by leveraging mishandling of the seccomp policy for threads other than the main thread.
CVE-2017-15124: VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, VNC server allocates growing memory to hold onto this data. A malicious remote VNC client could use this flaw to cause DoS to the server host.
CVE-2017-11334: The address_space_write_continue function in exec.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area.
CVE-2016-9923: Quick Emulator (Qemu) built with the 'chardev' backend support is vulnerable to a use after free issue. It could occur while hotplug and unplugging the device in the guest. A guest user/process could use this flaw to crash a Qemu process on the host resulting in DoS.
CVE-2019-12067:
CVE-2015-8817: QEMU (aka Quick Emulator) built to use 'address_space_translate' to map an address to a MemoryRegionSection is vulnerable to an OOB r/w access issue. It could occur while doing pci_dma_read/write calls. Affects QEMU versions >= 1.6.0 and <= 2.3.1. A privileged user inside guest could use this flaw to crash the guest instance resulting in DoS.
CVE-2017-13672: QEMU (aka Quick Emulator), when built with the VGA display emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update.
CVE-2018-19665: The Bluetooth subsystem in QEMU mishandles negative values for length variables, leading to memory corruption.
CVE-2018-18438: Qemu has integer overflows because IOReadHandler and its associated functions use a signed integer data type for a size value.
CVE-2019-8934: hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest.

Please fix them.

Created: 2015-09-05 Last update: 2019-12-07 07:32

9 ignored security issues in stretch low

There are 9 open security issues in stretch.

9 issues skipped by the security teams:

CVE-2019-15890: libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c.
CVE-2018-15746: qemu-seccomp.c in QEMU might allow local OS guest users to cause a denial of service (guest crash) by leveraging mishandling of the seccomp policy for threads other than the main thread.
CVE-2019-5008: hw/sparc64/sun4u.c in QEMU 3.1.50 is vulnerable to a NULL pointer dereference, which allows the attacker to cause a denial of service via a device driver.
CVE-2017-9503: QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving megasas command processing.
CVE-2019-12067:
CVE-2018-19665: The Bluetooth subsystem in QEMU mishandles negative values for length variables, leading to memory corruption.
CVE-2018-18438: Qemu has integer overflows because IOReadHandler and its associated functions use a signed integer data type for a size value.
CVE-2019-8934: hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest.
CVE-2019-12068: In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well.

Please fix them.

Created: 2017-05-31 Last update: 2019-12-07 07:32

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2018-04-13 Last update: 2018-12-12 18:09

news

[rss feed]

[2019-12-07] qemu 1:4.1-3 MIGRATED to testing (Debian testing watch)
[2019-12-02] Accepted qemu 1:4.1-3 (source) into unstable (Michael Tokarev)
[2019-11-29] Accepted qemu 1:4.1-2 (source) into unstable (Michael Tokarev)
[2019-11-19] Accepted qemu 1:3.1+dfsg-8+deb10u3 (source) into proposed-updates->stable-new, proposed-updates (Salvatore Bonaccorso)
[2019-11-12] Accepted qemu 1:3.1+dfsg-8+deb10u3 (source) into stable->embargoed, stable (Salvatore Bonaccorso)
[2019-09-20] Accepted qemu 1:2.1+dfsg-12+deb8u12 (source amd64) into oldoldstable (Sylvain Beucler)
[2019-09-07] Accepted qemu 1:3.1+dfsg-8+deb10u2 (source) into proposed-updates->stable-new, proposed-updates (Michael Tokarev)
[2019-09-02] Accepted qemu 1:3.1+dfsg-8+deb10u2 (source) into stable->embargoed, stable (Michael Tokarev)
[2019-09-01] qemu 1:4.1-1 MIGRATED to testing (Debian testing watch)
[2019-08-27] Accepted qemu 1:4.1-1 (source) into unstable (Michael Tokarev)
[2019-08-25] Accepted qemu 1:2.8+dfsg-6+deb9u8 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Michael Tokarev)
[2019-08-24] Accepted qemu 1:2.8+dfsg-6+deb9u8 (source) into oldstable->embargoed, oldstable (Michael Tokarev)
[2019-07-26] qemu 1:3.1+dfsg-8 MIGRATED to testing (Debian testing watch)
[2019-06-10] qemu 1:3.1+dfsg-8~deb10u1 MIGRATED to testing (Debian testing watch)
[2019-06-07] Accepted qemu 1:3.1+dfsg-8~deb10u1 (source) into testing-proposed-updates (Salvatore Bonaccorso)
[2019-06-07] Accepted qemu 1:2.8+dfsg-6+deb9u7 (source amd64) into proposed-updates->stable-new, proposed-updates (Moritz Mühlenhoff)
[2019-06-06] Accepted qemu 1:2.8+dfsg-6+deb9u7 (source amd64) into stable->embargoed, stable (Moritz Mühlenhoff)
[2019-06-03] Accepted qemu 1:2.8+dfsg-6+deb9u6 (source) into proposed-updates->stable-new, proposed-updates (Michael Tokarev)
[2019-05-29] Accepted qemu 1:2.8+dfsg-6+deb9u6 (source) into stable->embargoed, stable (Michael Tokarev)
[2019-05-28] Accepted qemu 1:3.1+dfsg-8 (source) into unstable (Michael Tokarev)
[2019-05-09] Accepted qemu 1:2.1+dfsg-12+deb8u11 (source amd64) into oldstable (Emilio Pozuelo Monfort)
[2019-04-06] qemu 1:3.1+dfsg-7 MIGRATED to testing (Debian testing watch)
[2019-03-27] Accepted qemu 1:3.1+dfsg-7 (source) into unstable (Michael Tokarev)
[2019-03-18] Accepted qemu 1:3.1+dfsg-6 (source) into unstable (Michael Tokarev)
[2019-03-16] qemu 1:3.1+dfsg-5 MIGRATED to testing (Debian testing watch)
[2019-03-11] Accepted qemu 1:3.1+dfsg-5 (source) into unstable (Michael Tokarev)
[2019-02-28] Accepted qemu 1:2.1+dfsg-12+deb8u10 (source amd64) into oldstable (Hugo Lefeuvre)
[2019-02-19] qemu 1:3.1+dfsg-4 MIGRATED to testing (Debian testing watch)
[2019-02-12] Accepted qemu 1:3.1+dfsg-4 (source) into unstable (Michael Tokarev)
[2019-02-06] Accepted qemu 1:3.1+dfsg-3 (source) into unstable (Michael Tokarev)

bugs [bug history graph]

all: 169 182
RC: 0
I&N: 95 99
M&W: 74 83
F&P: 0
patch: 9

links

homepage
buildd: logs, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1:4.0+dfsg-0ubuntu10
61 bugs (3 patches)