Package        : qemu
Version        : 1:2.1+dfsg-12+deb8u10
CVE ID         : CVE-2018-12617 CVE-2018-16872 CVE-2019-6778
Debian Bug     : 916397, 902725, 921525

Several vulnerabilities were found in QEMU, a fast processor emulator:

CVE-2018-12617

    The qmp_guest_file_read function (qga/commands-posix.c) is affected
    by an integer overflow and subsequent memory allocation failure. This
    weakness might be leveraged by remote attackers to cause denial of
    service (application crash).

CVE-2018-16872

    The usb_mtp_get_object, usb_mtp_get_partial_object and
    usb_mtp_object_readdir functions (hw/usb/dev-mtp.c) are affected by a
    symlink attack. Remote attackers might leverage this vulnerability to
    perform information disclosure.

CVE-2019-6778

    The tcp_emu function (slirp/tcp_subr.c) is affected by a heap buffer
    overflow caused by insufficient validation of available space in the
    sc_rcv->sb_data buffer. Remote attackers might leverage this flaw to
    cause denial of service, or any other unspecified impact.

For Debian 8 "Jessie", these problems have been fixed in version
1:2.1+dfsg-12+deb8u10.

We recommend that you upgrade your qemu packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS