http://git.qemu.org/?p=qemu.git;a=commit;h=60253ed1e6ec6d8e5ef2efe7bf755f475dce9956

[oss-security] 20160304 CVE request Qemu: rng-random: arbitrary stack based allocation leading to corruption

[oss-security] 20160306 Re: CVE request Qemu: rng-random: arbitrary stack based allocation leading to corruption

84134

USN-2974-1

https://bugzilla.redhat.com/show_bug.cgi?id=1314676

[debian-lts-announce] 20181130 [SECURITY] [DLA 1599-1] qemu security update

GLSA-201604-01

According to the versions of the qemu-kvm packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c     misuses snprintf return values, leading to a buffer     overflow in later code.(CVE-2020-8608)

  - This vulnerability has been modified since it was last     analyzed by the NVD. It is awaiting reanalysis which     may result in further changes to the information     provided.(CVE-2019-11135)

  - tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in     QEMU 4.2.0, mismanages memory, as demonstrated by IRC     DCC commands in EMU_IRC. This can cause a heap-based     buffer overflow or other out-of-bounds access which can     lead to a DoS or potential execute arbitrary     code.(CVE-2020-7039)

  - ip_reass in ip_input.c in libslirp 4.0.0 has a     heap-based buffer overflow via a large packet because     it mishandles a case involving the first     fragment.(CVE-2019-14378)

  - Integer overflow in the VNC display driver in QEMU     before 2.1.0 allows attachers to cause a denial of     service (process crash) via a CLIENT_CUT_TEXT message,     which triggers an infinite loop.(CVE-2015-5239)

  - Buffer overflow in the send_control_msg function in     hw/char/virtio-serial-bus.c in QEMU before 2.4.0 allows     guest users to cause a denial of service (QEMU process     crash) via a crafted virtio control     message.(CVE-2015-5745)

  - The ne2000_receive function in hw/net/ne2000.c in QEMU     before 2.4.0.1 allows attackers to cause a denial of     service (infinite loop and instance crash) or possibly     execute arbitrary code via vectors related to receiving     packets.(CVE-2015-5278)

  - The process_tx_desc function in hw/net/e1000.c in QEMU     before 2.4.0.1 does not properly process transmit     descriptor data when sending a network packet, which     allows attackers to cause a denial of service (infinite     loop and guest crash) via unspecified     vectors.(CVE-2015-6815)

  - Heap-based buffer overflow in the ne2000_receive     function in hw/net/ne2000.c in QEMU before 2.4.0.1     allows guest OS users to cause a denial of service     (instance crash) or possibly execute arbitrary code via     vectors related to receiving packets.(CVE-2015-5279)

  - Heap-based buffer overflow in the .receive callback of     xlnx.xps-ethernetlite in QEMU (aka Quick Emulator)     allows attackers to execute arbitrary code on the QEMU     host via a large ethlite packet.(CVE-2016-7161)

  - hw/net/vmxnet3.c in QEMU 2.0.0-rc0, 1.7.1, and earlier     allows local guest users to cause a denial of service     or possibly execute arbitrary code via vectors related     to (1) RX or (2) TX queue numbers or (3) interrupt     indices. NOTE: some of these details are obtained from     third party information.(CVE-2013-4544)

  - The slirp_smb function in net/slirp.c in QEMU 2.3.0 and     earlier creates temporary files with predictable names,     which allows local users to cause a denial of service     (instantiation failure) by creating /tmp/qemu-smb.*-*     files before the program.(CVE-2015-4037)

  - hw/ide/core.c in QEMU does not properly restrict the     commands accepted by an ATAPI device, which allows     guest users to cause a denial of service or possibly     have unspecified other impact via certain IDE commands,     as demonstrated by a WIN_READ_NATIVE_MAX command to an     empty drive, which triggers a divide-by-zero error and     instance crash.(CVE-2015-6855)

  - hw/virtio/virtio.c in the Virtual Network Device     (virtio-net) support in QEMU, when big or mergeable     receive buffers are not supported, allows remote     attackers to cause a denial of service (guest network     consumption) via a flood of jumbo frames on the (1)     tuntap or (2) macvtap interface.(CVE-2015-7295)

  - The MSI-X MMIO support in hw/pci/msix.c in QEMU (aka     Quick Emulator) allows local guest OS privileged users     to cause a denial of service (NULL pointer dereference     and QEMU process crash) by leveraging failure to define     the .write method.(CVE-2015-7549)

  - The eepro100 emulator in QEMU qemu-kvm blank allows     local guest users to cause a denial of service     (application crash and infinite loop) via vectors     involving the command block list.(CVE-2015-8345)

  - Qemu, when built with VNC display driver support,     allows remote attackers to cause a denial of service     (arithmetic exception and application crash) via     crafted SetPixelFormat messages from a     client.(CVE-2015-8504)

  - The ehci_process_itd function in hw/usb/hcd-ehci.c in     QEMU allows local guest OS administrators to cause a     denial of service (infinite loop and CPU consumption)     via a circular isochronous transfer descriptor (iTD)     list.(CVE-2015-8558)

  - Memory leak in net/vmxnet3.c in QEMU allows remote     attackers to cause a denial of service (memory     consumption).(CVE-2015-8567)

  - Memory leak in QEMU, when built with a VMWARE VMXNET3     paravirtual NIC emulator support, allows local guest     users to cause a denial of service (host memory     consumption) by trying to activate the vmxnet3 device     repeatedly.(CVE-2015-8568)

  - Stack-based buffer overflow in the     megasas_ctrl_get_info function in QEMU, when built with     SCSI MegaRAID SAS HBA emulation support, allows local     guest users to cause a denial of service (QEMU instance     crash) via a crafted SCSI controller CTRL_GET_INFO     command.(CVE-2015-8613)

  - Use-after-free vulnerability in hw/ide/ahci.c in QEMU,     when built with IDE AHCI Emulation support, allows     guest OS users to cause a denial of service (instance     crash) or possibly execute arbitrary code via an     invalid AHCI Native Command Queuing (NCQ) AIO     command.(CVE-2016-1568)

  - QEMU (aka Quick Emulator) built with the USB EHCI     emulation support is vulnerable to a null pointer     dereference flaw. It could occur when an application     attempts to write to EHCI capabilities registers. A     privileged user inside quest could use this flaw to     crash the QEMU process instance resulting in     DoS.(CVE-2016-2198)

  - The ohci_bus_start function in the USB OHCI emulation     support (hw/usb/hcd-ohci.c) in QEMU allows local guest     OS administrators to cause a denial of service (NULL     pointer dereference and QEMU process crash) via vectors     related to multiple eof_timers.(CVE-2016-2391)

  - The is_rndis function in the USB Net device emulator     (hw/usb/dev-network.c) in QEMU before 2.5.1 does not     properly validate USB configuration descriptor objects,     which allows local guest OS administrators to cause a     denial of service (NULL pointer dereference and QEMU     process crash) via vectors involving a remote NDIS     control message packet.(CVE-2016-2392)

  - Multiple integer overflows in the USB Net device     emulator (hw/usb/dev-network.c) in QEMU before 2.5.1     allow local guest OS administrators to cause a denial     of service (QEMU process crash) or obtain sensitive     host memory information via a remote NDIS control     message packet that is mishandled in the (1)     rndis_query_response, (2) rndis_set_response, or (3)     usb_net_handle_dataout function.(CVE-2016-2538)

  - The ne2000_receive function in the NE2000 NIC emulation     support (hw/net/ne2000.c) in QEMU before 2.5.1 allows     local guest OS administrators to cause a denial of     service (infinite loop and QEMU process crash) via     crafted values for the PSTART and PSTOP registers,     involving ring buffer control.(CVE-2016-2841)

  - QEMU, when built with the Pseudo Random Number     Generator (PRNG) back-end support, allows local guest     OS users to cause a denial of service (process crash)     via an entropy request, which triggers arbitrary stack     based allocation and memory corruption.(CVE-2016-2858)

