[3.6] qemu: Multiple vulnerabilities (CVE-2016-7994, CVE…. CVE-2017-5857, CVE-2017-5898, CVE-2017-5931, CVE-2017-2615, CVE-2017-2620)
CVE-2016-7994: Qemu virtio-gpu: memory leak in virtio_gpu_resource_create_2d
Reference:
http://openwall.com/lists/oss-security/2016/10/08/3
Patch:
http://git.qemu-project.org/?p=qemu.git;a=patch;h=cb3a0522b694cc5bb6424497b3f828ccd28fd1dd
CVE-2016-7995: Qemu: usb: hcd-ehci: memory leak in ehci_process_itd
Reference:
http://openwall.com/lists/oss-security/2016/10/08/4
Patch:
http://git.qemu-project.org/?p=qemu.git;a=patch;h=b16c129daf0fed91febbb88de23dae8271c8898a
CVE-2016-8576: Qemu: usb: xHCI: infinite loop vulnerability in xhci_ring_fetch
References:
http://openwall.com/lists/oss-security/2016/10/10/12
https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg01265.html
CVE-2016-8577: Qemu: 9pfs: host memory leakage in v9fs_read
Reference:
http://openwall.com/lists/oss-security/2016/10/10/13
Patch:
https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg07127.html
CVE-2016-8578: Qemu: 9pfs: potential NULL dereference in 9pfs routines
References:
http://openwall.com/lists/oss-security/2016/10/10/14
https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg07143.html
CVE-2016-8668: Qemu: net: OOB buffer access in rocker switch emulation
References:
http://openwall.com/lists/oss-security/2016/10/15/9
https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02501.html
CVE-2016-8909: Qemu: audio: intel-hda: infinite loop in processing dma buffer stream
References:
http://openwall.com/lists/oss-security/2016/10/24/4
https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg04717.html
CVE-2016-8910: Qemu: net: rtl8139: infinite loop while transmit in C+ mode
References:
http://openwall.com/lists/oss-security/2016/10/24/5
https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg05495.html
CVE-2016-9101: Qemu: net: eepro100 memory leakage at device unplug
References:
http://www.openwall.com/lists/oss-security/2016/10/27/14
https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg03024.html
CVE-2016-9102: Qemu: 9pfs: memory leakage when creating extended attribute
References:
http://openwall.com/lists/oss-security/2016/10/30/6
Patch:
http://git.qemu-project.org/?p=qemu.git;a=patch;h=ff55e94d23ae94c8628b0115320157c763eb3e06
CVE-2016-9103: Qemu: 9pfs: information leakage via xattribute
References:
http://openwall.com/lists/oss-security/2016/10/30/7
Patch:
http://git.qemu-project.org/?p=qemu.git;a=patch;h=eb687602853b4ae656e9236ee4222609f3a6887d
CVE-2016-9104: Qemu: 9pfs: integer overflow leading to OOB access
References:
http://openwall.com/lists/oss-security/2016/10/30/8
https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02942.html
CVE-2016-9105: Qemu: memory leakage in v9fs_link
References:
http://openwall.com/lists/oss-security/2016/10/30/9
Patch:
http://git.qemu-project.org/?p=qemu.git;a=patch;h=4c1586787ff43c9acd18a56c12d720e3e6be9f7c
CVE-2016-9106: Qemu: 9pfs: memory leakage in v9fs_write
References:
http://openwall.com/lists/oss-security/2016/10/30/10
Patch:
http://git.qemu-project.org/?p=qemu.git;a=patch;h=fdfcc9aeea1492f4b819a24c94dfb678145b1bf9
CVE-2017-5525: Qemu: audio: memory leakage in ac97 device
Reference:
http://openwall.com/lists/oss-security/2017/01/18/7
Patch:
http://git.qemu-project.org/?p=qemu.git;a=commit;h=12351a91da97b414eec8cdb09f1d9f41e535a401
CVE-2017-5552: Qemu: display: virtio-gpu-3d: memory leakage in virgl_resource_attach_backing
Reference:
http://www.openwall.com/lists/oss-security/2017/01/21/5
Patch:
http://git.qemu-project.org/?p=qemu.git;a=commit;h=33243031dad02d161225ba99d782616da133f689
CVE-2017-5578: Qemu: display: virtio-gpu: host memory leakage in virtio_gpu_resource_attach_backing
Reference:
http://seclists.org/oss-sec/2017/q1/185
Patch:
http://git.qemu.org/?p=qemu.git;a=commit;h=204f01b30975923c64006f8067f0937b91eea68b
CVE-2017-5579: Qemu: serial: host memory leakage in 16550A UART emulation
Reference:
http://openwall.com/lists/oss-security/2017/01/25/3
Patch:
http://git.qemu-project.org/?p=qemu.git;a=commit;h=8409dc884a201bf74b30a9d232b6bbdd00cb7e2b
