CVE-2008-0928
Published: 3 March 2008
Qemu 0.9.1 and earlier does not perform range checks for block device read or write requests, which allows guest host users with root privileges to access arbitrary memory and escape the virtual machine.
Notes
Author | Note |
---|---|
kees | note that the original patch corrupts growable devices, see RH bug |
jdstrand | there is now an updated patch in the RH bug 434978 Debian claims that patches break existing images |
Priority
Status
Package | Release | Status |
---|---|---|
qemu Launchpad, Ubuntu, Debian |
natty |
Does not exist
|
intrepid |
Not vulnerable
|
|
jaunty |
Not vulnerable
|
|
karmic |
Does not exist
|
|
lucid |
Does not exist
|
|
dapper |
Ignored
(end of life)
|
|
edgy |
Ignored
(end of life, was needed)
|
|
feisty |
Ignored
(end of life, was needed)
|
|
gutsy |
Ignored
(end of life, was needed)
|
|
hardy |
Ignored
(end of life)
|
|
maverick |
Does not exist
|
|
oneiric |
Does not exist
|
|
upstream |
Needed
|
|
kvm Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
edgy |
Does not exist
|
|
feisty |
Ignored
(end of life, was needed)
|
|
gutsy |
Ignored
(end of life, was needed)
|
|
hardy |
Released
(1:62+dfsg-0ubuntu3)
|
|
intrepid |
Not vulnerable
|
|
jaunty |
Not vulnerable
|
|
karmic |
Does not exist
|
|
lucid |
Does not exist
|
|
maverick |
Does not exist
|
|
natty |
Does not exist
|
|
oneiric |
Does not exist
|
|
upstream |
Needed
|
|
Patches: vendor: http://patch-tracking.debian.net/patch/series/view/kvm/72+dfsg-1.1/CVE-2008-0928.patch |
||
qemu-kvm Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
hardy |
Does not exist
|
|
intrepid |
Does not exist
|
|
jaunty |
Does not exist
|
|
karmic |
Not vulnerable
|
|
lucid |
Not vulnerable
|
|
maverick |
Not vulnerable
|
|
natty |
Not vulnerable
|
|
oneiric |
Not vulnerable
|
|
upstream |
Needs triage
|
|
xen-3.0 Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
edgy |
Ignored
(end of life, was needs-triage)
|
|
feisty |
Ignored
(end of life, was needs-triage)
|
|
gutsy |
Does not exist
|
|
hardy |
Does not exist
|
|
intrepid |
Does not exist
|
|
jaunty |
Does not exist
|
|
karmic |
Does not exist
|
|
lucid |
Does not exist
|
|
maverick |
Does not exist
|
|
natty |
Does not exist
|
|
oneiric |
Does not exist
|
|
upstream |
Needs triage
|
|
xen-3.1 Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
edgy |
Does not exist
|
|
feisty |
Does not exist
|
|
gutsy |
Ignored
(end of life, was needed)
|
|
hardy |
Ignored
(end of life)
|
|
intrepid |
Ignored
(end of life, was needed)
|
|
jaunty |
Does not exist
|
|
karmic |
Does not exist
|
|
lucid |
Does not exist
|
|
maverick |
Does not exist
|
|
natty |
Does not exist
|
|
oneiric |
Does not exist
|
|
upstream |
Needs triage
|
|
Patches: vendor: http://people.ubuntu.com/~kees/qemu/xen-qemu-CVE-2008-0928.patch vendor: https://bugzilla.redhat.com/attachment.cgi?id=296004 (improved) |
||
Binaries built from this source package are in Universe and so are supported by the community. | ||
xen-3.2 Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
edgy |
Does not exist
|
|
feisty |
Does not exist
|
|
gutsy |
Does not exist
|
|
hardy |
Ignored
(end of life)
|
|
intrepid |
Does not exist
|
|
jaunty |
Does not exist
|
|
karmic |
Does not exist
|
|
lucid |
Does not exist
|
|
maverick |
Does not exist
|
|
natty |
Does not exist
|
|
oneiric |
Does not exist
|
|
upstream |
Released
(3.2.0-4)
|
|
Patches: vendor: http://people.ubuntu.com/~kees/qemu/xen-qemu-CVE-2008-0928.patch vendor: https://bugzilla.redhat.com/attachment.cgi?id=296004 (improved) |
||
Binaries built from this source package are in Universe and so are supported by the community. | ||
xen-3.3 Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
edgy |
Does not exist
|
|
feisty |
Does not exist
|
|
gutsy |
Does not exist
|
|
hardy |
Does not exist
|
|
intrepid |
Not vulnerable
|
|
jaunty |
Not vulnerable
|
|
karmic |
Not vulnerable
|
|
lucid |
Not vulnerable
|
|
maverick |
Not vulnerable
|
|
natty |
Not vulnerable
|
|
oneiric |
Does not exist
|
|
upstream |
Not vulnerable
|