  - Buffer overflow in the stellaris_enet_receive function     in hw/net/stellaris_enet.c in QEMU, when the Stellaris     ethernet controller is configured to accept large     packets, allows remote attackers to cause a denial of     service (QEMU crash) via a large packet.(CVE-2016-4001)

  - Buffer overflow in the mipsnet_receive function in     hw/net/mipsnet.c in QEMU, when the guest NIC is     configured to accept large packets, allows remote     attackers to cause a denial of service (memory     corruption and QEMU crash) or possibly execute     arbitrary code via a packet larger than 1514     bytes.(CVE-2016-4002)

  - The ehci_advance_state function in hw/usb/hcd-ehci.c in     QEMU allows local guest OS administrators to cause a     denial of service (infinite loop and CPU consumption)     via a circular split isochronous transfer descriptor     (siTD) list, a related issue to     CVE-2015-8558.(CVE-2016-4037)

  - The vmsvga_fifo_run function in hw/display/vmware_vga.c     in QEMU allows local guest OS administrators to cause a     denial of service (infinite loop and QEMU process     crash) via a VGA command.(CVE-2016-4453)

  - The vmsvga_fifo_read_raw function in     hw/display/vmware_vga.c in QEMU allows local guest OS     administrators to obtain sensitive host memory     information or cause a denial of service (QEMU process     crash) by changing FIFO registers and issuing a VGA     command, which triggers an out-of-bounds     read.(CVE-2016-4454)

  - The net_tx_pkt_do_sw_fragmentation function in     hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows     local guest OS administrators to cause a denial of     service (infinite loop and QEMU process crash) via a     zero length for the current fragment     length.(CVE-2016-6834)

  - The vmxnet_tx_pkt_parse_headers function in     hw/net/vmxnet_tx_pkt.c in QEMU (aka Quick Emulator)     allows local guest OS administrators to cause a denial     of service (buffer over-read) by leveraging failure to     check IP header length.(CVE-2016-6835)

  - The vmxnet3_complete_packet function in     hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows     local guest OS administrators to obtain sensitive host     memory information by leveraging failure to initialize     the txcq_descr object.(CVE-2016-6836)

  - Integer overflow in the net_tx_pkt_init function in     hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows     local guest OS administrators to cause a denial of     service (QEMU process crash) via the maximum     fragmentation count, which triggers an unchecked     multiplication and NULL pointer     dereference.(CVE-2016-6888)

  - Directory traversal vulnerability in hw/9pfs/9p.c in     QEMU (aka Quick Emulator) allows local guest OS     administrators to access host files outside the export     path via a .. (dot dot) in an unspecified     string.(CVE-2016-7116)

  - The pvscsi_ring_pop_req_descr function in     hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator)     allows local guest OS administrators to cause a denial     of service (infinite loop and QEMU process crash) by     leveraging failure to limit process IO loop to the ring     size.(CVE-2016-7421)

  - The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU     (aka Quick Emulator) does not properly limit the buffer     descriptor count when transmitting packets, which     allows local guest OS administrators to cause a denial     of service (infinite loop and QEMU process crash) via     vectors involving a buffer descriptor with a length of     0 and crafted values in bd.flags.(CVE-2016-7908)

  - The pcnet_rdra_addr function in hw/net/pcnet.c in QEMU     (aka Quick Emulator) allows local guest OS     administrators to cause a denial of service (infinite     loop and QEMU process crash) by setting the (1) receive     or (2) transmit descriptor ring length to     0.(CVE-2016-7909)

  - The xhci_ring_fetch function in hw/usb/hcd-xhci.c in     QEMU (aka Quick Emulator) allows local guest OS     administrators to cause a denial of service (infinite     loop and QEMU process crash) by leveraging failure to     limit the number of link Transfer Request Blocks (TRB)     to process.(CVE-2016-8576)

  - The serial_update_parameters function in     hw/char/serial.c in QEMU (aka Quick Emulator) allows     local guest OS administrators to cause a denial of     service (divide-by-zero error and QEMU process crash)     via vectors involving a value of divider greater than     baud base.(CVE-2016-8669)

  - The intel_hda_xfer function in hw/audio/intel-hda.c in     QEMU (aka Quick Emulator) allows local guest OS     administrators to cause a denial of service (infinite     loop and CPU consumption) via an entry with the same     value for buffer length and pointer     position.(CVE-2016-8909)

  - The rtl8139_cplus_transmit function in hw/net/rtl8139.c     in QEMU (aka Quick Emulator) allows local guest OS     administrators to cause a denial of service (infinite     loop and CPU consumption) by leveraging failure to     limit the ring descriptor count.(CVE-2016-8910)

  - Memory leak in the v9fs_xattrcreate function in     hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local     guest OS administrators to cause a denial of service     (memory consumption and QEMU process crash) via a large     number of Txattrcreate messages with the same fid     number.(CVE-2016-9102)

  - The v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU     (aka Quick Emulator) allows local guest OS     administrators to obtain sensitive host heap memory     information by reading xattribute values before writing     to them.(CVE-2016-9103)

  - Multiple integer overflows in the (1) v9fs_xattr_read     and (2) v9fs_xattr_write functions in hw/9pfs/9p.c in     QEMU (aka Quick Emulator) allow local guest OS     administrators to cause a denial of service (QEMU     process crash) via a crafted offset, which triggers an     out-of-bounds access.(CVE-2016-9104)

  - Memory leak in the v9fs_link function in hw/9pfs/9p.c     in QEMU (aka Quick Emulator) allows local guest OS     administrators to cause a denial of service (memory     consumption) via vectors involving a reference to the     source fid object.(CVE-2016-9105)

  - Memory leak in the v9fs_write function in hw/9pfs/9p.c     in QEMU (aka Quick Emulator) allows local guest OS     administrators to cause a denial of service (memory     consumption) by leveraging failure to free an IO     vector.(CVE-2016-9106)

  - Race condition in QEMU in Xen allows local x86 HVM     guest OS administrators to gain privileges by changing     certain data on shared rings, aka a 'double fetch'     vulnerability.(CVE-2016-9381)

  - Quick Emulator (Qemu) built with the USB redirector     usb-guest support is vulnerable to a memory leakage     flaw. It could occur while destroying the USB     redirector in 'usbredir_handle_destroy'. A guest     user/process could use this issue to leak host memory,     resulting in DoS for a host.(CVE-2016-9907)

  - Quick Emulator (Qemu) built with the USB EHCI Emulation     support is vulnerable to a memory leakage issue. It     could occur while processing packet data in     'ehci_init_transfer'. A guest user/process could use     this issue to leak host memory, resulting in DoS for a     host.(CVE-2016-9911)

  - Stack-based buffer overflow in hw/usb/redirect.c in     QEMU (aka Quick Emulator) allows local guest OS users     to cause a denial of service (QEMU process crash) via     vectors related to logging debug     messages.(CVE-2017-10806)

  - The dhcp_decode function in slirp/bootp.c in QEMU (aka     Quick Emulator) allows local guest OS users to cause a     denial of service (out-of-bounds read and QEMU process     crash) via a crafted DHCP options     string.(CVE-2017-11434)

  - Integer overflow in the macro ROUND_UP (n, d) in Quick     Emulator (Qemu) allows a user to cause a denial of     service (Qemu process crash).(CVE-2017-18043)

  - Memory leak in the serial_exit_core function in     hw/char/serial.c in QEMU (aka Quick Emulator) allows     local guest OS privileged users to cause a denial of     service (host memory consumption and QEMU process     crash) via a large number of device unplug     operations.(CVE-2017-5579)

  - The xhci_kick_epctx function in hw/usb/hcd-xhci.c in     QEMU (aka Quick Emulator) allows local guest OS     privileged users to cause a denial of service (infinite     loop and QEMU process crash) via vectors related to     control transfer descriptor sequence.(CVE-2017-5973)

  - Memory leak in the audio/audio.c in QEMU (aka Quick     Emulator) allows remote attackers to cause a denial of     service (memory consumption) by repeatedly starting and     stopping audio capture.(CVE-2017-8309)

  - Memory leak in QEMU (aka Quick Emulator), when built     with IDE AHCI Emulation support, allows local guest OS     privileged users to cause a denial of service (memory     consumption) by repeatedly hot-unplugging the AHCI     device.(CVE-2017-9373)

  - Memory leak in QEMU (aka Quick Emulator), when built     with USB EHCI Emulation support, allows local guest OS     privileged users to cause a denial of service (memory     consumption) by repeatedly hot-unplugging the     device.(CVE-2017-9374)

  - Qemu emulator <= 3.0.0 built with the NE2000 NIC     emulation support is vulnerable to an integer overflow,     which could lead to buffer overflow issue. It could     occur when receiving packets over the network. A user     inside guest could use this flaw to crash the Qemu     process resulting in DoS.(CVE-2018-10839)

  - qemu-seccomp.c in QEMU might allow local OS guest users     to cause a denial of service (guest crash) by     leveraging mishandling of the seccomp policy for     threads other than the main thread.(CVE-2018-15746)

  - Qemu has a Buffer Overflow in rtl8139_do_receive in     hw/net/rtl8139.c because an incorrect integer data type     is used.(CVE-2018-17958)

  - qemu_deliver_packet_iov in net/net.c in Qemu accepts     packet sizes greater than INT_MAX, which allows     attackers to cause a denial of service or possibly have     unspecified other impact.(CVE-2018-17963)

  - In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a     heap-based buffer overflow.(CVE-2019-6778)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the qemu-kvm packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Race condition in QEMU in Xen allows local x86 HVM     guest OS administrators to gain privileges by changing     certain data on shared rings, aka a 'double fetch'     vulnerability.(CVE-2016-9381)

  - The ohci_bus_start function in the USB OHCI emulation     support (hw/usb/hcd-ohci.c) in QEMU allows local guest     OS administrators to cause a denial of service (NULL     pointer dereference and QEMU process crash) via vectors     related to multiple eof_timers.(CVE-2016-2391)

  - qemu_deliver_packet_iov in net/net.c in Qemu accepts     packet sizes greater than INT_MAX, which allows     attackers to cause a denial of service or possibly have     unspecified other impact.(CVE-2018-17963)

  - Memory leak in the serial_exit_core function in     hw/char/serial.c in QEMU (aka Quick Emulator) allows     local guest OS privileged users to cause a denial of     service (host memory consumption and QEMU process     crash) via a large number of device unplug     operations.(CVE-2017-5579)

  - Memory leak in QEMU (aka Quick Emulator), when built     with IDE AHCI Emulation support, allows local guest OS     privileged users to cause a denial of service (memory     consumption) by repeatedly hot-unplugging the AHCI     device.(CVE-2017-9373)

  - Microarchitectural Store Buffer Data Sampling (MSBDS):
    Store buffers on some microprocessors utilizing     speculative execution may allow an authenticated user     to potentially enable information disclosure via a side     channel with local access. A list of impacted products     can be found here:
    https://www.intel.com/content/dam/www/public/us/en/docu     ments/corporate-information/SA00233-microcode-update-gu     idance_05132019.pdf(CVE-2018-12126)

  - Microarchitectural Data Sampling Uncacheable Memory     (MDSUM): Uncacheable memory on some microprocessors     utilizing speculative execution may allow an     authenticated user to potentially enable information     disclosure via a side channel with local access. A list     of impacted products can be found here:
    https://www.intel.com/content/dam/www/public/us/en/docu     ments/corporate-information/SA00233-microcode-update-gu     idance_05132019.pdf(CVE-2019-11091)

  - Microarchitectural Fill Buffer Data Sampling (MFBDS):
    Fill buffers on some microprocessors utilizing     speculative execution may allow an authenticated user     to potentially enable information disclosure via a side     channel with local access. A list of impacted products     can be found here:
    https://www.intel.com/content/dam/www/public/us/en/docu     ments/corporate-information/SA00233-microcode-update-gu     idance_05132019.pdf(CVE-2018-12130)

  - Microarchitectural Load Port Data Sampling (MLPDS):
    Load ports on some microprocessors utilizing     speculative execution may allow an authenticated user     to potentially enable information disclosure via a side     channel with local access. A list of impacted products     can be found here:
    https://www.intel.com/content/dam/www/public/us/en/docu     ments/corporate-information/SA00233-microcode-update-gu     idance_05132019.pdf(CVE-2018-12127)

  - Directory traversal vulnerability in hw/9pfs/9p.c in     QEMU (aka Quick Emulator) allows local guest OS     administrators to access host files outside the export     path via a .. (dot dot) in an unspecified     string.(CVE-2016-7116)

  - QEMU, when built with the Pseudo Random Number     Generator (PRNG) back-end support, allows local guest     OS users to cause a denial of service (process crash)     via an entropy request, which triggers arbitrary stack     based allocation and memory corruption.(CVE-2016-2858)

  - hw/ide/core.c in QEMU does not properly restrict the     commands accepted by an ATAPI device, which allows     guest users to cause a denial of service or possibly     have unspecified other impact via certain IDE commands,     as demonstrated by a WIN_READ_NATIVE_MAX command to an     empty drive, which triggers a divide-by-zero error and     instance crash.(CVE-2015-6855)

  - The slirp_smb function in net/slirp.c in QEMU 2.3.0 and     earlier creates temporary files with predictable names,     which allows local users to cause a denial of service     (instantiation failure) by creating /tmp/qemu-smb.*-*     files before the program.(CVE-2015-4037)

  - The MSI-X MMIO support in hw/pci/msix.c in QEMU (aka     Quick Emulator) allows local guest OS privileged users     to cause a denial of service (NULL pointer dereference     and QEMU process crash) by leveraging failure to define     the .write method.(CVE-2015-7549)

  - The ne2000_receive function in the NE2000 NIC emulation     support (hw/net/ne2000.c) in QEMU before 2.5.1 allows     local guest OS administrators to cause a denial of     service (infinite loop and QEMU process crash) via     crafted values for the PSTART and PSTOP registers,     involving ring buffer control.(CVE-2016-2841)

  - The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU     (aka Quick Emulator) does not properly limit the buffer     descriptor count when transmitting packets, which     allows local guest OS administrators to cause a denial     of service (infinite loop and QEMU process crash) via     vectors involving a buffer descriptor with a length of     0 and crafted values in bd.flags.(CVE-2016-7908)

  - Integer overflow in the macro ROUND_UP (n, d) in Quick     Emulator (Qemu) allows a user to cause a denial of     service (Qemu process crash).(CVE-2017-18043)

  - The xhci_kick_epctx function in hw/usb/hcd-xhci.c in     QEMU (aka Quick Emulator) allows local guest OS     privileged users to cause a denial of service (infinite     loop and QEMU process crash) via vectors related to     control transfer descriptor sequence.(CVE-2017-5973)

  - Memory leak in QEMU (aka Quick Emulator), when built     with USB EHCI Emulation support, allows local guest OS     privileged users to cause a denial of service (memory     consumption) by repeatedly hot-unplugging the     device.(CVE-2017-9374)

  - Use-after-free vulnerability in hw/ide/ahci.c in QEMU,     when built with IDE AHCI Emulation support, allows     guest OS users to cause a denial of service (instance     crash) or possibly execute arbitrary code via an     invalid AHCI Native Command Queuing (NCQ) AIO     command.(CVE-2016-1568)

  - Buffer overflow in the stellaris_enet_receive function     in hw/net/stellaris_enet.c in QEMU, when the Stellaris     ethernet controller is configured to accept large     packets, allows remote attackers to cause a denial of     service (QEMU crash) via a large packet.(CVE-2016-4001)

  - Buffer overflow in the mipsnet_receive function in     hw/net/mipsnet.c in QEMU, when the guest NIC is     configured to accept large packets, allows remote     attackers to cause a denial of service (memory     corruption and QEMU crash) or possibly execute     arbitrary code via a packet larger than 1514     bytes.(CVE-2016-4002)

  - The pvscsi_ring_pop_req_descr function in     hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator)     allows local guest OS administrators to cause a denial     of service (infinite loop and QEMU process crash) by     leveraging failure to limit process IO loop to the ring     size.(CVE-2016-7421)

  - Quick Emulator (Qemu) built with the USB redirector     usb-guest support is vulnerable to a memory leakage     flaw. It could occur while destroying the USB     redirector in 'usbredir_handle_destroy'. A guest     user/process could use this issue to leak host memory,     resulting in DoS for a host.(CVE-2016-9907)

  - qemu-seccomp.c in QEMU might allow local OS guest users     to cause a denial of service (guest crash) by     leveraging mishandling of the seccomp policy for     threads other than the main thread.(CVE-2018-15746)

  - Stack-based buffer overflow in hw/usb/redirect.c in     QEMU (aka Quick Emulator) allows local guest OS users     to cause a denial of service (QEMU process crash) via     vectors related to logging debug     messages.(CVE-2017-10806)

  - The dhcp_decode function in slirp/bootp.c in QEMU (aka     Quick Emulator) allows local guest OS users to cause a     denial of service (out-of-bounds read and QEMU process     crash) via a crafted DHCP options     string.(CVE-2017-11434)

  - Memory leak in the audio/audio.c in QEMU (aka Quick     Emulator) allows remote attackers to cause a denial of     service (memory consumption) by repeatedly starting and     stopping audio capture.(CVE-2017-8309)

  - Qemu emulator <= 3.0.0 built with the NE2000 NIC     emulation support is vulnerable to an integer overflow,     which could lead to buffer overflow issue. It could     occur when receiving packets over the network. A user     inside guest could use this flaw to crash the Qemu     process resulting in DoS.(CVE-2018-10839)

  - Qemu has a Buffer Overflow in rtl8139_do_receive in     hw/net/rtl8139.c because an incorrect integer data type     is used.(CVE-2018-17958)

  - In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a     heap-based buffer overflow.(CVE-2019-6778)

  - The vmxnet_tx_pkt_parse_headers function in     hw/net/vmxnet_tx_pkt.c in QEMU (aka Quick Emulator)     allows local guest OS administrators to cause a denial     of service (buffer over-read) by leveraging failure to     check IP header length.(CVE-2016-6835)

  - Memory leak in the v9fs_xattrcreate function in     hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local     guest OS administrators to cause a denial of service     (memory consumption and QEMU process crash) via a large     number of Txattrcreate messages with the same fid     number.(CVE-2016-9102)

  - The v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU     (aka Quick Emulator) allows local guest OS     administrators to obtain sensitive host heap memory     information by reading xattribute values before writing     to them.(CVE-2016-9103)

  - Multiple integer overflows in the (1) v9fs_xattr_read     and (2) v9fs_xattr_write functions in hw/9pfs/9p.c in     QEMU (aka Quick Emulator) allow local guest OS     administrators to cause a denial of service (QEMU     process crash) via a crafted offset, which triggers an     out-of-bounds access.(CVE-2016-9104)

  - Memory leak in the v9fs_link function in hw/9pfs/9p.c     in QEMU (aka Quick Emulator) allows local guest OS     administrators to cause a denial of service (memory     consumption) via vectors involving a reference to the     source fid object.(CVE-2016-9105)

  - Memory leak in the v9fs_write function in hw/9pfs/9p.c     in QEMU (aka Quick Emulator) allows local guest OS     administrators to cause a denial of service (memory     consumption) by leveraging failure to free an IO     vector.(CVE-2016-9106)

  - Quick Emulator (Qemu) built with the USB EHCI Emulation     support is vulnerable to a memory leakage issue. It     could occur while processing packet data in     'ehci_init_transfer'. A guest user/process could use     this issue to leak host memory, resulting in DoS for a     host.(CVE-2016-9911)

  - The net_tx_pkt_do_sw_fragmentation function in     hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows     local guest OS administrators to cause a denial of     service (infinite loop and QEMU process crash) via a     zero length for the current fragment     length.(CVE-2016-6834)

  - The vmxnet3_complete_packet function in     hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows     local guest OS administrators to obtain sensitive host     memory information by leveraging failure to initialize     the txcq_descr object.(CVE-2016-6836)

  - Integer overflow in the net_tx_pkt_init function in     hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows     local guest OS administrators to cause a denial of     service (QEMU process crash) via the maximum     fragmentation count, which triggers an unchecked     multiplication and NULL pointer     dereference.(CVE-2016-6888)

  - The pcnet_rdra_addr function in hw/net/pcnet.c in QEMU     (aka Quick Emulator) allows local guest OS     administrators to cause a denial of service (infinite     loop and QEMU process crash) by setting the (1) receive     or (2) transmit descriptor ring length to     0.(CVE-2016-7909)

  - The xhci_ring_fetch function in hw/usb/hcd-xhci.c in     QEMU (aka Quick Emulator) allows local guest OS     administrators to cause a denial of service (infinite     loop and QEMU process crash) by leveraging failure to     limit the number of link Transfer Request Blocks (TRB)     to process.(CVE-2016-8576)

  - The serial_update_parameters function in     hw/char/serial.c in QEMU (aka Quick Emulator) allows     local guest OS administrators to cause a denial of     service (divide-by-zero error and QEMU process crash)     via vectors involving a value of divider greater than     baud base.(CVE-2016-8669)

  - The intel_hda_xfer function in hw/audio/intel-hda.c in     QEMU (aka Quick Emulator) allows local guest OS     administrators to cause a denial of service (infinite     loop and CPU consumption) via an entry with the same     value for buffer length and pointer     position.(CVE-2016-8909)

  - The rtl8139_cplus_transmit function in hw/net/rtl8139.c     in QEMU (aka Quick Emulator) allows local guest OS     administrators to cause a denial of service (infinite     loop and CPU consumption) by leveraging failure to     limit the ring descriptor count.(CVE-2016-8910)

  - Stack-based buffer overflow in the     megasas_ctrl_get_info function in QEMU, when built with     SCSI MegaRAID SAS HBA emulation support, allows local     guest users to cause a denial of service (QEMU instance     crash) via a crafted SCSI controller CTRL_GET_INFO     command.(CVE-2015-8613)

  - QEMU (aka Quick Emulator) built with the USB EHCI     emulation support is vulnerable to a null pointer     dereference flaw. It could occur when an application     attempts to write to EHCI capabilities registers. A     privileged user inside quest could use this flaw to     crash the QEMU process instance resulting in     DoS.(CVE-2016-2198)

  - The is_rndis function in the USB Net device emulator     (hw/usb/dev-network.c) in QEMU before 2.5.1 does not     properly validate USB configuration descriptor objects,     which allows local guest OS administrators to cause a     denial of service (NULL pointer dereference and QEMU     process crash) via vectors involving a remote NDIS     control message packet.(CVE-2016-2392)

  - The ehci_advance_state function in hw/usb/hcd-ehci.c in     QEMU allows local guest OS administrators to cause a     denial of service (infinite loop and CPU consumption)     via a circular split isochronous transfer descriptor     (siTD) list, a related issue to     CVE-2015-8558.(CVE-2016-4037)

  - The vmsvga_fifo_run function in hw/display/vmware_vga.c     in QEMU allows local guest OS administrators to cause a     denial of service (infinite loop and QEMU process     crash) via a VGA command.(CVE-2016-4453)

