Debian DLA-1497-1 : qemu security update (Spectre)

critical Nessus Plugin ID 117351


The remote Debian host is missing a security update.


Several vulnerabilities were found in qemu, a fast processor emulator :


Heap-based buffer overflow in QEMU when built with the Q35-chipset-based PC system emulator


NULL pointer dereference in ehci_caps_write in the USB EHCI support that may result in denial of service


Use after free while writing in the vmxnet3 device that could be used to cause a denial of service


Buffer overflow in vmxnet_tx_pkt_parse_headers() in vmxnet3 device that could result in denial of service


Infinite loop vulnerability in xhci_ring_fetch in the USB xHCI support

CVE-2016-8667 / CVE-2016-8669

Divide by zero errors in set_next_tick in the JAZZ RC4030 chipset emulator, and in serial_update_parameters of some serial devices, that could result in denial of service


Improper link following with VirtFS


Heap buffer overflow via vnc connection in the Cirrus CLGD 54xx VGA emulator support


Infinite loop while receiving data in the ColdFire Fast Ethernet Controller emulator


Memory leakage in the USB redirector usb-guest support


Memory leakage in ehci_init_transfer in the USB EHCI support

CVE-2016-9914 / CVE-2016-9915 / CVE-2016-9916

Plan 9 File System (9pfs): add missing cleanup operation in FileOperations, in the handle backend and in the proxy backend driver

CVE-2016-9921 / CVE-2016-9922

Divide by zero in cirrus_do_copy in the Cirrus CLGD 54xx VGA Emulator support


Memory leak in hw/watchdog/wdt_i6300esb.c allowing local guest OS privileged users to cause a denial of service via a large number of device unplug operations.

CVE-2017-2615 / CVE-2017-2620 / CVE-2017-18030 / CVE-2018-5683 / CVE-2017-7718

Out-of-bounds access issues in the Cirrus CLGD 54xx VGA emulator support, that could result in denial of service

CVE-2017-5525 / CVE-2017-5526

Memory leakage issues in the ac97 and es1370 device emulation


Most memory leakage in the 16550A UART emulation


Out-of-bounds access during multi block SDMA transfer in the SDHCI emulation support.


Mitigations against the Spectre v2 vulnerability. For more information please refer to


Memory leak in the MegaRAID SAS 8708EM2 Host Bus Adapter emulation support

CVE-2017-5973 / CVE-2017-5987 / CVE-2017-6505

Infinite loop issues in the USB xHCI, in the transfer mode register of the SDHCI protocol, and the USB ohci_service_ed_list


9pfs: host memory leakage via v9fs_create


Improper access control issues in the host directory sharing via 9pfs support.


Heap-based buffer overflow in the Cirrus VGA device that could allow local guest OS users to execute arbitrary code or cause a denial of service


9pfs: host memory leakage via v9pfs_list_xattr


Infinite loop in the VMWare PVSCSI emulation

CVE-2017-8309 / CVE-2017-8379

Host memory leakage issues via the audio capture buffer and the keyboard input event handlers


Infinite loop due to incorrect return value in USB OHCI that may result in denial of service

CVE-2017-9373 / CVE-2017-9374

Host memory leakage during hot unplug in IDE AHCI and USB emulated devices that could result in denial of service


NULL pointer dereference while processing megasas command


Stack buffer overflow in USB redirector


Xen disk may leak stack data via response ring


Out-of-bounds read while parsing Slirp/DHCP options


Out-of-bounds access while processing multiboot headers that could result in the execution of arbitrary code


9pfs: information disclosure when reading extended attributes


Out-of-bounds write access issue in the Cirrus graphic adaptor that could result in denial of service


Information leak in the PS/2 mouse and keyboard emulation support that could be exploited during instance migration


Integer overflow in the macro ROUND_UP (n, d) that could result in denial of service


Incorrect handling of memory during multiboot that could may result in execution of arbitrary code

For Debian 8 'Jessie', these problems have been fixed in version 1:2.1+dfsg-12+deb8u7.

We recommend that you upgrade your qemu packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.


Upgrade the affected packages.

See Also

Plugin Details

Severity: Critical

ID: 117351

File Name: debian_DLA-1497.nasl

Version: 1.8

Type: local

Agent: unix

Published: 9/7/2018

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information


Risk Factor: High

Score: 7.6


Risk Factor: High

Base Score: 9

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C


Risk Factor: Critical

Base Score: 10

Temporal Score: 9.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:qemu, p-cpe:/a:debian:debian_linux:qemu-guest-agent, p-cpe:/a:debian:debian_linux:qemu-kvm, p-cpe:/a:debian:debian_linux:qemu-system, p-cpe:/a:debian:debian_linux:qemu-system-arm, p-cpe:/a:debian:debian_linux:qemu-system-common, p-cpe:/a:debian:debian_linux:qemu-system-mips, p-cpe:/a:debian:debian_linux:qemu-system-misc, p-cpe:/a:debian:debian_linux:qemu-system-ppc, p-cpe:/a:debian:debian_linux:qemu-system-sparc, p-cpe:/a:debian:debian_linux:qemu-system-x86, p-cpe:/a:debian:debian_linux:qemu-user, p-cpe:/a:debian:debian_linux:qemu-user-binfmt, p-cpe:/a:debian:debian_linux:qemu-user-static, p-cpe:/a:debian:debian_linux:qemu-utils, cpe:/o:debian:debian_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/6/2018

Vulnerability Publication Date: 11/4/2016

Reference Information

CVE: CVE-2015-8666, CVE-2016-10155, CVE-2016-2198, CVE-2016-6833, CVE-2016-6835, CVE-2016-8576, CVE-2016-8667, CVE-2016-8669, CVE-2016-9602, CVE-2016-9603, CVE-2016-9776, CVE-2016-9907, CVE-2016-9911, CVE-2016-9914, CVE-2016-9915, CVE-2016-9916, CVE-2016-9921, CVE-2016-9922, CVE-2017-10806, CVE-2017-10911, CVE-2017-11434, CVE-2017-14167, CVE-2017-15038, CVE-2017-15289, CVE-2017-16845, CVE-2017-18030, CVE-2017-18043, CVE-2017-2615, CVE-2017-2620, CVE-2017-5525, CVE-2017-5526, CVE-2017-5579, CVE-2017-5667, CVE-2017-5715, CVE-2017-5856, CVE-2017-5973, CVE-2017-5987, CVE-2017-6505, CVE-2017-7377, CVE-2017-7493, CVE-2017-7718, CVE-2017-7980, CVE-2017-8086, CVE-2017-8112, CVE-2017-8309, CVE-2017-8379, CVE-2017-9330, CVE-2017-9373, CVE-2017-9374, CVE-2017-9503, CVE-2018-5683, CVE-2018-7550