Debian DLA-1497-1 : qemu security update (Spectre)
High Nessus Plugin ID 117351
SynopsisThe remote Debian host is missing a security update.
DescriptionSeveral vulnerabilities were found in qemu, a fast processor emulator :
Heap-based buffer overflow in QEMU when built with the Q35-chipset-based PC system emulator
NULL pointer dereference in ehci_caps_write in the USB EHCI support that may result in denial of service
Use after free while writing in the vmxnet3 device that could be used to cause a denial of service
Buffer overflow in vmxnet_tx_pkt_parse_headers() in vmxnet3 device that could result in denial of service
Infinite loop vulnerability in xhci_ring_fetch in the USB xHCI support
CVE-2016-8667 / CVE-2016-8669
Divide by zero errors in set_next_tick in the JAZZ RC4030 chipset emulator, and in serial_update_parameters of some serial devices, that could result in denial of service
Improper link following with VirtFS
Heap buffer overflow via vnc connection in the Cirrus CLGD 54xx VGA emulator support
Infinite loop while receiving data in the ColdFire Fast Ethernet Controller emulator
Memory leakage in the USB redirector usb-guest support
Memory leakage in ehci_init_transfer in the USB EHCI support
CVE-2016-9914 / CVE-2016-9915 / CVE-2016-9916
Plan 9 File System (9pfs): add missing cleanup operation in FileOperations, in the handle backend and in the proxy backend driver
CVE-2016-9921 / CVE-2016-9922
Divide by zero in cirrus_do_copy in the Cirrus CLGD 54xx VGA Emulator support
Memory leak in hw/watchdog/wdt_i6300esb.c allowing local guest OS privileged users to cause a denial of service via a large number of device unplug operations.
CVE-2017-2615 / CVE-2017-2620 / CVE-2017-18030 / CVE-2018-5683 / CVE-2017-7718
Out-of-bounds access issues in the Cirrus CLGD 54xx VGA emulator support, that could result in denial of service
CVE-2017-5525 / CVE-2017-5526
Memory leakage issues in the ac97 and es1370 device emulation
Most memory leakage in the 16550A UART emulation
Out-of-bounds access during multi block SDMA transfer in the SDHCI emulation support.
Mitigations against the Spectre v2 vulnerability. For more information please refer to https://www.qemu.org/2018/01/04/spectre/
Memory leak in the MegaRAID SAS 8708EM2 Host Bus Adapter emulation support
CVE-2017-5973 / CVE-2017-5987 / CVE-2017-6505
Infinite loop issues in the USB xHCI, in the transfer mode register of the SDHCI protocol, and the USB ohci_service_ed_list
9pfs: host memory leakage via v9fs_create
Improper access control issues in the host directory sharing via 9pfs support.
Heap-based buffer overflow in the Cirrus VGA device that could allow local guest OS users to execute arbitrary code or cause a denial of service
9pfs: host memory leakage via v9pfs_list_xattr
Infinite loop in the VMWare PVSCSI emulation
CVE-2017-8309 / CVE-2017-8379
Host memory leakage issues via the audio capture buffer and the keyboard input event handlers
Infinite loop due to incorrect return value in USB OHCI that may result in denial of service
CVE-2017-9373 / CVE-2017-9374
Host memory leakage during hot unplug in IDE AHCI and USB emulated devices that could result in denial of service
NULL pointer dereference while processing megasas command
Stack buffer overflow in USB redirector
Xen disk may leak stack data via response ring
Out-of-bounds read while parsing Slirp/DHCP options
Out-of-bounds access while processing multiboot headers that could result in the execution of arbitrary code
9pfs: information disclosure when reading extended attributes
Out-of-bounds write access issue in the Cirrus graphic adaptor that could result in denial of service
Information leak in the PS/2 mouse and keyboard emulation support that could be exploited during instance migration
Integer overflow in the macro ROUND_UP (n, d) that could result in denial of service
Incorrect handling of memory during multiboot that could may result in execution of arbitrary code
For Debian 8 'Jessie', these problems have been fixed in version 1:2.1+dfsg-12+deb8u7.
We recommend that you upgrade your qemu packages.
NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
SolutionUpgrade the affected packages.