| Description: | Summary:
The remote host is missing an update for the Debian 'qemu' package(s) announced via the DLA-1694-1 advisory.
Vulnerability Insight:
Several vulnerabilities were found in QEMU, a fast processor emulator:
CVE-2018-12617
The qmp_guest_file_read function (qga/commands-posix.c) is affected by an integer overflow and subsequent memory allocation failure. This weakness might be leveraged by remote attackers to cause denial of service (application crash).
CVE-2018-16872
The usb_mtp_get_object, usb_mtp_get_partial_object and usb_mtp_object_readdir functions (hw/usb/dev-mtp.c) are affected by a symlink attack. Remote attackers might leverage this vulnerability to perform information disclosure.
CVE-2019-6778
The tcp_emu function (slirp/tcp_subr.c) is affected by a heap buffer overflow caused by insufficient validation of available space in the sc_rcv->sb_data buffer. Remote attackers might leverage this flaw to cause denial of service, or any other unspecified impact.
For Debian 8 Jessie, these problems have been fixed in version 1:2.1+dfsg-12+deb8u10.
We recommend that you upgrade your qemu packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: [link moved to references]
Affected Software/OS:
'qemu' package(s) on Debian 8.
Solution:
Please install the updated package(s).
CVSS Score:
5.0
CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P
|
