DebianDEBIAN:DLA-1781-1:BE52E[SECURITY] [DLA 1781-1] qemu security update
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
2.1 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
0.0005 Low
EPSS
Percentile
15.7%
Package : qemu
Version : 1:2.1+dfsg-12+deb8u11
CVE ID : CVE-2018-11806 CVE-2018-18849 CVE-2018-20815 CVE-2019-9824
Debian Bug : 901017 912535
Several vulnerabilities were found in QEMU, a fast processor emulator:
CVE-2018-11806
It was found that the SLiRP networking implementation could use a wrong
size when reallocating its buffers, which can be exploited by a
priviledged user on a guest to cause denial of service or possibly
arbitrary code execution on the host system.
CVE-2018-18849
It was found that the LSI53C895A SCSI Host Bus Adapter emulation was
susceptible to an out of bounds memory access, which could be leveraged
by a malicious guest user to crash the QEMU process.
CVE-2018-20815
A heap buffer overflow was found in the load_device_tree function,
which could be used by a malicious user to potentially execute
arbitrary code with the priviledges of the QEMU process.
CVE-2019-9824
William Bowling discovered that the SLiRP networking implementation did
not handle some messages properly, which could be triggered to leak
memory via crafted messages.
For Debian 8 "Jessie", these problems have been fixed in version
1:2.1+dfsg-12+deb8u11.
We recommend that you upgrade your qemu packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Debian | 9 | arm64 | qemu-system-ppc-dbgsym | <Â 1:2.8+dfsg-6+deb9u6 | qemu-system-ppc-dbgsym_1:2.8+dfsg-6+deb9u6_arm64.deb |
| Debian | 9 | ppc64el | qemu-system-common | <Â 1:2.8+dfsg-6+deb9u6 | qemu-system-common_1:2.8+dfsg-6+deb9u6_ppc64el.deb |
| Debian | 9 | i386 | qemu-user | <Â 1:2.8+dfsg-6+deb9u6 | qemu-user_1:2.8+dfsg-6+deb9u6_i386.deb |
| Debian | 8 | armhf | qemu-system-arm | <Â 1:2.1+dfsg-12+deb8u11 | qemu-system-arm_1:2.1+dfsg-12+deb8u11_armhf.deb |
| Debian | 10 | amd64 | slirp4netns-dbgsym | <Â 0.2.3-1 | slirp4netns-dbgsym_0.2.3-1_amd64.deb |
| Debian | 8 | all | qemu | <Â 1:2.1+dfsg-12+deb8u11 | qemu_1:2.1+dfsg-12+deb8u11_all.deb |
| Debian | 9 | mipsel | qemu-guest-agent | <Â 1:2.8+dfsg-6+deb9u6 | qemu-guest-agent_1:2.8+dfsg-6+deb9u6_mipsel.deb |
| Debian | 8 | i386 | qemu | <Â 1:2.1+dfsg-12+deb8u11 | qemu_1:2.1+dfsg-12+deb8u11_i386.deb |
| Debian | 9 | arm64 | qemu-system | <Â 1:2.8+dfsg-6+deb9u6 | qemu-system_1:2.8+dfsg-6+deb9u6_arm64.deb |
| Debian | 9 | mipsel | qemu-user | <Â 1:2.8+dfsg-6+deb9u6 | qemu-user_1:2.8+dfsg-6+deb9u6_mipsel.deb |
Related
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
2.1 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
0.0005 Low
EPSS
Percentile
15.7%