Package : qemu-kvm Version : 1.1.2+dfsg-6+deb7u22 CVE ID : CVE-2016-9602 CVE-2017-7377 CVE-2017-7471 CVE-2017-7493 CVE-2017-8086 Several vulnerabilities were discovered in qemu-kvm, a full virtualization solution for Linux hosts on x86 hardware with x86 guests based on the Quick Emulator(Qemu). CVE-2016-9602 Quick Emulator(Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an improper link following issue. It could occur while accessing symbolic link files on a shared host directory. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host. CVE-2017-7377 Quick Emulator(Qemu) built with the virtio-9p back-end support is vulnerable to a memory leakage issue. It could occur while doing a I/O operation via v9fs_create/v9fs_lcreate routine. A privileged user/process inside guest could use this flaw to leak host memory resulting in Dos. CVE-2017-7471 Quick Emulator(Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing files on a shared host directory. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host. CVE-2017-7493 Quick Emulator(Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could use this flaw to escalate their privileges inside guest. CVE-2017-8086 Quick Emulator(Qemu) built with the virtio-9p back-end support is vulnerable to a memory leakage issue. It could occur while querying file system extended attributes via 9pfs_list_xattr() routine. A privileged user/process inside guest could use this flaw to leak host memory resulting in Dos. For Debian 7 "Wheezy", these problems have been fixed in version 1.1.2+dfsg-6+deb7u22. We recommend that you upgrade your qemu-kvm packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature