-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3578
                    qemu security update for Debian LTS
                             23 September 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           qemu
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
                   Unauthorised Access             -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-15890 CVE-2019-14378 CVE-2019-13164
                   CVE-2019-12155 CVE-2019-12068 CVE-2017-9375
                   CVE-2016-5403 CVE-2016-5126 

Reference:         ESB-2019.3474
                   ESB-2017.1882
                   ESB-2016.1934

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2019/09/msg00021.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : qemu
Version        : 1:2.1+dfsg-12+deb8u12
CVE ID         : CVE-2016-5126 CVE-2016-5403 CVE-2017-9375 CVE-2019-12068 
                 CVE-2019-12155 CVE-2019-13164 CVE-2019-14378 CVE-2019-15890
Debian Bug     : 826151 832619 864219 929353 931351 933741 933742 939868 939869


Several vulnerabilities were found in QEMU, a fast processor emulator
(notably used in KVM and Xen HVM virtualization).

CVE-2016-5126

    Heap-based buffer overflow in the iscsi_aio_ioctl function in
    block/iscsi.c in QEMU allows local guest OS users to cause a
    denial of service (QEMU process crash) or possibly execute
    arbitrary code via a crafted iSCSI asynchronous I/O ioctl call.

CVE-2016-5403

    The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows
    local guest OS administrators to cause a denial of service (memory
    consumption and QEMU process crash) by submitting requests without
    waiting for completion.

CVE-2017-9375

    QEMU, when built with USB xHCI controller emulator support, allows
    local guest OS privileged users to cause a denial of service
    (infinite recursive call) via vectors involving control transfer
    descriptors sequencing.

CVE-2019-12068

    QEMU scsi disk backend: lsi: exit infinite loop while executing
    script

CVE-2019-12155

    interface_release_resource in hw/display/qxl.c in QEMU has a NULL
    pointer dereference.

CVE-2019-13164

    qemu-bridge-helper.c in QEMU does not ensure that a network
    interface name (obtained from bridge.conf or a --br=bridge option)
    is limited to the IFNAMSIZ size, which can lead to an ACL bypass.

CVE-2019-14378

    ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer
    overflow via a large packet because it mishandles a case involving
    the first fragment.

CVE-2019-15890

    libslirp 4.0.0, as used in QEMU, has a use-after-free in ip_reass
    in ip_input.c.

For Debian 8 "Jessie", these problems have been fixed in version
1:2.1+dfsg-12+deb8u12.

We recommend that you upgrade your qemu packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAl2EkSsACgkQj/HLbo2J
BZ8/AQf6AmErhOVKqKi+8HVX5GIdlfM25ZPGP1Qi6FDMTsHxqeWNJQZ8zceoZAnq
8/y+UTvpnHiwegB5rQCE5p7hf/dkVkVqqHMwSChdxtuBw9wZc6Wa9oPwwZFX84Hv
gC2q0rHIfBL1m9t0yO0OhWPwxd9ReizeLI6GmLGZNAlob7jKDPi4hzvDtZx4Pnwb
jYDNVihhepdYcVmTbIh9c9bSboHatsbLTySgltN8pTkW1zmCeBauqntwS8P5S1YO
9UqpIAbpfpnIiUwv/0mZSLJAd7100gyl2OcdhAe+y3/RK8jfc/6vCUhJE9a2gYBB
eamzL+01LkHnGrBssrvO2rXoR1tA+w==
=tnrb
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXYgywWaOgq3Tt24GAQgumxAAi6qvw+Y6d5Lbs1EDRJ4AgJSx9ydhMh0G
ORqUVQeo78+IDUDKaxccvcPxnwKabB0okpeHAmIohCx8zElPzFW2aOsaJ4uHvYbB
pDFCcOzeWqp4yfYRk27EOHMvDzWNGQNbOgwjJEB+WQXwK68MU6ajiAeIQAPfwo2/
EqCtzYBpw1Ny3AIP4XcxZDipfH2wFawvyheBg9E52hcE4k2RENssxlQRdgcheMfa
mp+QzTpcqpn7Chf9qv8SGIdObugUZ/eivI+nt4PQcqI38n+UICr+p8xOhXNxdnoz
YXzUVLW5u1hEFNDyWGwVARbOIpT2MpYrLVjH0iWC21QcHTl26Pm9zvd+ks7Ao5hC
rYv0TR21x+iqS+QQa8bs4NCRDQ1GrggwCBXEMeLQOFO1iCfhKCjLyZ6B1tH2qiJu
RrAXVO45Eb/cSsnLDqzI5Jbs0m7Gm+TUhNg4dq/FfWJgdlAvgK46nQ1YiAmOR3+u
hKikj/EkPagHG48/BJ2gFiSZozmqREgRqnBeIxRHZ/7ZamRpgGiRv4vKKtjEc362
uKsgi9vG2euFopVtydRaXiJlz21PoHnL1rAbno0azCN2SdoVoWfcwUQf9g5cjTtu
c8n421tDyamSnBMUyllEuT+bWl6TRvPaAbTpFz/9N/nNPDl+YDO+CR1fA1uKiFJ9
Y4j1vpJCRv0=
=p21j
-----END PGP SIGNATURE-----