FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-27 18:04:16 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
bbc97005-b14e-11e5-9728-002590263bf5qemu -- denial of service vulnerability in IDE disk/CD/DVD-ROM emulation

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the IDE disk and CD/DVD-ROM emulation support is vulnerable to a divide by zero issue. It could occur while executing an IDE command WIN_READ_NATIVE_MAX to determine the maximum size of a drive.

A privileged user inside guest could use this flaw to crash the Qemu instance resulting in DoS.


Discovery 2015-09-09
Entry 2016-01-02
qemu
qemu-devel
< 2.4.1

qemu-sbruno
qemu-user-static
< 2.5.50.g20151224

CVE-2015-6855
http://www.openwall.com/lists/oss-security/2015/09/10/1
http://git.qemu.org/?p=qemu.git;a=commit;h=63d761388d6fea994ca498c6e7a210851a99ad93
https://github.com/seanbruno/qemu-bsd-user/commit/d9033e1d3aa666c5071580617a57bd853c5d794a
a228c7a0-ba66-11e6-b1cf-14dae9d210b8qemu -- denial of service vulnerability

Daniel P. Berrange reports:

The VNC server websockets decoder will read and buffer data from websockets clients until it sees the end of the HTTP headers, as indicated by \r\n\r\n. In theory this allows a malicious to trick QEMU into consuming an arbitrary amount of RAM.


Discovery 2015-03-23
Entry 2016-12-04
Modified 2016-12-06
qemu
qemu-devel
qemu-sbruno
< 2.3.0

https://lists.gnu.org/archive/html/qemu-devel/2015-03/msg04895.html
CVE-2015-1779
ports/206725
9ad8993e-b1ba-11e5-9728-002590263bf5qemu -- denial of service vulnerability in VMWARE VMXNET3 NIC support

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with a VMWARE VMXNET3 paravirtual NIC emulator support is vulnerable to a memory leakage flaw. It occurs when a guest repeatedly tries to activate the vmxnet3 device.

A privileged guest user could use this flaw to leak host memory, resulting in DoS on the host.


Discovery 2015-12-15
Entry 2016-01-03
Modified 2016-07-06
qemu
qemu-devel
< 2.5.0

qemu-sbruno
qemu-user-static
< 2.5.50.g20160213

CVE-2015-8567
CVE-2015-8568
ports/205813
ports/205814
http://www.openwall.com/lists/oss-security/2015/12/15/4
https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02299.html
http://git.qemu.org/?p=qemu.git;a=commit;h=aa4a3dce1c88ed51b616806b8214b7c8428b7470
https://github.com/seanbruno/qemu-bsd-user/commit/aa4a3dce1c88ed51b616806b8214b7c8428b7470
acd5d037-1c33-11e5-be9c-6805ca1d3bb1qemu -- Heap overflow in QEMU PCNET controller, allowing guest to host escape (CVE-2015-3209)

The QEMU security team reports:

A guest which has access to an emulated PCNET network device (e.g. with "model=pcnet" in their VIF configuration) can exploit this vulnerability to take over the qemu process elevating its privilege to that of the qemu process.


Discovery 2015-04-10
Entry 2015-06-26
Modified 2015-07-11
qemu
qemu-devel
< 0.11.1_20

ge 0.12 lt 2.3.0_2

qemu-sbruno
< 2.3.50.g20150618_1

xen-tools
< 4.5.0_6

http://xenbits.xen.org/xsa/advisory-135.html
CVE-2015-3209
b56fe6bb-b1b1-11e5-9728-002590263bf5qemu -- denial of service vulnerabilities in eepro100 NIC support

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the i8255x (PRO100) emulation support is vulnerable to an infinite loop issue. It could occur while processing a chain of commands located in the Command Block List (CBL). Each Command Block(CB) points to the next command in the list. An infinite loop unfolds if the link to the next CB points to the same block or there is a closed loop in the chain.

A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw to crash the Qemu instance resulting in DoS.


