CVE-2016-9602

Published: 31 December 2016

Qemu before version 2.9 is vulnerable to an improper link following when built with the VirtFS. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host.

Priority

Medium

CVSS 3 base score: 8.8

Status

Package Release Status
qemu
Launchpad, Ubuntu, Debian
Upstream Needed

Ubuntu 21.04 (Hirsute Hippo)
Released (1:2.8+dfsg-3ubuntu2.1)
Ubuntu 20.04 LTS (Focal Fossa)
Released (1:2.8+dfsg-3ubuntu2.1)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (1:2.8+dfsg-3ubuntu2.1)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (1:2.5+dfsg-5ubuntu10.11)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (2.0.0+dfsg-2ubuntu1.33)
Patches:
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=56fc494bdcba35d74da27e1d34dbb6db6fa7bd67
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=00c90bd1c2ff6aabb9ca948a254ba044a403e399
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=21328e1e57f526e3f0c2fcd00f10c8aa6e7bc07f
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=6482a961636d66cc10928dde5d4d908206e5f65a
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=0e35a3782948c6154d7fafe9a02a86bc130199c7
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=996a0d76d7e756e4023ef79bc37bfe629b9eaca7
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=56ad3e54dad6cdcee8668d170df161d89581846f
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=5507904e362df252f6065cb27d1ff98372db6abc
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=3e36aba757f76673007a80b3cd56a4062c2e3462
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=72f0d0bf51362011c4d841a89fb8f5cfb16e0bf3
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=df4938a6651b1f980018f9eaf86af43e6b9d7fed
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=a0e640a87210b1e986bcd4e7f7de03beb3db0a4a
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=a33eda0dd99e00faa3bacae43d19490bb9500e07
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=31e51d1c15b35dc98b88a301812914b70a2b55dc
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=ac125d993b461d4dee4d6df4d93ac3f2eb959d1d
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=bec1e9546e03b9e7f5152cf3e8c95cf8acff5e12
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=f9aef99b3e6df88036436b0d3dc3d504b9346c8c
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=99f2cf4b2dad7b37c69759deb0d0b19d3ec1a24a
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=d2767edec582558f1e6c52e1dd9370d62e2b30fc
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=6dd4b1f1d026e478d9177b28169b377e212400f3
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=ad0b46e6ac769b187cb4dcf0065675ef8a198a5e
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=e3187a45dd02a7490f9191c16527dc28a4ba45b9
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=d369f20763a857eac544a5289a046d0285a91df8
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=38771613ea6759f499645afd709aa422161eb27e
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=d815e7219036d6911fce12efe3e59906264c8536
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=3f3a16990b09e62d787bd2eb2dd51aafbe90019a
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=a565fea56546e254b7610305b07711f0a3bda0c7
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=c23d5f1d5bc0e23aeb845b1af8f996f16783ce98
Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=b003fc0d8aa5e7060dbf7e5862b8013c73857c7f
qemu-kvm
Launchpad, Ubuntu, Debian
Upstream Needed

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist