USN-6954-1: QEMU vulnerabilities
13 August 2024
Several security issues were fixed in QEMU.
Releases
Packages
- qemu - Machine emulator and virtualizer
Details
Markus Frank and Fiona Ebner discovered that QEMU did not properly
handle certain memory operations, leading to a NULL pointer dereference.
An authenticated user could potentially use this issue to cause a denial
of service. (CVE-2023-6683)
Xiao Lei discovered that QEMU did not properly handle certain memory
operations when specific features were enabled, which could lead to a
stack overflow. An attacker could potentially use this issue to leak
sensitive information. (CVE-2023-6693)
It was discovered that QEMU had an integer underflow vulnerability in
the TI command, which would result in a buffer overflow. An attacker
could potentially use this issue to cause a denial of service.
(CVE-2024-24474)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 22.04
-
qemu-system
-
1:6.2+dfsg-2ubuntu6.22
-
qemu-system-arm
-
1:6.2+dfsg-2ubuntu6.22
-
qemu-system-mips
-
1:6.2+dfsg-2ubuntu6.22
-
qemu-system-misc
-
1:6.2+dfsg-2ubuntu6.22
-
qemu-system-ppc
-
1:6.2+dfsg-2ubuntu6.22
-
qemu-system-s390x
-
1:6.2+dfsg-2ubuntu6.22
-
qemu-system-sparc
-
1:6.2+dfsg-2ubuntu6.22
-
qemu-system-x86-xen
-
1:6.2+dfsg-2ubuntu6.22
After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.