Discovery 2015-10-16
Entry 2016-01-03
Modified 2016-07-06
qemu
qemu-devel
< 2.5.50

qemu-sbruno
qemu-user-static
< 2.5.50.g20160213

CVE-2015-8345
ports/205813
ports/205814
http://www.openwall.com/lists/oss-security/2015/11/25/3
https://lists.gnu.org/archive/html/qemu-devel/2015-10/msg03911.html
http://git.qemu.org/?p=qemu.git;a=commit;h=00837731d254908a841d69298a4f9f077babaf24
https://github.com/seanbruno/qemu-bsd-user/commit/00837731d254908a841d69298a4f9f077babaf24
60cb2055-b1b8-11e5-9728-002590263bf5qemu -- denial of service vulnerability in USB EHCI emulation support

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the USB EHCI emulation support is vulnerable to an infinite loop issue. It occurs during communication between host controller interface(EHCI) and a respective device driver. These two communicate via a isochronous transfer descriptor list(iTD) and an infinite loop unfolds if there is a closed loop in this list.

A privileges user inside guest could use this flaw to consume excessive CPU cycles & resources on the host.


Discovery 2015-12-14
Entry 2016-01-03
qemu
qemu-devel
< 2.5.0

qemu-sbruno
qemu-user-static
< 2.5.50.g20151224

CVE-2015-8558
ports/205814
http://www.openwall.com/lists/oss-security/2015/12/14/9
http://git.qemu.org/?p=qemu.git;a=commit;h=156a2e4dbffa85997636a7a39ef12da6f1b40254
https://github.com/seanbruno/qemu-bsd-user/commit/156a2e4dbffa85997636a7a39ef12da6f1b40254
2b3b4c27-b0c7-11e5-8d13-bc5ff45d0f28qemu -- buffer overflow vulnerability in VNC

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the VNC display driver support is vulnerable to a buffer overflow flaw leading to a heap memory corruption issue. It could occur while refreshing the server display surface via routine vnc_refresh_server_surface().

A privileged guest user could use this flaw to corrupt the heap memory and crash the Qemu process instance OR potentially use it to execute arbitrary code on the host.


Discovery 2015-08-17
Entry 2016-01-01
qemu
qemu-devel
< 2.4.0.1

qemu-sbruno
qemu-user-static
< 2.4.50.g20151011

CVE-2015-5225
http://www.openwall.com/lists/oss-security/2015/08/21/6
http://git.qemu.org/?p=qemu.git;a=commit;h=efec4dcd2552e85ed57f276b58f09fc385727450
https://github.com/seanbruno/qemu-bsd-user/commit/eb8934b0418b3b1d125edddc4fc334a54334a49b
8a560bcf-b14b-11e5-9728-002590263bf5qemu -- denial of service vulnerability in VNC

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the VNC display driver is vulnerable to an infinite loop issue. It could occur while processing a CLIENT_CUT_TEXT message with specially crafted payload message.

A privileged guest user could use this flaw to crash the Qemu process on the host, resulting in DoS.


Discovery 2014-06-30
Entry 2016-01-02
qemu
qemu-devel
< 2.1.0

qemu-sbruno
qemu-user-static
< 2.2.50.g20141230

CVE-2015-5239
http://www.openwall.com/lists/oss-security/2015/09/02/7
http://git.qemu.org/?p=qemu.git;a=commit;h=f9a70e79391f6d7c2a912d785239ee8effc1922d
https://github.com/seanbruno/qemu-bsd-user/commit/f9a70e79391f6d7c2a912d785239ee8effc1922d
a267cd6c-b0c4-11e5-8d13-bc5ff45d0f28qemu -- stack buffer overflow while parsing SCSI commands

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the SCSI device emulation support is vulnerable to a stack buffer overflow issue. It could occur while parsing SCSI command descriptor block with an invalid operation code.

A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw to crash the Qemu instance resulting in DoS.


Discovery 2015-07-23
Entry 2016-01-01
qemu
qemu-devel
< 2.4.0

qemu-sbruno
qemu-user-static
< 2.4.50.g20150814

CVE-2015-5158
http://openwall.com/lists/oss-security/2015/07/23/6
http://git.qemu.org/?p=qemu.git;a=commit;h=c170aad8b057223b1139d72e5ce7acceafab4fa9
https://github.com/seanbruno/qemu-bsd-user/commit/c170aad8b057223b1139d72e5ce7acceafab4fa9
f06f20dc-4347-11e5-93ad-002590263bf5qemu, xen-tools -- QEMU leak of uninitialized heap memory in rtl8139 device model

The Xen Project reports:

The QEMU model of the RTL8139 network card did not sufficiently validate inputs in the C+ mode offload emulation. This results in uninitialized memory from the QEMU process's heap being leaked to the domain as well as to the network.

A guest may be able to read sensitive host-level data relating to itself which resides in the QEMU process.

Such information may include things such as information relating to real devices backing emulated devices or passwords which the host administrator does not intend to share with the guest admin.


Discovery 2015-08-03
Entry 2015-08-17
Modified 2015-08-19
qemu
qemu-devel
le 0.11.1_20

ge 0.12 le 2.3.0_2

qemu-sbruno
qemu-user-static
< 2.4.50.g20150814

xen-tools
< 4.5.1

CVE-2015-5165
http://xenbits.xen.org/xsa/advisory-140.html
http://git.qemu.org/?p=qemu.git;a=commit;h=2a3612ccc1fa9cea77bd193afbfe21c77e7e91ef
2780e442-fc59-11e4-b18b-6805ca1d3bb1qemu, xen and VirtualBox OSE -- possible VM escape and code execution ("VENOM")

Jason Geffner, CrowdStrike Senior Security Researcher reports:

VENOM, CVE-2015-3456, is a security vulnerability in the virtual floppy drive code used by many computer virtualization platforms. This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host. Absent mitigation, this VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host's local network and adjacent systems.


Discovery 2015-04-29
Entry 2015-05-17
Modified 2015-09-28
qemu
qemu-devel
< 0.11.1_19

ge 0.12 lt 2.3.0_1

qemu-sbruno
< 2.3.50.g20150501_1

virtualbox-ose
< 4.3.28

xen-tools
ge 4.5.0 lt 4.5.0_5

CVE-2015-3456
ports/200255
ports/200256
ports/200257
http://venom.crowdstrike.com/
http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.html
http://xenbits.xen.org/xsa/advisory-133.html
1384f2fd-b1be-11e5-9728-002590263bf5qemu -- denial of service vulnerability in Rocker switch emulation

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the Rocker switch emulation support is vulnerable to an off-by-one error. It happens while processing transmit(tx) descriptors in 'tx_consume' routine, if a descriptor was to have more than allowed (ROCKER_TX_FRAGS_MAX=16) fragments.

A privileged user inside guest could use this flaw to cause memory leakage on the host or crash the Qemu process instance resulting in DoS issue.


Discovery 2015-12-28
Entry 2016-01-03
Modified 2016-07-06
qemu
qemu-devel
< 2.5.50

qemu-sbruno
qemu-user-static
< 2.5.50.g20160213

CVE-2015-8701
ports/205813
ports/205814
http://www.openwall.com/lists/oss-security/2015/12/28/6
https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg04629.html
http://git.qemu.org/?p=qemu.git;a=commit;h=007cd223de527b5f41278f2d886c1a4beb3e67aa
https://github.com/seanbruno/qemu-bsd-user/commit/007cd223de527b5f41278f2d886c1a4beb3e67aa
42cbd1e8-b152-11e5-9728-002590263bf5qemu -- denial of service vulnerability in virtio-net support

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the Virtual Network Device(virtio-net) support is vulnerable to a DoS issue. It could occur while receiving large packets over the tuntap/macvtap interfaces and when guest's virtio-net driver did not support big/mergeable receive buffers.

An attacker on the local network could use this flaw to disable guest's networking by sending a large number of jumbo frames to the guest, exhausting all receive buffers and thus leading to a DoS situation.


Discovery 2015-09-18
Entry 2016-01-02
qemu
qemu-devel
< 2.4.1

qemu-sbruno
qemu-user-static
< 2.5.50.g20151224

CVE-2015-7295
http://www.openwall.com/lists/oss-security/2015/09/18/5
http://git.qemu.org/?p=qemu.git;a=commit;h=696317f1895e836d53b670c7b77b7be93302ba08
https://github.com/seanbruno/qemu-bsd-user/commit/0cf33fb6b49a19de32859e2cdc6021334f448fb3
b3f9f8ef-b1bb-11e5-9728-002590263bf5qemu -- denial of service vulnerability in MegaRAID SAS HBA emulation

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the SCSI MegaRAID SAS HBA emulation support is vulnerable to a stack buffer overflow issue. It occurs while processing the SCSI controller's CTRL_GET_INFO command. A privileged guest user could use this flaw to crash the Qemu process instance resulting in DoS.


