[SECURITY] [DLA 2753-1] qemu security update

Posted to lists.debian.org on September 2, 2021, 18:40.
CVSS3: 3.8 Low, vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
(Attack Vector: Local; Attack Complexity: Low; Privileges Required: Low; User Interaction: None; Scope: Changed; Confidentiality Impact: Low; Integrity Impact: None; Availability Impact: None)

CVSS2: 2.1 Low, vector AV:L/AC:L/Au:N/C:P/I:N/A:N
(Access Vector: Local; Access Complexity: Low; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: None; Availability Impact: None)

EPSS: 0.0005 Low, percentile 14.8%


Debian LTS Advisory DLA-2753-1
Contact: [email protected]
https://www.debian.org/lts/security/
Author: Markus Koschany
Date: September 02, 2021
https://wiki.debian.org/LTS

Package : qemu
Version : 1:2.8+dfsg-6+deb9u15
CVE ID : CVE-2021-3527 CVE-2021-3592 CVE-2021-3594 CVE-2021-3595
CVE-2021-3682 CVE-2021-3713
Debian Bug : 988157 989993 989995 989996 991911 992727

Several security vulnerabilities have been found in Qemu, a fast processor
emulator.

CVE-2021-3713

An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device
emulation of QEMU. The device uses the guest supplied stream number
unchecked, which can lead to out-of-bounds access to the UASDevice->data3
and UASDevice->status3 fields. A malicious guest user could use this flaw
to crash QEMU or potentially achieve code execution with the privileges of
the QEMU process on the host.

CVE-2021-3682

A flaw was found in the USB redirector device emulation of QEMU. It occurs
when dropping packets during a bulk transfer from a SPICE client due to the
packet queue being full. A malicious SPICE client could use this flaw to
make QEMU call free() with faked heap chunk metadata, resulting in a crash
of QEMU or potential code execution with the privileges of the QEMU process
on the host.

CVE-2021-3527

A flaw was found in the USB redirector device (usb-redir) of QEMU. Small
USB packets are combined into a single, large transfer request to reduce
overhead and improve performance. The combined size of the bulk transfer is
used to dynamically allocate a variable length array (VLA) on the stack
without proper validation. Since the total size is not bounded, a malicious
guest could use this flaw to influence the array length and cause the QEMU
process to perform an excessive allocation on the stack, resulting in a
denial of service.

CVE-2021-3594

An invalid pointer initialization issue was found in the SLiRP networking
implementation of QEMU. The flaw exists in the udp_input() function and
could occur while processing a UDP packet that is smaller than the size of
the 'udphdr' structure. This issue may lead to out-of-bounds read access or
indirect host memory disclosure to the guest. The highest threat from this
vulnerability is to data confidentiality.

CVE-2021-3592

An invalid pointer initialization issue was found in the SLiRP networking
implementation of QEMU. The flaw exists in the bootp_input() function and
could occur while processing a UDP packet that is smaller than the size of
the 'bootp_t' structure. A malicious guest could use this flaw to leak 10
bytes of uninitialized heap memory from the host. The highest threat from
this vulnerability is to data confidentiality.

CVE-2021-3595

An invalid pointer initialization issue was found in the SLiRP networking
implementation of QEMU. The flaw exists in the tftp_input() function and
could occur while processing a UDP packet that is smaller than the size of
the 'tftp_t' structure. This issue may lead to out-of-bounds read access or
indirect host memory disclosure to the guest. The highest threat from this
vulnerability is to data confidentiality.

For Debian 9 stretch, these problems have been fixed in version
1:2.8+dfsg-6+deb9u15.

We recommend that you upgrade your qemu packages. Note that exposure
depends on how each VM is configured: the UAS and usb-redir issues require
the corresponding emulated USB device (and CVE-2021-3682 is triggered by a
SPICE client rather than by the guest), while the three SLiRP issues
require user-mode networking.
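To confirm that a stretch host has actually picked up the fixed version, installed package versions must be compared with Debian's version ordering rather than as plain strings (as a string, deb9u9 sorts after deb9u15). The following script is an added example, not part of the advisory or of Debian's own tooling: it reimplements the comparison algorithm from Debian Policy section 5.6.12 (the same ordering dpkg --compare-versions applies) so it runs without dpkg, and checks a constructed sample of dpkg-query output against the advisory's fixed version. SAMPLE_DPKG_QUERY and the function names are assumptions made for illustration.

```python
"""Check installed qemu packages against the fixed version from DLA-2753-1.

Added example (not the advisory's or Debian's code). Reimplements Debian
version ordering (Policy 5.6.12) so it runs without dpkg; feed it the real
output of `dpkg-query -W -f='${Package} ${Version}\n'` on an actual host.
"""

FIXED_VERSION = "1:2.8+dfsg-6+deb9u15"  # taken from the advisory text


def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"


def _order(c: str) -> int:
    """Weight of one character inside a non-digit run (dpkg's order())."""
    if _isdigit(c):
        return 0
    if c.isascii() and c.isalpha():
        return ord(c)
    if c == "~":
        return -1           # '~' sorts before everything, even end of string
    return ord(c) + 256     # other punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or debian-revision strings."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit runs are compared character by character; end of string
        # counts as 0, which is why 'rc1' < '' but '~rc1' < ''.
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit runs are compared numerically, ignoring leading zeros.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and _isdigit(a[i]) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1        # a has more digits, so it is the larger number
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def deb_version_compare(v1: str, v2: str) -> int:
    """Return <0, 0 or >0 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    c = _verrevcmp(u1, u2)
    if c:
        return c
    return _verrevcmp(r1, r2)


def vulnerable_packages(dpkg_query_output: str, fixed: str = FIXED_VERSION):
    """Return (package, version) pairs for qemu packages older than `fixed`."""
    stale = []
    for line in dpkg_query_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        name, version = parts
        if not name.startswith("qemu"):
            continue
        if deb_version_compare(version, fixed) < 0:
            stale.append((name, version))
    return stale


# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output
# for a partially updated stretch host; not data from any real system.
SAMPLE_DPKG_QUERY = """\
qemu-system-x86 1:2.8+dfsg-6+deb9u14
qemu-system-arm 1:2.8+dfsg-6+deb9u9
qemu-utils 1:2.8+dfsg-6+deb9u15
libvirt-daemon 3.0.0-4+deb9u5
"""

if __name__ == "__main__":
    for name, version in vulnerable_packages(SAMPLE_DPKG_QUERY):
        print(f"{name} {version} is older than {FIXED_VERSION}: still affected")
```

Filtering on package names that start with "qemu" is a simplification; on a real host the ${source:Package} field of dpkg-query is the reliable way to find every binary package built from the qemu source package. Where python3-apt is installed, apt_pkg.version_compare gives the same ordering without reimplementing it.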

For the detailed security status of qemu please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/qemu

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS