| Name | CVE-2013-4375 |
| Description | The qdisk PV disk backend in qemu-xen in Xen 4.2.x and 4.3.x before 4.3.1, and qemu 1.1 and other versions, allows local HVM guests to cause a denial of service (domain grant reference consumption) via unspecified vectors. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| qemu (PTS) | buster | 1:3.1+dfsg-8+deb10u8 | fixed |
| buster (security) | 1:3.1+dfsg-8+deb10u12 | fixed |
| bullseye | 1:5.2+dfsg-11+deb11u3 | fixed |
| bullseye (security) | 1:5.2+dfsg-11+deb11u2 | fixed |
| bookworm | 1:7.2+dfsg-7+deb12u5 | fixed |
| trixie | 1:8.2.1+ds-2 | fixed |
| sid | 1:8.2.2+ds-2 | fixed |
| xen (PTS) | buster, buster (security) | 4.11.4+107-gef32c7afa2-1 | fixed |
| bullseye | 4.14.6-1 | fixed |
| bullseye (security) | 4.14.5+94-ge49571868d-1 | fixed |
| bookworm | 4.17.3+10-g091466ba55-1~deb12u1 | fixed |
| trixie | 4.17.3+10-g091466ba55-1 | fixed |
| sid | 4.17.3+36-g54dacb5c02-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| qemu | source | squeeze | (not affected) | | | |
| qemu | source | wheezy | (not affected) | | | |
| qemu | source | jessie | (not affected) | | | |
| qemu | source | (unstable) | 1.7.0+dfsg-1 | | | |
| qemu-kvm | source | (unstable) | (not affected) | | | |
| xen | source | squeeze | (not affected) | | | |
| xen | source | wheezy | (not affected) | | | |
| xen | source | (unstable) | 4.2 | | | |
| xen-qemu-dm-4.0 | source | (unstable) | (not affected) | | | |
Notes
[squeeze] - xen <not-affected> (Only affects 4.2 and later)
[wheezy] - xen <not-affected> (Only affects 4.2 and later)
[jessie] - qemu <not-affected> (Xen in Wheezy uses it's internal copy of qemu)
[wheezy] - qemu <not-affected> (Xen in Wheezy uses it's internal copy of qemu)
[squeeze] - qemu <not-affected> (vulnerable from version 1.1 onwards)
- qemu-kvm <not-affected> (This only affects Qemu in combination with Xen)
- xen-qemu-dm-4.0 <not-affected> (Affected code not yet present)
This is only exploitable in combination with Xen.
Xen in Squeeze uses a separate source package: xen-qemu-dm-4.0
Xen in Wheezy includes qemu
Xen after Wheezy uses qemu-system-x86 from qemu, marking 4.2 as pseudo fixed