Discovery 2015-12-21
Entry 2016-01-03
Modified 2016-07-06
qemu
qemu-devel
< 2.5.0

qemu-sbruno
qemu-user-static
< 2.5.50.g20160213

CVE-2015-8613
ports/205813
ports/205814
http://www.openwall.com/lists/oss-security/2015/12/21/7
https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg03737.html
http://git.qemu.org/?p=qemu.git;a=commit;h=36fef36b91f7ec0435215860f1458b5342ce2811
https://github.com/seanbruno/qemu-bsd-user/commit/36fef36b91f7ec0435215860f1458b5342ce2811
3fb06284-b1b7-11e5-9728-002590263bf5qemu -- denial of service vulnerability in MSI-X support

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the PCI MSI-X support is vulnerable to null pointer dereference issue. It occurs when the controller attempts to write to the pending bit array(PBA) memory region. Because the MSI-X MMIO support did not define the .write method.

A privileges used inside guest could use this flaw to crash the Qemu process resulting in DoS issue.


Discovery 2015-06-26
Entry 2016-01-03
qemu
qemu-devel
< 2.5.0

qemu-sbruno
qemu-user-static
< 2.5.50.g20151224

CVE-2015-7549
http://www.openwall.com/lists/oss-security/2015/12/14/2
http://git.qemu.org/?p=qemu.git;a=commit;h=43b11a91dd861a946b231b89b7542856ade23d1b
https://github.com/seanbruno/qemu-bsd-user/commit/43b11a91dd861a946b231b89b7542856ade23d1b
405446f4-b1b3-11e5-9728-002590263bf5qemu and xen-tools -- denial of service vulnerabilities in AMD PC-Net II NIC support

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the AMD PC-Net II Ethernet Controller support is vulnerable to a heap buffer overflow flaw. While receiving packets in the loopback mode, it appends CRC code to the receive buffer. If the data size given is same as the receive buffer size, the appended CRC code overwrites 4 bytes beyond this 's->buffer' array.

A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw to crash the Qemu instance resulting in DoS or potentially execute arbitrary code with privileges of the Qemu process on the host.

The AMD PC-Net II emulator(hw/net/pcnet.c), while receiving packets from a remote host(non-loopback mode), fails to validate the received data size, thus resulting in a buffer overflow issue. It could potentially lead to arbitrary code execution on the host, with privileges of the Qemu process. It requires the guest NIC to have larger MTU limit.

A remote user could use this flaw to crash the guest instance resulting in DoS or potentially execute arbitrary code on a remote host with privileges of the Qemu process.


Discovery 2015-11-30
Entry 2016-01-03
Modified 2016-01-06
qemu
qemu-devel
< 2.5.0

qemu-sbruno
qemu-user-static
< 2.5.50.g20151224

xen-tools
< 4.5.2_1

CVE-2015-7504
CVE-2015-7512
http://www.openwall.com/lists/oss-security/2015/11/30/2
http://www.openwall.com/lists/oss-security/2015/11/30/3
http://git.qemu.org/?p=qemu.git;a=commit;h=837f21aacf5a714c23ddaadbbc5212f9b661e3f7
http://git.qemu.org/?p=qemu.git;a=commit;h=8b98a2f07175d46c3f7217639bd5e03f2ec56343
https://github.com/seanbruno/qemu-bsd-user/commit/837f21aacf5a714c23ddaadbbc5212f9b661e3f7
https://github.com/seanbruno/qemu-bsd-user/commit/8b98a2f07175d46c3f7217639bd5e03f2ec56343
http://xenbits.xen.org/xsa/advisory-162.html
21e5abe3-b0c6-11e5-8d13-bc5ff45d0f28qemu -- buffer overflow vulnerability in virtio-serial message exchanges

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the virtio-serial vmchannel support is vulnerable to a buffer overflow issue. It could occur while exchanging virtio control messages between guest and the host.

A malicious guest could use this flaw to corrupt few bytes of Qemu memory area, potentially crashing the Qemu process.


Discovery 2015-08-06
Entry 2016-01-01
qemu
qemu-devel
< 2.4.0

qemu-sbruno
qemu-user-static
< 2.4.50.g20150814

CVE-2015-5745
http://www.openwall.com/lists/oss-security/2015/08/06/5
http://git.qemu.org/?p=qemu.git;a=commit;h=7882080388be5088e72c425b02223c02e6cb4295
https://github.com/seanbruno/qemu-bsd-user/commit/7882080388be5088e72c425b02223c02e6cb4295
da451130-365d-11e5-a4a5-002590263bf5qemu, xen-tools -- QEMU heap overflow flaw with certain ATAPI commands

The Xen Project reports:

A heap overflow flaw was found in the way QEMU's IDE subsystem handled I/O buffer access while processing certain ATAPI commands.

A privileged guest user in a guest with CDROM drive enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process corresponding to the guest.


Discovery 2015-07-27
Entry 2015-08-04
Modified 2015-08-19
qemu
qemu-devel
le 0.11.1_20

ge 0.12 le 2.3.0_2

qemu-sbruno
qemu-user-static
< 2.4.50.g20150814

xen-tools
< 4.5.0_9

CVE-2015-5154
http://xenbits.xen.org/xsa/advisory-138.html
http://git.qemu.org/?p=qemu.git;a=commit;h=e40db4c6d391419c0039fe274c74df32a6ca1a28
152acff3-b1bd-11e5-9728-002590263bf5qemu -- denial of service vulnerability in Q35 chipset emulation

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the Q35 chipset based pc system emulator is vulnerable to a heap based buffer overflow. It occurs during VM guest migration, as more(16 bytes) data is moved into allocated (8 bytes) memory area.

A privileged guest user could use this issue to corrupt the VM guest image, potentially leading to a DoS. This issue affects q35 machine types.


Discovery 2015-11-19
Entry 2016-01-03
Modified 2016-07-06
qemu
qemu-devel
< 2.5.50

qemu-sbruno
qemu-user-static
< 2.5.50.g20151224

CVE-2015-8666
http://www.openwall.com/lists/oss-security/2015/12/24/1
http://git.qemu.org/?p=qemu.git;a=commit;h=d9a3b33d2c9f996537b7f1d0246dee2d0120cefb
https://github.com/seanbruno/qemu-bsd-user/commit/d9a3b33d2c9f996537b7f1d0246dee2d0120cefb
67feba97-b1b5-11e5-9728-002590263bf5qemu -- denial of service vulnerability in VNC

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the VNC display driver support is vulnerable to an arithmetic exception flaw. It occurs on the VNC server side while processing the 'SetPixelFormat' messages from a client.

A privileged remote client could use this flaw to crash the guest resulting in DoS.


Discovery 2015-12-08
Entry 2016-01-03
qemu
qemu-devel
< 2.5.0

qemu-sbruno
qemu-user-static
< 2.5.50.g20151224

CVE-2015-8504
http://www.openwall.com/lists/oss-security/2015/12/08/4
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3
https://github.com/seanbruno/qemu-bsd-user/commit/4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3
10bf8eed-b14d-11e5-9728-002590263bf5qemu -- denial of service vulnerability in e1000 NIC support

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the e1000 NIC emulation support is vulnerable to an infinite loop issue. It could occur while processing transmit descriptor data when sending a network packet.

A privileged user inside guest could use this flaw to crash the Qemu instance resulting in DoS.


Discovery 2015-09-04
Entry 2016-01-02
qemu
qemu-devel
< 2.4.0.1

qemu-sbruno
qemu-user-static
< 2.5.50.g20151224

CVE-2015-6815
http://www.openwall.com/lists/oss-security/2015/09/04/4
http://git.qemu.org/?p=qemu.git;a=commit;h=3a56af1fbc17ff453f6e90fb08ce0c0e6fd0b61b
https://github.com/seanbruno/qemu-bsd-user/commit/b947ac2bf26479e710489739c465c8af336599e7
6aa3322f-b150-11e5-9728-002590263bf5qemu -- denial of service vulnerabilities in NE2000 NIC support

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the NE2000 NIC emulation support is vulnerable to an infinite loop issue. It could occur when receiving packets over the network.

A privileged user inside guest could use this flaw to crash the Qemu instance resulting in DoS.

Qemu emulator built with the NE2000 NIC emulation support is vulnerable to a heap buffer overflow issue. It could occur when receiving packets over the network.

