First published: Fri Nov 20 2015
QEMU emulator built with the SCSI MegaRAID SAS HBA emulation support is vulnerable to a stack buffer overflow issue. It occurs while processing the SCSI controller's CTRL_GET_INFO command. A privileged guest user could use this flaw to crash the QEMU process instance, resulting in DoS.

Upstream patch: [https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg03737.html](https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg03737.html)

Reference: [http://www.openwall.com/lists/oss-security/2015/12/22/1](http://www.openwall.com/lists/oss-security/2015/12/22/1)

Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
QEMU qemu | <=2.5.1 | |
Debian Debian Linux | =8.0 | |
ubuntu/qemu | <2.0.0+dfsg-2ubuntu1.22 | 2.0.0+dfsg-2ubuntu1.22 |
ubuntu/qemu | <1:2.3+dfsg-5ubuntu9.2 | 1:2.3+dfsg-5ubuntu9.2 |
debian/qemu | 1:5.2+dfsg-11+deb11u3 1:5.2+dfsg-11+deb11u2 1:7.2+dfsg-7+deb12u7 1:9.0.2+ds-2 1:9.1.0+ds-3 |
CVE-2015-8613 is a vulnerability that allows local guest users to cause a denial of service (QEMU instance crash) via a crafted SCSI controller CTRL_GET_INFO command in QEMU, when built with SCSI MegaRAID SAS HBA emulation support.
No, CVE-2015-8613 has a low severity level.
QEMU versions 2.0.0+dfsg-2ubuntu1.22, 1:2.3+dfsg-5ubuntu9.2, and various Debian versions are affected by CVE-2015-8613.
To fix CVE-2015-8613, update QEMU to a version that includes the necessary security patches.
You can find more information about CVE-2015-8613 at the following references: [Security Focus](http://www.securityfocus.com/bid/79719), [Debian Security Advisory](http://www.debian.org/security/2016/dsa-3471), [Gentoo Linux Security Advisory](https://security.gentoo.org/glsa/201604-01).