Debian Security Advisory
DSA-3349-1 qemu-kvm -- security update
- Date Reported:
- 02 Sep 2015
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2015-5165, CVE-2015-5745.
- More information:
Several vulnerabilities were discovered in qemu-kvm, a full virtualization solution on x86 hardware.
Donghai Zhu discovered that the QEMU model of the RTL8139 network card did not sufficiently validate inputs in the C+ mode offload emulation, allowing a malicious guest to read uninitialized memory from the QEMU process's heap.
A buffer overflow vulnerability was discovered in the way QEMU handles the virtio-serial device. A malicious guest could use this flaw to mount a denial of service (QEMU process crash).
For the oldstable distribution (wheezy), these problems have been fixed in version 1.1.2+dfsg-6+deb7u9.
We recommend that you upgrade your qemu-kvm packages.