  - The vmsvga_fifo_read_raw function in     hw/display/vmware_vga.c in QEMU allows local guest OS     administrators to obtain sensitive host memory     information or cause a denial of service (QEMU process     crash) by changing FIFO registers and issuing a VGA     command, which triggers an out-of-bounds     read.(CVE-2016-4454)

  - hw/virtio/virtio.c in the Virtual Network Device     (virtio-net) support in QEMU, when big or mergeable     receive buffers are not supported, allows remote     attackers to cause a denial of service (guest network     consumption) via a flood of jumbo frames on the (1)     tuntap or (2) macvtap interface.(CVE-2015-7295)

  - The eepro100 emulator in QEMU qemu-kvm blank allows     local guest users to cause a denial of service     (application crash and infinite loop) via vectors     involving the command block list.(CVE-2015-8345)

  - Qemu, when built with VNC display driver support,     allows remote attackers to cause a denial of service     (arithmetic exception and application crash) via     crafted SetPixelFormat messages from a     client.(CVE-2015-8504)

  - The ehci_process_itd function in hw/usb/hcd-ehci.c in     QEMU allows local guest OS administrators to cause a     denial of service (infinite loop and CPU consumption)     via a circular isochronous transfer descriptor (iTD)     list.(CVE-2015-8558)

  - Memory leak in net/vmxnet3.c in QEMU allows remote     attackers to cause a denial of service (memory     consumption).(CVE-2015-8567)

  - Memory leak in QEMU, when built with a VMWARE VMXNET3     paravirtual NIC emulator support, allows local guest     users to cause a denial of service (host memory     consumption) by trying to activate the vmxnet3 device     repeatedly.(CVE-2015-8568)

  - Buffer overflow in the pxa2xx_ssp_load function in     hw/arm/pxa2xx.c in QEMU before 1.7.2 allows remote     attackers to cause a denial of service or possibly     execute arbitrary code via a crafted s->rx_level value     in a savevm image.(CVE-2013-4533)

  - hw/net/vmxnet3.c in QEMU 2.0.0-rc0, 1.7.1, and earlier     allows local guest users to cause a denial of service     or possibly execute arbitrary code via vectors related     to (1) RX or (2) TX queue numbers or (3) interrupt     indices. NOTE: some of these details are obtained from     third party information.(CVE-2013-4544)

  - Multiple integer overflows in the USB Net device     emulator (hw/usb/dev-network.c) in QEMU before 2.5.1     allow local guest OS administrators to cause a denial     of service (QEMU process crash) or obtain sensitive     host memory information via a remote NDIS control     message packet that is mishandled in the (1)     rndis_query_response, (2) rndis_set_response, or (3)     usb_net_handle_dataout function.(CVE-2016-2538)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities were found in QEMU, a fast processor emulator :

CVE-2016-2391

Zuozhi Fzz discovered that eof_times in USB OHCI emulation support could be used to cause a denial of service, via a NULL pointer dereference.

CVE-2016-2392 / CVE-2016-2538

Qinghao Tang found a NULL pointer dereference and multiple integer overflows in the USB Net device support that could allow local guest OS administrators to cause a denial of service. These issues related to remote NDIS control message handling.

CVE-2016-2841

Yang Hongke reported an infinite loop vulnerability in the NE2000 NIC emulation support.

CVE-2016-2857

Liu Ling found a flaw in QEMU IP checksum routines. Attackers could take advantage of this issue to cause QEMU to crash.

CVE-2016-2858

Arbitrary stack based allocation in the Pseudo Random Number Generator (PRNG) back-end support.

CVE-2016-4001 / CVE-2016-4002

Oleksandr Bazhaniuk reported buffer overflows in the Stellaris and the MIPSnet ethernet controllers emulation. Remote malicious users could use these issues to cause QEMU to crash.

CVE-2016-4020

Donghai Zdh reported that QEMU incorrectly handled the access to the Task Priority Register (TPR), allowing local guest OS administrators to obtain sensitive information from host stack memory.

CVE-2016-4037

Du Shaobo found an infinite loop vulnerability in the USB EHCI emulation support.

CVE-2016-4439 / CVE-2016-4441 / CVE-2016-5238 / CVE-2016-5338 / CVE-2016-6351

Li Qiang found different issues in the QEMU 53C9X Fast SCSI Controller (FSC) emulation support, that made it possible for local guest OS privileged users to cause denials of service or potentially execute arbitrary code.

CVE-2016-4453 / CVE-2016-4454

Li Qiang reported issues in the QEMU VMWare VGA module handling, that may be used to cause QEMU to crash, or to obtain host sensitive information.

CVE-2016-4952 / CVE-2016-7421 / CVE-2016-7156

Li Qiang reported flaws in the VMware paravirtual SCSI bus emulation support. These issues concern an out-of-bounds access and infinite loops, that allowed local guest OS privileged users to cause a denial of service.

CVE-2016-5105 / CVE-2016-5106 / CVE-2016-5107 / CVE-2016-5337

Li Qiang discovered several issues in the MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. These issues include stack information leakage while reading configuration and out-of-bounds write and read.

CVE-2016-6834

Li Qiang reported an infinite loop vulnerability during packet fragmentation in the network transport abstraction layer support.
Local guest OS privileged users could made use of this flaw to cause a denial of service.

CVE-2016-6836 / CVE-2016-6888

Li Qiang found issues in the VMWare VMXNET3 network card emulation support, relating to information leak and integer overflow in packet initialisation.

CVE-2016-7116

Felix Wilhel discovered a directory traversal flaw in the Plan 9 File System (9pfs), exploitable by local guest OS privileged users.

CVE-2016-7155

Tom Victor and Li Qiang reported an out-of-bounds read and an infinite loop in the VMware paravirtual SCSI bus emulation support.

CVE-2016-7161

Hu Chaojian reported a heap overflow in the xlnx.xps-ethernetlite emulation support. Privileged users in local guest OS could made use of this to cause QEMU to crash.

CVE-2016-7170

Qinghao Tang and Li Qiang reported a flaw in the QEMU VMWare VGA module, that could be used by privileged user in local guest OS to cause QEMU to crash via an out-of-bounds stack memory access.

CVE-2016-7908 / CVE-2016-7909

Li Qiang reported infinite loop vulnerabilities in the ColdFire Fast Ethernet Controller and the AMD PC-Net II (Am79C970A) emulations.
These flaws allowed local guest OS administrators to cause a denial of service.

CVE-2016-8909

Huawei PSIRT found an infinite loop vulnerability in the Intel HDA emulation support, relating to DMA buffer stream processing.
Privileged users in local guest OS could made use of this to cause a denial of service.

CVE-2016-8910

Andrew Henderson reported an infinite loop in the RTL8139 ethernet controller emulation support. Privileged users inside a local guest OS could made use of this to cause a denial of service.

CVE-2016-9101

Li Qiang reported a memory leakage in the i8255x (PRO100) ethernet controller emulation support.

CVE-2016-9102 / CVE-2016-9103 / CVE-2016-9104 / CVE-2016-9105 / CVE-2016-9106 / CVE-2016-8577 / CVE-2016-8578

Li Qiang reported various Plan 9 File System (9pfs) security issues, including host memory leakage and denial of service.

CVE-2017-10664

Denial of service in the qemu-nbd (QEMU Disk Network Block Device) Server.

CVE-2018-10839 / CVE-2018-17962 / CVE-2018-17963

Daniel Shapira reported several integer overflows in the packet handling in ethernet controllers emulated by QEMU. These issues could lead to denial of service.

For Debian 8 'Jessie', these problems have been fixed in version 1:2.1+dfsg-12+deb8u8.

We recommend that you upgrade your qemu packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

kvm was updated to fix 33 security issues.