CVE-2017-5667: Qemu: sd: sdhci OOB access during multi block SDMA transfer
References:
http://www.openwall.com/lists/oss-security/2017/01/30/2
https://lists.gnu.org/archive/html/qemu-devel/2017-01/msg06191.html
CVE-2017-5856: Qemu: scsi: megasas: host memory leakage in megasas_handle_dcmd
Reference:
http://www.openwall.com/lists/oss-security/2017/02/01/19
Patch:
http://git.qemu-project.org/?p=qemu.git;a=commit;h=765a707000e838c30b18d712fe6cb3dd8e0435f3
CVE-2017-5857: display: virtio-gpu-3d: host memory leakage in virgl_cmd_resource_unref
References:
http://www.openwall.com/lists/oss-security/2017/02/01/21
https://lists.nongnu.org/archive/html/qemu-devel/2017-01/msg04615.html
CVE-2017-5898: Qemu: usb: integer overflow in emulated_apdu_from_guest
Reference:
http://www.openwall.com/lists/oss-security/2017/02/07/3
Patch:
http://git.qemu-project.org/?p=qemu.git;a=commit;h=c7dfbf322595ded4e70b626bf83158a9f3807c6a
CVE-2017-5931: virtio: integer overflow in handling virtio-crypto requests
Reference:
http://seclists.org/oss-sec/2017/q1/337
Patch:
http://git.qemu-project.org/?p=qemu.git;a=commit;h=a08aaff811fb194950f79711d2afe5a892ae03a4
CVE-2017-2615: Qemu: display: cirrus: oob access while doing bitblt copy backward mode
References:
http://www.openwall.com/lists/oss-security/2017/02/01/6
Introduced with:
http://git.qemu.org/?p=qemu.git;a=commit;h=d3532a0db02296e687711b8cdc7791924efccea0
(which was the fix for CVE-2014-8106)
Fixed by:
http://git.qemu.org/?p=qemu.git;a=commit;h=62d4c6bd5263bb8413a06c80144fc678df6dfb64
CVE-2017-2620: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo
References:
http://www.openwall.com/lists/oss-security/2017/02/21/1
https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg04700.html
CVE-2017-6505: usb: an infinite loop issue in ohci_service_ed_list
References:
http://www.openwall.com/lists/oss-security/2017/03/06/6
Patch:
http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb
(from redmine: issue id 6921, created on 2017-02-24, closed on 2019-05-03)
- Relations:
- parent #6920
- Changesets:
- Revision 251f7b99 by Sergei Lukin on 2017-04-21T12:52:14Z:
main/qemu: security fixes #6921
CVE-2016-7994: Qemu virtio-gpu: memory leak in virtio_gpu_resource_create_2d
CVE-2016-7995: Qemu: usb: hcd-ehci: memory leak in ehci_process_itd
CVE-2016-8576: Qemu: usb: xHCI: infinite loop vulnerability in xhci_ring_fetch
CVE-2016-8577: Qemu: 9pfs: host memory leakage in v9fs_read
CVE-2016-8578: Qemu: 9pfs: potential NULL dereference in 9pfs routines
CVE-2016-8668: Qemu: net: OOB buffer access in rocker switch emulation
CVE-2016-8909: Qemu: audio: intel-hda: infinite loop in processing dma buffer stream
CVE-2016-8910: Qemu: net: rtl8139: infinite loop while transmit in C+ mode
CVE-2016-9101: Qemu: net: eepro100 memory leakage at device unplug
CVE-2016-9102: Qemu: 9pfs: memory leakage when creating extended attribute
CVE-2016-9103: Qemu: 9pfs: information leakage via xattribute
CVE-2016-9104: Qemu: 9pfs: integer overflow leading to OOB access
CVE-2016-9105: Qemu: memory leakage in v9fs_link
CVE-2016-9106: Qemu: 9pfs: memory leakage in v9fs_write
CVE-2017-5525: Qemu: audio: memory leakage in ac97 device
CVE-2017-5552: Qemu: display: virtio-gpu-3d: memory leakage in virgl_resource_attach_backing
CVE-2017-5578: Qemu: display: virtio-gpu: host memory leakage in virtio_gpu_resource_attach_backing
CVE-2017-5579: Qemu: serial: host memory leakage in 16550A UART emulation
CVE-2017-5667: Qemu: sd: sdhci OOB access during multi block SDMA transfer
CVE-2017-5856: Qemu: scsi: megasas: host memory leakage in megasas_handle_dcmd
CVE-2017-5857: display: virtio-gpu-3d: host memory leakage in virgl_cmd_resource_unref
CVE-2017-5898: Qemu: usb: integer overflow in emulated_apdu_from_guest
CVE-2017-5931: virtio: integer overflow in handling virtio-crypto requests
CVE-2017-2615: Qemu: display: cirrus: oob access while doing bitblt copy backward mode
CVE-2017-2620: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo
CVE-2017-6505: usb: an infinite loop issue in ohci_service_ed_list