| Name | CVE-2016-6351 |
| Description | The esp_do_dma function in hw/scsi/esp.c in QEMU (aka Quick Emulator), when built with ESP/NCR53C9x controller emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or execute arbitrary code on the QEMU host via vectors involving DMA read into ESP command buffer. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-1599-1, DLA-573-1, DLA-574-1 |
| Debian Bugs | 832621 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| qemu (PTS) | buster | 1:3.1+dfsg-8+deb10u8 | fixed |
| buster (security) | 1:3.1+dfsg-8+deb10u12 | fixed | |
| bullseye | 1:5.2+dfsg-11+deb11u3 | fixed | |
| bullseye (security) | 1:5.2+dfsg-11+deb11u2 | fixed | |
| bookworm | 1:7.2+dfsg-7+deb12u5 | fixed | |
| trixie | 1:8.2.1+ds-2 | fixed | |
| sid | 1:8.2.2+ds-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| qemu | source | wheezy | 1.1.2+dfsg-6+deb7u14 | DLA-573-1 | ||
| qemu | source | jessie | 1:2.1+dfsg-12+deb8u8 | DLA-1599-1 | ||
| qemu | source | (unstable) | 1:2.6+dfsg-3.1 | 832621 | ||
| qemu-kvm | source | wheezy | 1.1.2+dfsg-6+deb7u14 | DLA-574-1 | ||
| qemu-kvm | source | (unstable) | (unfixed) |
Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=926cde5f3e4d2504ed161ed0cb771ac7cad6fd11 (v2.7.0-rc0)
Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=cc96677469388bad3d66479379735cf75db069e3 (v2.7.0-rc0)
https://www.openwall.com/lists/oss-security/2016/07/25/14
According to maintainer the fix relies on the fix for CVE-2016-4439