UbuntuUpdates.org

Package "qemu-system"

Name: qemu-system

Description:

QEMU full system emulation binaries

Latest version: 1:6.2+dfsg-2ubuntu6.24
Release: jammy (22.04)
Level: security
Repository: main
Head package: qemu
Homepage: http://www.qemu.org/

Links


Download "qemu-system"


Other versions of "qemu-system" in Jammy

Repository Area Version
base main 1:6.2+dfsg-2ubuntu6
updates main 1:6.2+dfsg-2ubuntu6.24

Changelog

Version: 1:6.2+dfsg-2ubuntu6.24 2024-11-11 00:07:02 UTC

  qemu (1:6.2+dfsg-2ubuntu6.24) jammy-security; urgency=medium

  * SECURITY UPDATE: denial of service
    - debian/patches/CVE-2023-3019-pre1.patch: Add definition for
      MemReentrancyGuard struct and add to DeviceState struct
    - debian/patches/CVE-2023-3019-1.patch: Provide MemReentrancyGuard *
      to qemu_new_nic()
    - debian/patches/CVE-2023-3019-2.patch: Update MemReentrancyGuard for
      NIC
    - CVE-2023-3019

 -- Bruce Cable <email address hidden> Tue, 22 Oct 2024 16:33:28 +1100

Source diff to previous version
CVE-2023-3019 A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged gues

Version: 1:6.2+dfsg-2ubuntu6.22 2024-08-13 20:07:10 UTC

  qemu (1:6.2+dfsg-2ubuntu6.22) jammy-security; urgency=medium

  * SECURITY UPDATE: null dereference
    - debian/patches/CVE-2023-6683-1.patch: Check size before
      populating info->types data
    - debian/patches/CVE-2023-6683-2.patch: Check clipboard types
      for if a callback needs to be set
    - CVE-2023-6683
  * SECURITY UPDATE: stack based buffer overflow
    - debian/patches/CVE-2023-6693.patch: Correctly copy vnet header
      when flushing TX
    - CVE-2023-6693
  * SECURITY UPDATE: integer underflow
    - debian/patches/CVE-2024-24474.patch: Restrict non-DMA transfer
      length to that of available data
    - CVE-2024-24474

 -- Bruce Cable <email address hidden> Thu, 01 Aug 2024 13:08:05 +1000

Source diff to previous version
CVE-2023-6683 A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. The qemu_clipboard_request() function can be reached before
CVE-2023-6693 A stack based buffer overflow was found in the virtio-net device of QEMU. This issue occurs when flushing TX in the virtio_net_flush_tx function if g
CVE-2024-24474 QEMU before 8.2.0 has an integer underflow, and resultant buffer overflow, via a TI command when an expected non-DMA transfer length is less than the

Version: 1:6.2+dfsg-2ubuntu6.21 2024-06-06 18:07:35 UTC

  qemu (1:6.2+dfsg-2ubuntu6.21) jammy-security; urgency=medium

  * SECURITY REGRESSION: 9pfs restrictions on sockets (LP: #2065579)
    - debian/patches/ubuntu/lp-2065579-9pfs-allow-sockets.patch: allow
      sockets and FIFOs to be opened in hw/9pfs/9p-util.h. The fix for
      CVE-2023-2861 was too restrictive for some use-cases.

 -- Marc Deslauriers <email address hidden> Wed, 05 Jun 2024 12:25:53 -0400

Source diff to previous version
2065579 [UBUNTU 22.04] OS guest boot issues on 9p filesystem
CVE-2023-2861 A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. The 9pfs server did not prohibit opening special files on the host s