A privileged user inside guest could use this flaw to crash the Qemu instance or potentially execute arbitrary code on the host.


Discovery 2015-09-15
Entry 2016-01-02
qemu
qemu-devel
< 2.4.0.1

qemu-sbruno
qemu-user-static
< 2.5.50.g20151224

CVE-2015-5278
CVE-2015-5279
http://www.openwall.com/lists/oss-security/2015/09/15/2
http://www.openwall.com/lists/oss-security/2015/09/15/3
http://git.qemu.org/?p=qemu.git;a=commit;h=5a1ccdfe44946e726b4c6fda8a4493b3931a68c1
https://github.com/seanbruno/qemu-bsd-user/commit/737d2b3c41d59eb8f94ab7eb419b957938f24943
http://git.qemu.org/?p=qemu.git;a=commit;h=7aa2bcad0ca837dd6d4bf4fa38a80314b4a6b755
https://github.com/seanbruno/qemu-bsd-user/commit/9bbdbc66e5765068dce76e9269dce4547afd8ad4
ee99899d-4347-11e5-93ad-002590263bf5qemu, xen-tools -- use-after-free in QEMU/Xen block unplug protocol

The Xen Project reports:

When unplugging an emulated block device the device was not fully unplugged, meaning a second unplug attempt would attempt to unplug the device a second time using a previously freed pointer.

An HVM guest which has access to an emulated IDE disk device may be able to exploit this vulnerability in order to take over the qemu process elevating its privilege to that of the qemu process.


Discovery 2015-08-03
Entry 2015-08-17
Modified 2015-08-19
qemu
qemu-devel
le 0.11.1_20

ge 0.12 le 2.3.0_2

qemu-sbruno
qemu-user-static
< 2.4.50.g20150814

xen-tools
< 4.5.1

CVE-2015-5166
http://xenbits.xen.org/xsa/advisory-139.html
http://git.qemu.org/?p=qemu.git;a=commit;h=260425ab405ea76c44dd59744d05176d4f579a52
aea8d90e-b0c1-11e5-8d13-bc5ff45d0f28qemu -- code execution on host machine

Petr Matousek of Red Hat Inc. reports:

Due converting PIO to the new memory read/write api we no longer provide separate I/O region lenghts for read and write operations. As a result, reading from PIT Mode/Command register will end with accessing pit->channels with invalid index and potentially cause memory corruption and/or minor information leak.

A privileged guest user in a guest with QEMU PIT emulation enabled could potentially (tough unlikely) use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process.

Please note that by default QEMU/KVM guests use in-kernel (KVM) PIT emulation and are thus not vulnerable to this issue.


Discovery 2015-06-17
Entry 2016-01-01
qemu
qemu-devel
< 2.4.0

qemu-sbruno
qemu-user-static
< 2.4.50.g20150814

CVE-2015-3214
http://openwall.com/lists/oss-security/2015/06/17/5
http://git.qemu.org/?p=qemu.git;a=commit;h=d4862a87e31a51de9eb260f25c9e99a75efe3235
https://github.com/seanbruno/qemu-bsd-user/commit/d4862a87e31a51de9eb260f25c9e99a75efe3235
62ab8707-b1bc-11e5-9728-002590263bf5qemu -- denial of service vulnerability in Human Monitor Interface support

Prasad J Pandit, Red Hat Product Security Team, reports:

Qemu emulator built with the Human Monitor Interface(HMP) support is vulnerable to an OOB write issue. It occurs while processing 'sendkey' command in hmp_sendkey routine, if the command argument is longer than the 'keyname_buf' buffer size.

A user/process could use this flaw to crash the Qemu process instance resulting in DoS.


Discovery 2015-12-23
Entry 2016-01-03
Modified 2016-07-06
qemu
qemu-devel
< 2.5.0

qemu-sbruno
qemu-user-static
< 2.5.50.g20160213

CVE-2015-8619
ports/205813
ports/205814
http://www.openwall.com/lists/oss-security/2015/12/22/8
https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02930.html
http://git.qemu.org/?p=qemu.git;a=commit;h=64ffbe04eaafebf4045a3ace52a360c14959d196
https://github.com/seanbruno/qemu-bsd-user/commit/64ffbe04eaafebf4045a3ace52a360c14959d196