CVE-2016-4020

Name: CVE-2016-4020
Description: The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not initialize the imm32 variable, which allows local guest OS administrators to obtain sensitive information from host stack memory by accessing the Task Priority Register (TPR).
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DLA-573-1, DLA-574-1
NVD severity: low (attack range: local)
Debian Bugs: 821062

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release                    Version                  Status
qemu (PTS)        wheezy                     1.1.2+dfsg-6a+deb7u12    vulnerable
                  wheezy (security)          1.1.2+dfsg-6+deb7u24     fixed
                  jessie (security), jessie  1:2.1+dfsg-12+deb8u6     vulnerable
                  stretch                    1:2.8+dfsg-6+deb9u2      fixed
                  stretch (security)         1:2.8+dfsg-6+deb9u3      fixed
                  buster, sid                1:2.10.0+dfsg-2          fixed
qemu-kvm (PTS)    wheezy                     1.1.2+dfsg-6+deb7u12     vulnerable
                  wheezy (security)          1.1.2+dfsg-6+deb7u24     fixed

The information below is based on the following data on fixed versions.

Package     Type     Release     Fixed Version           Urgency   Origin      Debian Bugs
qemu        source   (unstable)  1:2.6+dfsg-2            low                   821062
qemu        source   wheezy      1.1.2+dfsg-6+deb7u14    low       DLA-573-1
qemu-kvm    source   (unstable)  (unfixed)               low
qemu-kvm    source   wheezy      1.1.2+dfsg-6+deb7u14    low       DLA-574-1

Notes

[jessie] - qemu <no-dsa> (Minor issue)
https://lists.gnu.org/archive/html/qemu-devel/2016-04/msg01118.html
https://bugzilla.redhat.com/show_bug.cgi?id=1313686
http://www.openwall.com/lists/oss-security/2016/04/13/6