Version: 1:6.2+dfsg-2ubuntu6.16 2024-01-08 19:07:00 UTC

  qemu (1:6.2+dfsg-2ubuntu6.16) jammy-security; urgency=medium

  * SECURITY UPDATE: infinite loop in USB xHCI controller
    - debian/patches/CVE-2020-14394.patch: fix unbounded loop in
      hw/usb/hcd-xhci.c.
    - CVE-2020-14394
  * SECURITY UPDATE: OOB read in RDMA device
    - debian/patches/CVE-2023-1544.patch: protect against buggy or
      malicious guest driver in hw/rdma/vmw/pvrdma_main.c.
    - CVE-2023-1544
  * SECURITY UPDATE: 9pfs special file access
    - debian/patches/CVE-2023-2861.patch: prevent opening special files in
      fsdev/virtfs-proxy-helper.c, hw/9pfs/9p-util.h.
    - CVE-2023-2861
  * SECURITY UPDATE: heap overflow in crypto device
    - debian/patches/CVE-2023-3180.patch: verify src&dst buffer length for
      sym request in hw/virtio/virtio-crypto.c.
    - CVE-2023-3180
  * SECURITY UPDATE: infinite loop in VNC server
    - debian/patches/CVE-2023-3255.patch: fix infinite loop in
      inflate_buffer in ui/vnc-clipboard.c.
    - CVE-2023-3255
  * SECURITY UPDATE: race in virtio-net hot-unplug
    - debian/patches/CVE-2023-3301.patch: do not cleanup the vdpa/vhost-net
      structures if peer nic is present in net/vhost-vdpa.c.
    - CVE-2023-3301
  * SECURITY UPDATE: DoS in VNC server
    - debian/patches/CVE-2023-3354.patch: remove io watch if TLS channel is
      closed during handshake in include/io/channel-tls.h,
      io/channel-tls.c.
    - CVE-2023-3354
  * SECURITY UPDATE: disk offset 0 access
    - debian/patches/CVE-2023-5088.patch: cancel async DMA operation before
      resetting state in hw/ide/core.c.
    - CVE-2023-5088
  * SECURITY UPDATE: DoS in Intel HD Audio device
    - debian/patches/CVE-2021-3611-*.patch: add MemTxAttrs argument to
      DMA functions and use it in hw/audio/intel-hda.c.
    - CVE-2021-3611

 -- Marc Deslauriers <email address hidden> Thu, 30 Nov 2023 09:53:27 -0500

Source diff to previous version
CVE-2020-14394 An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. Thi
CVE-2023-1544 A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a
CVE-2023-2861 A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. The 9pfs server did not prohibit opening special files on the host s
CVE-2023-3180 A flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in virtio_crypto_handle_sym_req. There is no ch
CVE-2023-3255 A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. A wrong exit condition may lead to an infinite loop when in
CVE-2023-3301 A flaw was found in QEMU. The async nature of hot-unplug enables a race scenario where the net device backend is cleared before the virtio-net pci fr
CVE-2023-3354 A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks whether the current number of connections cro
CVE-2023-5088 A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overw
CVE-2021-3611 A stack overflow vulnerability was found in the Intel HD Audio device (intel-hda) of QEMU. A malicious guest could use this flaw to crash the QEMU pr

Version: 1:6.2+dfsg-2ubuntu6.11 2023-06-19 05:07:02 UTC

  qemu (1:6.2+dfsg-2ubuntu6.11) jammy-security; urgency=medium

  * SECURITY UPDATE: user-after-free issue
    - debian/patches/CVE-2022-1050.patch: Protect against buggy or
      malicious guest driver
    - CVE-2022-1050
  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2022-4144-*.patch: Have qxl_log_command Return
      early if no log_cmd handler; Document qxl_phys2virt(); Pass requested
      buffer size to qxl_phys2virt(); Avoid buffer overrun in qxl_phys2virt;
      Assert memory slot fits in preallocated MemoryRegion
    - CVE-2022-4144
  * SECURITY UPDATE: reentrancy problem
    - debian/patches/CVE-2023-0330.patch: Fix reentrancy issues in the LSI
      controller
    - CVE-2023-0330

 -- Nishit Majithia <email address hidden> Tue, 13 Jun 2023 17:03:25 +0530

CVE-2022-1050 A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when
CVE-2022-4144 An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt() function does not check the size of the structu
CVE-2023-0330 A vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs like st



About   -   Send Feedback to @ubuntu_updates