CVE-2016-9603

Name	CVE-2016-9603
Description	A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx VGA emulator's VNC display driver support before 2.9; the issue could occur when a VNC client attempted to update its display after a VGA operation is performed by a guest. A privileged user/process inside a guest could use this flaw to crash the QEMU process or, potentially, execute arbitrary code on the host with privileges of the QEMU process.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References	DLA-1035-1, DLA-1270-1, DLA-1497-1, DLA-939-1
NVD severity	high
Debian Bugs	857744

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
qemu (PTS)	stretch	1:2.8+dfsg-6+deb9u9	fixed
	stretch (security)	1:2.8+dfsg-6+deb9u16	fixed
	buster, buster (security)	1:3.1+dfsg-8+deb10u8	fixed
	bullseye	1:5.2+dfsg-11	fixed
	bookworm, sid	1:6.1+dfsg-5	fixed
xen (PTS)	stretch (security), stretch	4.8.5.final+shim4.10.4-1+deb9u12	fixed
	buster	4.11.4+99-g8bce4698f6-1	fixed
	buster (security)	4.11.4+107-gef32c7afa2-1	fixed
	bookworm, bullseye	4.14.2+25-gb6a8c4f72d-2	fixed
	sid	4.14.3-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
qemu	source	wheezy	1.1.2+dfsg-6+deb7u22	DLA-1035-1
qemu	source	jessie	1:2.1+dfsg-12+deb8u7	DLA-1497-1
qemu	source	(unstable)	1:2.8+dfsg-4		857744
qemu-kvm	source	wheezy	1.1.2+dfsg-6+deb7u21	DLA-939-1
qemu-kvm	source	(unstable)	(unfixed)
xen	source	wheezy	4.1.6.lts1-12	DLA-1270-1
xen	source	(unstable)	4.4.0-1

Notes

Xen switched to qemu-system in 4.4.0-1
https://xenbits.xen.org/xsa/advisory-211.html
https://www.openwall.com/lists/oss-security/2017/03/14/2
Upstream patch http://git.qemu-project.org/?p=qemu.git;a=commit;h=50628d3479e4f9aa97e323506856e394fe7ad7a6