These security issues were fixed :

  - CVE-2016-4439: Avoid OOB access in 53C9X emulation     (bsc#980711)

  - CVE-2016-4441: Avoid OOB access in 53C9X emulation     (bsc#980723)

  - CVE-2016-3710: Fixed VGA emulation based OOB access with     potential for guest escape (bsc#978158)

  - CVE-2016-3712: Fixed VGa emulation based DOS and OOB     read access exploit (bsc#978160)

  - CVE-2016-4037: Fixed USB ehci based DOS (bsc#976109)

  - CVE-2016-2538: Fixed potential OOB access in USB net     device emulation (bsc#967969)

  - CVE-2016-2841: Fixed OOB access / hang in ne2000     emulation (bsc#969350)

  - CVE-2016-2858: Avoid potential DOS when using QEMU     pseudo random number generator (bsc#970036)

  - CVE-2016-2857: Fixed OOB access when processing IP     checksums (bsc#970037)

  - CVE-2016-4001: Fixed OOB access in Stellaris enet     emulated nic (bsc#975128)

  - CVE-2016-4002: Fixed OOB access in MIPSnet emulated     controller (bsc#975136)

  - CVE-2016-4020: Fixed possible host data leakage to guest     from TPR access (bsc#975700)

  - CVE-2015-3214: Fixed OOB read in i8254 PIC (bsc#934069)

  - CVE-2014-9718: Fixed the handling of malformed or short     ide PRDTs to avoid any opportunity for guest to cause     DoS by abusing that interface (bsc#928393)

  - CVE-2014-3689: Fixed insufficient parameter validation     in rectangle functions (bsc#901508)

  - CVE-2014-3615: The VGA emulator in QEMU allowed local     guest users to read host memory by setting the display     to a high resolution (bsc#895528).

  - CVE-2015-5239: Integer overflow in vnc_client_read() and     protocol_client_msg() (bsc#944463).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#945989).

  - CVE-2015-5279: Heap-based buffer overflow in the     ne2000_receive function in hw/net/ne2000.c in QEMU     allowed guest OS users to cause a denial of service     (instance crash) or possibly execute arbitrary code via     vectors related to receiving packets (bsc#945987).

  - CVE-2015-5745: Buffer overflow in virtio-serial     (bsc#940929).

  - CVE-2015-6855: hw/ide/core.c in QEMU did not properly     restrict the commands accepted by an ATAPI device, which     allowed guest users to cause a denial of service or     possibly have unspecified other impact via certain IDE     commands, as demonstrated by a WIN_READ_NATIVE_MAX     command to an empty drive, which triggers a     divide-by-zero error and instance crash (bsc#945404).

  - CVE-2015-7295: hw/virtio/virtio.c in the Virtual Network     Device (virtio-net) support in QEMU, when big or     mergeable receive buffers are not supported, allowed     remote attackers to cause a denial of service (guest     network consumption) via a flood of jumbo frames on the     (1) tuntap or (2) macvtap interface (bsc#947159).

  - CVE-2015-7549: PCI NULL pointer dereferences     (bsc#958917).

  - CVE-2015-8504: VNC floating point exception     (bsc#958491).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulting in DoS (bsc#959005).

  - CVE-2015-8613: Wrong sized memset in megasas command     handler (bsc#961358).

  - CVE-2015-8619: Potential DoS for long HMP sendkey     command argument (bsc#960334).

  - CVE-2015-8743: OOB memory access in ne2000 ioport r/w     functions (bsc#960725).

  - CVE-2016-1568: AHCI use-after-free in aio port commands     (bsc#961332).

  - CVE-2016-1714: Potential OOB memory access in processing     firmware configuration (bsc#961691).

  - CVE-2016-1922: NULL pointer dereference when processing     hmp i/o command (bsc#962320).

  - CVE-2016-1981: Potential DoS (infinite loop) in e1000     device emulation by malicious privileged user within     guest (bsc#963782).

  - CVE-2016-2198: Malicious privileged guest user were able     to cause DoS by writing to read-only EHCI capabilities     registers (bsc#964413).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

qemu was updated to fix 29 security issues.

These security issues were fixed :

  - CVE-2016-4439: Avoid OOB access in 53C9X emulation     (bsc#980711)

  - CVE-2016-4441: Avoid OOB access in 53C9X emulation     (bsc#980723)

  - CVE-2016-4952: Avoid OOB access in Vmware PV SCSI     emulation (bsc#981266)

  - CVE-2015-8817: Avoid OOB access in PCI dma I/O     (bsc#969121)

  - CVE-2015-8818: Avoid OOB access in PCI dma I/O     (bsc#969122)

  - CVE-2016-3710: Fixed VGA emulation based OOB access with     potential for guest escape (bsc#978158)

  - CVE-2016-3712: Fixed VGa emulation based DOS and OOB     read access exploit (bsc#978160)

  - CVE-2016-4037: Fixed USB ehci based DOS (bsc#976109)

  - CVE-2016-2538: Fixed potential OOB access in USB net     device emulation (bsc#967969)

  - CVE-2016-2841: Fixed OOB access / hang in ne2000     emulation (bsc#969350)

  - CVE-2016-2858: Avoid potential DOS when using QEMU     pseudo random number generator (bsc#970036)

  - CVE-2016-2857: Fixed OOB access when processing IP     checksums (bsc#970037)

  - CVE-2016-4001: Fixed OOB access in Stellaris enet     emulated nic (bsc#975128)

  - CVE-2016-4002: Fixed OOB access in MIPSnet emulated     controller (bsc#975136)

  - CVE-2016-4020: Fixed possible host data leakage to guest     from TPR access (bsc#975700)

  - CVE-2016-2197: Prevent AHCI NULL pointer dereference     when using FIS CLB engine (bsc#964411)

  - CVE-2015-5745: Buffer overflow in virtio-serial     (bsc#940929).

  - CVE-2015-7549: PCI NULL pointer dereferences     (bsc#958917).

  - CVE-2015-8504: VNC floating point exception     (bsc#958491).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulting in DoS (bsc#959005).

  - CVE-2015-8567: A guest repeatedly activating a vmxnet3     device can leak host memory (bsc#959386).

  - CVE-2015-8568: A guest repeatedly activating a vmxnet3     device can leak host memory (bsc#959386).

  - CVE-2015-8613: Wrong sized memset in megasas command     handler (bsc#961358).

  - CVE-2015-8619: Potential DoS for long HMP sendkey     command argument (bsc#960334).

  - CVE-2015-8743: OOB memory access in ne2000 ioport r/w     functions (bsc#960725).

  - CVE-2015-8744: Incorrect l2 header validation could have     lead to a crash via assert(2) call (bsc#960835).

  - CVE-2015-8745: Reading IMR registers could have lead to     a crash via assert(2) call (bsc#960708).

  - CVE-2016-1568: AHCI use-after-free in aio port commands     (bsc#961332).

  - CVE-2016-1714: Potential OOB memory access in processing     firmware configuration (bsc#961691).

  - CVE-2016-1922: NULL pointer dereference when processing     hmp i/o command (bsc#962320).

  - CVE-2016-1981: Potential DoS (infinite loop) in e1000     device emulation by malicious privileged user within     guest (bsc#963782).

  - CVE-2016-2198: Malicious privileged guest user were able     to cause DoS by writing to read-only EHCI capabilities     registers (bsc#964413).

