Package "qemu-system"

Name:	qemu-system
Description:	QEMU full system emulation binaries
Latest version:	1:6.2+dfsg-2ubuntu6.27
Release:	jammy (22.04)
Level:	security
Repository:	main
Head package:	qemu
Homepage:	http://www.qemu.org/

Links

Raw Package Information

All versions of this package

Bug fixes

List of files in package

Repository home page

Download "qemu-system"

32-bit deb package

64-bit deb package

APT INSTALL

Other versions of "qemu-system" in Jammy

Repository	Area	Version
base	main	1:6.2+dfsg-2ubuntu6
updates	main	1:6.2+dfsg-2ubuntu6.27

Changelog

Version: 1:6.2+dfsg-2ubuntu6.27 2025-09-11 17:06:58 UTC

qemu (1:6.2+dfsg-2ubuntu6.27) jammy-security; urgency=medium * SECURITY UPDATE: double-free in QEMU virtio devices - debian/patches/CVE-2024-3446-pre1.patch: add an optional reentrancy guard to the BH API in docs/devel/multiple-iothreads.txt, include/block/aio.h, include/qemu/main-loop.h, tests/unit/ptimer-test-stubs.c, util/async.c, util/main-loop.c, util/trace-events. - debian/patches/CVE-2024-3446-pre2.patch: replace most qemu_bh_new calls with qemu_bh_new_guarded. - debian/patches/CVE-2024-3446-pre3.patch: introduce virtio_bh_new_guarded() helper in hw/virtio/virtio.c, include/hw/virtio/virtio.h. - debian/patches/CVE-2024-3446-1.patch: protect from DMA re-entrancy bugs in hw/virtio/virtio-crypto.c. - debian/patches/CVE-2024-3446-2.patch: protect from DMA re-entrancy bugs in hw/char/virtio-serial-bus.c. - debian/patches/CVE-2024-3446-3.patch: protect from DMA re-entrancy bugs in hw/display/virtio-gpu.c. - CVE-2024-3446 * SECURITY UPDATE: heap overflow in SDHCI device emulation - debian/patches/CVE-2024-3447.patch: do not update TRNMOD when Command Inhibit (DAT) is set in hw/sd/sdhci.c. - CVE-2024-3447 * SECURITY UPDATE: resource consumption in disk utility - debian/patches/CVE-2024-4467-pre1.patch: do not reopen data_file in invalidate_cache in block/qcow2.c. - debian/patches/CVE-2024-4467-1.patch: don't open data_file with BDRV_O_NO_IO in block/qcow2.c, tests/qemu-iotests/061*. - debian/patches/CVE-2024-4467-2.patch: don't store data-file with protocol in image in tests/qemu-iotests/244. - debian/patches/CVE-2024-4467-3.patch: don't store data-file with json: prefix in image in tests/qemu-iotests/270. - debian/patches/CVE-2024-4467-4.patch: parse filenames only when explicitly requested in block.c. - CVE-2024-4467 * SECURITY UPDATE: heap overflow in virtio-net device RSS feature - debian/patches/CVE-2024-6505.patch: ensure queue index fits with RSS in hw/net/virtio-net.c. - CVE-2024-6505 * SECURITY UPDATE: Dos via improper synchronization during socket closure - debian/patches/CVE-2024-7409-1.patch: plumb in new args to nbd_client_add() in blockdev-nbd.c, include/block/nbd.h, nbd/server.c, qemu-nbd.c. - debian/patches/CVE-2024-7409-2.patch: cap default max-connections to 100 in block/monitor/block-hmp-cmds.c, blockdev-nbd.c, include/block/nbd.h, qapi/block-export.json. - debian/patches/CVE-2024-7409-3.patch: close stray clients at server-stop in blockdev-nbd.c. - debian/patches/CVE-2024-7409-4.patch: drop non-negotiating clients in nbd/server.c, nbd/trace-events. - debian/patches/CVE-2024-7409-5.patch: avoid use-after-free when closing server in blockdev-nbd.c. - CVE-2024-7409 * SECURITY UPDATE: DoS via assert failure in usb_ep_get() - debian/patches/CVE-2024-8354.patch: change ohci validation in hw/usb/hcd-ohci.c, hw/usb/trace-events. - CVE-2024-8354 * SECURITY UPDATE: possibly binfmt privilege escalation (LP: #2120814) - debian/binfmt-install: stop using C (Credentials) flag for binfmt_misc registration. -- Marc Deslauriers <email address hidden> Mon, 25 Aug 2025 19:16:14 -0400

Source diff to previous version

2120814	binfmt_misc C (Credentials) flag as security risk with setuid binaries
CVE-2024-3446	A double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insu
CVE-2024-3447	A heap-based buffer overflow was found in the SDHCI device emulation of QEMU. The bug is triggered when both `s->data_count` and the size of `s->fif
CVE-2024-4467	A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing blo
CVE-2024-6505	A flaw was found in the virtio-net device in QEMU. When enabling the RSS feature on the virtio-net network card, the indirections_table data within R
CVE-2024-7409	A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closur
CVE-2024-8354	A flaw was found in QEMU. An assertion failure was present in the usb_ep_get() function in hw/net/core.c when trying to get the USB endpoint from a U

Version: 1:6.2+dfsg-2ubuntu6.24 2024-11-11 00:07:02 UTC

qemu (1:6.2+dfsg-2ubuntu6.24) jammy-security; urgency=medium * SECURITY UPDATE: denial of service - debian/patches/CVE-2023-3019-pre1.patch: Add definition for MemReentrancyGuard struct and add to DeviceState struct - debian/patches/CVE-2023-3019-1.patch: Provide MemReentrancyGuard * to qemu_new_nic() - debian/patches/CVE-2023-3019-2.patch: Update MemReentrancyGuard for NIC - CVE-2023-3019 -- Bruce Cable <email address hidden> Tue, 22 Oct 2024 16:33:28 +1100

Source diff to previous version

CVE-2023-3019

A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged gues

Version: 1:6.2+dfsg-2ubuntu6.22 2024-08-13 20:07:10 UTC

qemu (1:6.2+dfsg-2ubuntu6.22) jammy-security; urgency=medium * SECURITY UPDATE: null dereference - debian/patches/CVE-2023-6683-1.patch: Check size before populating info->types data - debian/patches/CVE-2023-6683-2.patch: Check clipboard types for if a callback needs to be set - CVE-2023-6683 * SECURITY UPDATE: stack based buffer overflow - debian/patches/CVE-2023-6693.patch: Correctly copy vnet header when flushing TX - CVE-2023-6693 * SECURITY UPDATE: integer underflow - debian/patches/CVE-2024-24474.patch: Restrict non-DMA transfer length to that of available data - CVE-2024-24474 -- Bruce Cable <email address hidden> Thu, 01 Aug 2024 13:08:05 +1000

Source diff to previous version

CVE-2023-6683	A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. The qemu_clipboard_request() function can be reached before
CVE-2023-6693	A stack based buffer overflow was found in the virtio-net device of QEMU. This issue occurs when flushing TX in the virtio_net_flush_tx function if g
CVE-2024-24474	QEMU before 8.2.0 has an integer underflow, and resultant buffer overflow, via a TI command when an expected non-DMA transfer length is less than the

Version: 1:6.2+dfsg-2ubuntu6.21 2024-06-06 18:07:35 UTC

qemu (1:6.2+dfsg-2ubuntu6.21) jammy-security; urgency=medium * SECURITY REGRESSION: 9pfs restrictions on sockets (LP: #2065579) - debian/patches/ubuntu/lp-2065579-9pfs-allow-sockets.patch: allow sockets and FIFOs to be opened in hw/9pfs/9p-util.h. The fix for CVE-2023-2861 was too restrictive for some use-cases. -- Marc Deslauriers <email address hidden> Wed, 05 Jun 2024 12:25:53 -0400

Source diff to previous version

2065579	[UBUNTU 22.04] OS guest boot issues on 9p filesystem
CVE-2023-2861	A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. The 9pfs server did not prohibit opening special files on the host s

Version: 1:6.2+dfsg-2ubuntu6.16 2024-01-08 19:07:00 UTC

qemu (1:6.2+dfsg-2ubuntu6.16) jammy-security; urgency=medium * SECURITY UPDATE: infinite loop in USB xHCI controller - debian/patches/CVE-2020-14394.patch: fix unbounded loop in hw/usb/hcd-xhci.c. - CVE-2020-14394 * SECURITY UPDATE: OOB read in RDMA device - debian/patches/CVE-2023-1544.patch: protect against buggy or malicious guest driver in hw/rdma/vmw/pvrdma_main.c. - CVE-2023-1544 * SECURITY UPDATE: 9pfs special file access - debian/patches/CVE-2023-2861.patch: prevent opening special files in fsdev/virtfs-proxy-helper.c, hw/9pfs/9p-util.h. - CVE-2023-2861 * SECURITY UPDATE: heap overflow in crypto device - debian/patches/CVE-2023-3180.patch: verify src&dst buffer length for sym request in hw/virtio/virtio-crypto.c. - CVE-2023-3180 * SECURITY UPDATE: infinite loop in VNC server - debian/patches/CVE-2023-3255.patch: fix infinite loop in inflate_buffer in ui/vnc-clipboard.c. - CVE-2023-3255 * SECURITY UPDATE: race in virtio-net hot-unplug - debian/patches/CVE-2023-3301.patch: do not cleanup the vdpa/vhost-net structures if peer nic is present in net/vhost-vdpa.c. - CVE-2023-3301 * SECURITY UPDATE: DoS in VNC server - debian/patches/CVE-2023-3354.patch: remove io watch if TLS channel is closed during handshake in include/io/channel-tls.h, io/channel-tls.c. - CVE-2023-3354 * SECURITY UPDATE: disk offset 0 access - debian/patches/CVE-2023-5088.patch: cancel async DMA operation before resetting state in hw/ide/core.c. - CVE-2023-5088 * SECURITY UPDATE: DoS in Intel HD Audio device - debian/patches/CVE-2021-3611-*.patch: add MemTxAttrs argument to DMA functions and use it in hw/audio/intel-hda.c. - CVE-2021-3611 -- Marc Deslauriers <email address hidden> Thu, 30 Nov 2023 09:53:27 -0500

CVE-2020-14394	An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. Thi
CVE-2023-1544	A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a
CVE-2023-2861	A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. The 9pfs server did not prohibit opening special files on the host s
CVE-2023-3180	A flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in virtio_crypto_handle_sym_req. There is no ch
CVE-2023-3255	A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. A wrong exit condition may lead to an infinite loop when in
CVE-2023-3301	A flaw was found in QEMU. The async nature of hot-unplug enables a race scenario where the net device backend is cleared before the virtio-net pci fr
CVE-2023-3354	A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks whether the current number of connections cro
CVE-2023-5088	A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overw
CVE-2021-3611	A stack overflow vulnerability was found in the Intel HD Audio device (intel-hda) of QEMU. A malicious guest could use this flaw to crash the QEMU pr

About - Send Feedback to @ubuntu_updates

Package "qemu-system"

Links

Download "qemu-system"

Other versions of "qemu-system" in Jammy

Changelog

Share this page

Bookmarks

Latest updates

security

updates

PPA updates