CVE-2019-12068
First published: Tue Sep 24 2019(Updated: )
In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| QEMU KVM | =1\-4.1-1 | |
| All of | ||
| QEMU KVM | =1\-2.1\+dfsg-12\+deb8u6 | |
| Debian GNU/Linux | =8.0 | |
| All of | ||
| QEMU KVM | =1\-2.8\+dfsg-6\+deb9u8 | |
| Debian GNU/Linux | =9.0 | |
| All of | ||
| Any of | ||
| QEMU KVM | =1\-3.1\+dfsg-8\+deb10u2 | |
| QEMU KVM | =1\-3.1\+dfsg-8\~deb10u1 | |
| Debian GNU/Linux | =10.0 | |
| Ubuntu Linux | =14.04 | |
| Ubuntu Linux | =16.04 | |
| Ubuntu Linux | =18.04 | |
| Ubuntu Linux | =19.04 | |
| Ubuntu Linux | =19.10 | |
| openSUSE | =15.0 | |
| openSUSE | =15.1 | |
| QEMU KVM | =1\-2.1\+dfsg-12\+deb8u6 | |
| Debian | =8.0 | |
| QEMU KVM | =1\-2.8\+dfsg-6\+deb9u8 | |
| Debian | =9.0 | |
| QEMU KVM | =1\-3.1\+dfsg-8\+deb10u2 | |
| QEMU KVM | =1\-3.1\+dfsg-8\~deb10u1 | |
| Debian | =10.0 | |
| Ubuntu | =14.04 | |
| Ubuntu | =16.04 | |
| Ubuntu | =18.04 | |
| Ubuntu | =19.04 | |
| Ubuntu | =19.10 | |
| debian/qemu | 1:5.2+dfsg-11+deb11u3 1:5.2+dfsg-11+deb11u2 1:7.2+dfsg-7+deb12u12 1:9.2.1+ds-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00034.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00038.html
- https://git.qemu.org/?p=qemu.git;a=commit;h=de594e47659029316bbf9391efb79da0a1a08e08
- https://lists.debian.org/debian-lts-announce/2019/09/msg00021.html
- https://lists.debian.org/debian-lts-announce/2020/07/msg00020.html
- https://lists.gnu.org/archive/html/qemu-devel/2019-08/msg01518.html
- https://security-tracker.debian.org/tracker/CVE-2019-12068
- https://usn.ubuntu.com/4191-1/
- https://usn.ubuntu.com/4191-2/
- https://www.debian.org/security/2020/dsa-4665
- https://launchpad.net/bugs/cve/CVE-2019-12068
- https://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=de594e47659029316bbf9391efb79da0a1a08e08
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12068
- https://nvd.nist.gov/vuln/detail/CVE-2019-12068
- https://ubuntu.com/security/CVE-2019-12068
Frequently Asked Questions
What is the severity of CVE-2019-12068?
The severity of CVE-2019-12068 is low.
How does CVE-2019-12068 affect QEMU?
CVE-2019-12068 affects QEMU versions 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed).
How can I fix CVE-2019-12068 in QEMU?
To fix CVE-2019-12068 in QEMU, update to version 1:4.1-2 or later.
Is Debian Linux affected by CVE-2019-12068?
Debian Linux versions 8.0, 9.0, and 10.0 are not vulnerable to CVE-2019-12068.
Where can I find more information about CVE-2019-12068?
More information about CVE-2019-12068 can be found at the following references: - [GIT Commit](https://git.qemu.org/?p=qemu.git;a=commit;h=de594e47659029316bbf9391efb79da0a1a08e08) - [QEMU Development Mailing List](https://lists.gnu.org/archive/html/qemu-devel/2019-08/msg01518.html) - [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-12068)
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/weakness
- agent/severity
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/remedy
- agent/description
- agent/first-publish-date
- agent/last-modified-date
- agent/trending
- agent/source
- agent/event
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- vendor/qemu
- canonical/qemu kvm
- version/qemu kvm/1\-4.1-1
- version/qemu kvm/1\-2.1\+dfsg-12\+deb8u6
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/8.0
- version/qemu kvm/1\-2.8\+dfsg-6\+deb9u8
- version/debian gnu/linux/9.0
- version/qemu kvm/1\-3.1\+dfsg-8\+deb10u2
- version/qemu kvm/1\-3.1\+dfsg-8\~deb10u1
- version/debian gnu/linux/10.0
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/14.04
- version/ubuntu linux/16.04
- version/ubuntu linux/18.04
- version/ubuntu linux/19.04
- version/ubuntu linux/19.10
- vendor/opensuse
- canonical/opensuse
- version/opensuse/15.0
- version/opensuse/15.1
- canonical/debian
- version/debian/8.0
- version/debian/9.0
- version/debian/10.0
- canonical/ubuntu
- version/ubuntu/14.04
- version/ubuntu/16.04
- version/ubuntu/18.04
- version/ubuntu/19.04
- version/ubuntu/19.10
- package-manager/debian