This non-security issue was fixed

  - bsc#886378: qemu truncates vhd images in virt-rescue

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- CVE-2016-3710: incorrect bounds checking in vga (bz     #1334345)

  - CVE-2016-3712: out of bounds read in vga (bz #1334342)

  - Fix USB redirection (bz #1330221)

  - CVE-2016-4037: infinite loop in usb ehci (bz #1328080)

  - CVE-2016-4001: buffer overflow in stellaris net (bz     #1325885)

  - CVE-2016-2858: rng stack corruption (bz #1314677)

  - CVE-2016-2391: ohci: crash via multiple timers (bz     #1308881)

  - CVE-2016-2198: ehci: NULL pointer dereference (bz     #1303134)

  - Fix tpm passthrough (bz #1281413)

  - Fix ./configure with ccache

  - Ship sysctl file to fix s390x kvm (bz #1290589)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- CVE-2016-3710: incorrect bounds checking in vga (bz     #1334345)

  - CVE-2016-3712: out of bounds read in vga (bz #1334342)

  - Fix USB redirection (bz #1330221)

  - CVE-2016-4037: infinite loop in usb ehci (bz #1328080)

  - CVE-2016-4001: buffer overflow in stellaris net (bz     #1325885)

  - CVE-2016-2858: rng stack corruption (bz #1314677)

  - CVE-2016-2391: ohci: crash via multiple timers (bz     #1308881)

  - CVE-2016-2198: ehci: NULL pointer dereference (bz     #1303134)

  - Fix ./configure with ccache

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

fix for CVE-2016-2858 doesn't build with qemu-xen enabled Unsanitised guest input in libxl device handling code [XSA-175, CVE-2016-4962] (#1342132) Unsanitised driver domain input in libxl device handling [XSA-178, CVE-2016-4963] (#1342131) arm: Host crash caused by VMID exhaust [XSA-181] (#1342530) Qemu: display: vmsvga: out-of-bounds read in vmsvga_fifo_read_raw() routine [CVE-2016-4454] (#1340741) Qemu:
display: vmsvga: infinite loop in vmsvga_fifo_run() routine [CVE-2016-4453] (#1340746) Qemu: scsi: esp: OOB write when using non-DMA mode in get_cmd [CVE-2016-5238] (#1341931)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Qemu: scsi: esp: OOB r/w access while processing ESP_FIFO [CVE-2016-5338] (#1343323) Qemu: scsi: megasas: information leakage in megasas_ctrl_get_info [CVE-2016-5337] (#1343909)

----

fix for CVE-2016-2858 doesn't build with qemu-xen enabled Unsanitised guest input in libxl device handling code [XSA-175, CVE-2016-4962] (#1342132) Unsanitised driver domain input in libxl device handling [XSA-178, CVE-2016-4963] (#1342131) arm: Host crash caused by VMID exhaust [XSA-181] (#1342530) Qemu: display: vmsvga: out-of-bounds read in vmsvga_fifo_read_raw() routine [CVE-2016-4454] (#1340741) Qemu:
display: vmsvga: infinite loop in vmsvga_fifo_run() routine [CVE-2016-4453] (#1340746) Qemu: scsi: esp: OOB write when using non-DMA mode in get_cmd [CVE-2016-5238] (#1341931)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

qemu was updated to fix 29 security issues.

These security issues were fixed :

  - CVE-2016-4439: Avoid OOB access in 53C9X emulation     (bsc#980711)

  - CVE-2016-4441: Avoid OOB access in 53C9X emulation     (bsc#980723)

  - CVE-2016-4952: Avoid OOB access in Vmware PV SCSI     emulation (bsc#981266)

  - CVE-2015-8817: Avoid OOB access in PCI dma I/O     (bsc#969121)

  - CVE-2015-8818: Avoid OOB access in PCI dma I/O     (bsc#969122)

  - CVE-2016-3710: Fixed VGA emulation based OOB access with     potential for guest escape (bsc#978158)

  - CVE-2016-3712: Fixed VGa emulation based DOS and OOB     read access exploit (bsc#978160)

  - CVE-2016-4037: Fixed USB ehci based DOS (bsc#976109)

  - CVE-2016-2538: Fixed potential OOB access in USB net     device emulation (bsc#967969)

  - CVE-2016-2841: Fixed OOB access / hang in ne2000     emulation (bsc#969350)

  - CVE-2016-2858: Avoid potential DOS when using QEMU     pseudo random number generator (bsc#970036)

  - CVE-2016-2857: Fixed OOB access when processing IP     checksums (bsc#970037)

  - CVE-2016-4001: Fixed OOB access in Stellaris enet     emulated nic (bsc#975128)

  - CVE-2016-4002: Fixed OOB access in MIPSnet emulated     controller (bsc#975136)

  - CVE-2016-4020: Fixed possible host data leakage to guest     from TPR access (bsc#975700)

  - CVE-2016-2197: Prevent AHCI NULL pointer dereference     when using FIS CLB engine (bsc#964411)

  - CVE-2015-5745: Buffer overflow in virtio-serial     (bsc#940929).

  - CVE-2015-7549: PCI NULL pointer dereferences     (bsc#958917).

  - CVE-2015-8504: VNC floating point exception     (bsc#958491).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulting in DoS (bsc#959005).

  - CVE-2015-8567: A guest repeatedly activating a vmxnet3     device can leak host memory (bsc#959386).

  - CVE-2015-8568: A guest repeatedly activating a vmxnet3     device can leak host memory (bsc#959386).

  - CVE-2015-8613: Wrong sized memset in megasas command     handler (bsc#961358).

  - CVE-2015-8619: Potential DoS for long HMP sendkey     command argument (bsc#960334).

  - CVE-2015-8743: OOB memory access in ne2000 ioport r/w     functions (bsc#960725).

  - CVE-2015-8744: Incorrect l2 header validation could have     lead to a crash via assert(2) call (bsc#960835).

  - CVE-2015-8745: Reading IMR registers could have lead to     a crash via assert(2) call (bsc#960708).

  - CVE-2016-1568: AHCI use-after-free in aio port commands     (bsc#961332).

  - CVE-2016-1714: Potential OOB memory access in processing     firmware configuration (bsc#961691).

  - CVE-2016-1922: NULL pointer dereference when processing     hmp i/o command (bsc#962320).

  - CVE-2016-1981: Potential DoS (infinite loop) in e1000     device emulation by malicious privileged user within     guest (bsc#963782).

  - CVE-2016-2198: Malicious privileged guest user were able     to cause DoS by writing to read-only EHCI capabilities     registers (bsc#964413).

This non-security issue was fixed

  - bsc#886378: qemu truncates vhd images in virt-rescue

This update was imported from the SUSE:SLE-12-SP1:Update update project.

qemu was updated to fix 37 security issues.

These security issues were fixed :

  - CVE-2016-4439: Avoid OOB access in 53C9X emulation     (bsc#980711)

  - CVE-2016-4441: Avoid OOB access in 53C9X emulation     (bsc#980723)

  - CVE-2016-4952: Avoid OOB access in Vmware PV SCSI     emulation (bsc#981266)

  - CVE-2015-8817: Avoid OOB access in PCI DMA I/O     (bsc#969121)

  - CVE-2015-8818: Avoid OOB access in PCI DMA I/O     (bsc#969122)

  - CVE-2016-3710: Fixed VGA emulation based OOB access with     potential for guest escape (bsc#978158)

  - CVE-2016-3712: Fixed VGa emulation based DOS and OOB     read access exploit (bsc#978160)

  - CVE-2016-4037: Fixed USB ehci based DOS (bsc#976109)

  - CVE-2016-2538: Fixed potential OOB access in USB net     device emulation (bsc#967969)

  - CVE-2016-2841: Fixed OOB access / hang in ne2000     emulation (bsc#969350)

  - CVE-2016-2858: Avoid potential DOS when using QEMU     pseudo random number generator (bsc#970036)

  - CVE-2016-2857: Fixed OOB access when processing IP     checksums (bsc#970037)

  - CVE-2016-4001: Fixed OOB access in Stellaris enet     emulated nic (bsc#975128)

  - CVE-2016-4002: Fixed OOB access in MIPSnet emulated     controller (bsc#975136)

  - CVE-2016-4020: Fixed possible host data leakage to guest     from TPR access (bsc#975700)

  - CVE-2015-3214: Fixed OOB read in i8254 PIC (bsc#934069)

  - CVE-2014-9718: Fixed the handling of malformed or short     ide PRDTs to avoid any opportunity for guest to cause     DoS by abusing that interface (bsc#928393)

  - CVE-2014-3689: Fixed insufficient parameter validation     in rectangle functions (bsc#901508)

  - CVE-2014-3615: The VGA emulator in QEMU allowed local     guest users to read host memory by setting the display     to a high resolution (bsc#895528).

  - CVE-2015-5239: Integer overflow in vnc_client_read() and     protocol_client_msg() (bsc#944463).

  - CVE-2015-5745: Buffer overflow in virtio-serial     (bsc#940929).

  - CVE-2015-7295: hw/virtio/virtio.c in the Virtual Network     Device (virtio-net) support in QEMU, when big or     mergeable receive buffers are not supported, allowed     remote attackers to cause a denial of service (guest     network consumption) via a flood of jumbo frames on the     (1) tuntap or (2) macvtap interface (bsc#947159).

  - CVE-2015-7549: PCI NULL pointer dereferences     (bsc#958917).

  - CVE-2015-8504: VNC floating point exception     (bsc#958491).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulting in DoS (bsc#959005).

  - CVE-2015-8567: A guest repeatedly activating a vmxnet3     device can leak host memory (bsc#959386).

  - CVE-2015-8568: A guest repeatedly activating a vmxnet3     device can leak host memory (bsc#959386).

  - CVE-2015-8613: Wrong sized memset in megasas command     handler (bsc#961358).

  - CVE-2015-8619: Potential DoS for long HMP sendkey     command argument (bsc#960334).

  - CVE-2015-8743: OOB memory access in ne2000 ioport r/w     functions (bsc#960725).

  - CVE-2015-8744: Incorrect l2 header validation could have     lead to a crash via assert(2) call (bsc#960835).

  - CVE-2015-8745: Reading IMR registers could have lead to     a crash via assert(2) call (bsc#960708).

  - CVE-2016-1568: AHCI use-after-free in aio port commands     (bsc#961332).

  - CVE-2016-1714: Potential OOB memory access in processing     firmware configuration (bsc#961691).

  - CVE-2016-1922: NULL pointer dereference when processing     hmp i/o command (bsc#962320).

  - CVE-2016-1981: Potential DoS (infinite loop) in e1000     device emulation by malicious privileged user within     guest (bsc#963782).

  - CVE-2016-2198: Malicious privileged guest user were able     to cause DoS by writing to read-only EHCI capabilities     registers (bsc#964413).

This non-security issue was fixed

  - bsc#886378: qemu truncates vhd images in virt-rescue

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Zuozhi Fzz discovered that QEMU incorrectly handled USB OHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2016-2391)

Qinghao Tang discovered that QEMU incorrectly handled USB Net emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2016-2392)

Qinghao Tang discovered that QEMU incorrectly handled USB Net emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly leak host memory bytes. (CVE-2016-2538)

Hongke Yang discovered that QEMU incorrectly handled NE2000 emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2016-2841)

Ling Liu discovered that QEMU incorrectly handled IP checksum routines. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly leak host memory bytes. (CVE-2016-2857)

It was discovered that QEMU incorrectly handled the PRNG back-end support. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS.
(CVE-2016-2858)

Wei Xiao and Qinghao Tang discovered that QEMU incorrectly handled access in the VGA module. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2016-3710)

Zuozhi Fzz discovered that QEMU incorrectly handled access in the VGA module. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2016-3712)

Oleksandr Bazhaniuk discovered that QEMU incorrectly handled Luminary Micro Stellaris ethernet controller emulation. A remote attacker could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-4001)

Oleksandr Bazhaniuk discovered that QEMU incorrectly handled MIPSnet controller emulation. A remote attacker could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-4002)

Donghai Zdh discovered that QEMU incorrectly handled the Task Priority Register(TPR). A privileged attacker inside the guest could use this issue to possibly leak host memory bytes. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS. (CVE-2016-4020)

Du Shaobo discovered that QEMU incorrectly handled USB EHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service.
(CVE-2016-4037).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201604-01 (QEMU: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in QEMU. Please review the       CVE identifiers referenced below for details.
  Impact :

    Local users within a guest QEMU environment can execute arbitrary code       within the host or a cause a Denial of Service condition of the QEMU       guest process.
  Workaround :

    There is no known workaround at this time.

Qemu: nvram: OOB r/w access in processing firmware configurations CVE-2016-1714 (#1296080) Qemu: i386: NULL pointer dereference in vapic_write() CVE-2016-1922 (#1292767) qemu: Stack-based buffer overflow in megasas_ctrl_get_info CVE-2015-8613 (#1293305) qemu-kvm:
Infinite loop and out-of-bounds transfer start in start_xmit() and e1000_receive_iov() CVE-2016-1981 (#1299996) Qemu: usb ehci out-of-bounds read in ehci_process_itd (#1300235) Qemu: usb: ehci NULL pointer dereference in ehci_caps_write CVE-2016-2198 (#1303135) Qemu:
net: ne2000: infinite loop in ne2000_receive CVE-2016-2841 (#1304048) Qemu: usb: integer overflow in remote NDIS control message handling CVE-2016-2538 (#1305816) Qemu: usb: NULL pointer dereference in remote NDIS control message handling CVE-2016-2392 (#1307116) Qemu: usb:
multiple eof_timers in ohci module leads to NULL pointer dereference CVE-2016-2391 (#1308882) Qemu: net: out of bounds read in net_checksum_calculate() CVE-2016-2857 (#1309565) Qemu: OOB access in address_space_rw leads to segmentation fault CVE-2015-8817 CVE-2015-8818 (#1313273) Qemu: rng-random: arbitrary stack based allocation leading to corruption CVE-2016-2858 (#1314678)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Qemu: nvram: OOB r/w access in processing firmware configurations CVE-2016-1714 (#1296080)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
135559	EulerOS 2.0 SP3 : qemu-kvm (EulerOS-SA-2020-1430)	Nessus	Huawei Local Security Checks	critical
131585	EulerOS 2.0 SP2 : qemu-kvm (EulerOS-SA-2019-2431)	Nessus	Huawei Local Security Checks	critical
119310	Debian DLA-1599-1 : qemu security update	Nessus	Debian Local Security Checks	critical
93180	SUSE SLES11 Security Update : kvm (SUSE-SU-2016:1785-1)	Nessus	SuSE Local Security Checks	critical
93170	SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2016:1703-1)	Nessus	SuSE Local Security Checks	high
93169	SUSE SLES11 Security Update : kvm (SUSE-SU-2016:1698-1)	Nessus	SuSE Local Security Checks	critical
92201	Fedora 23 : 2:qemu (2016-f2b1f07256)	Nessus	Fedora Local Security Checks	high
92135	Fedora 22 : 2:qemu (2016-a3298e39f7)	Nessus	Fedora Local Security Checks	high
92081	Fedora 24 : xen (2016-389be30b95)	Nessus	Fedora Local Security Checks	medium
92059	Fedora 23 : xen (2016-103752d2a9)	Nessus	Fedora Local Security Checks	medium
91980	openSUSE Security Update : qemu (openSUSE-2016-839)	Nessus	SuSE Local Security Checks	high
91660	SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2016:1560-1)	Nessus	SuSE Local Security Checks	high
91122	Ubuntu 12.04 LTS / 14.04 LTS / 15.10 / 16.04 LTS : qemu, qemu-kvm vulnerabilities (USN-2974-1)	Nessus	Ubuntu Local Security Checks	high
90339	GLSA-201604-01 : QEMU: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
90045	Fedora 23 : xen-4.5.2-9.fc23 (2016-f4504e9445)	Nessus	Fedora Local Security Checks	medium
90036	Fedora 22 : xen-4.5.2-9.fc22 (2016-38b20aa50f)	Nessus	Fedora Local Security Checks	medium

CVE-2016-2858

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins