Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2016-9602

Published: 31 December 2016

Qemu before version 2.9 is vulnerable to an improper link following when built with the VirtFS. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host.

Priority

Medium

CVSS 3 base score: 8.8

Status

Package Release Status
qemu
Launchpad, Ubuntu, Debian 		artful
Released (1:2.8+dfsg-3ubuntu2.1)
bionic
Released (1:2.8+dfsg-3ubuntu2.1)
cosmic
Released (1:2.8+dfsg-3ubuntu2.1)
disco
Released (1:2.8+dfsg-3ubuntu2.1)
eoan
Released (1:2.8+dfsg-3ubuntu2.1)
focal
Released (1:2.8+dfsg-3ubuntu2.1)
groovy
Released (1:2.8+dfsg-3ubuntu2.1)
hirsute
Released (1:2.8+dfsg-3ubuntu2.1)
precise Does not exist

trusty
Released (2.0.0+dfsg-2ubuntu1.33)
upstream Needed

xenial
Released (1:2.5+dfsg-5ubuntu10.11)
yakkety
Released (1:2.6.1+dfsg-0ubuntu5.4)
zesty
Released (1:2.8+dfsg-3ubuntu2.1)
Patches:
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=56fc494bdcba35d74da27e1d34dbb6db6fa7bd67
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=00c90bd1c2ff6aabb9ca948a254ba044a403e399
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=21328e1e57f526e3f0c2fcd00f10c8aa6e7bc07f
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=6482a961636d66cc10928dde5d4d908206e5f65a
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=0e35a3782948c6154d7fafe9a02a86bc130199c7
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=996a0d76d7e756e4023ef79bc37bfe629b9eaca7
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=56ad3e54dad6cdcee8668d170df161d89581846f
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=5507904e362df252f6065cb27d1ff98372db6abc
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=3e36aba757f76673007a80b3cd56a4062c2e3462
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=72f0d0bf51362011c4d841a89fb8f5cfb16e0bf3
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=df4938a6651b1f980018f9eaf86af43e6b9d7fed
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=a0e640a87210b1e986bcd4e7f7de03beb3db0a4a
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=a33eda0dd99e00faa3bacae43d19490bb9500e07
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=31e51d1c15b35dc98b88a301812914b70a2b55dc
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=ac125d993b461d4dee4d6df4d93ac3f2eb959d1d
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=bec1e9546e03b9e7f5152cf3e8c95cf8acff5e12
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=f9aef99b3e6df88036436b0d3dc3d504b9346c8c
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=99f2cf4b2dad7b37c69759deb0d0b19d3ec1a24a
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=d2767edec582558f1e6c52e1dd9370d62e2b30fc
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=6dd4b1f1d026e478d9177b28169b377e212400f3
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=ad0b46e6ac769b187cb4dcf0065675ef8a198a5e
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=e3187a45dd02a7490f9191c16527dc28a4ba45b9
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=d369f20763a857eac544a5289a046d0285a91df8
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=38771613ea6759f499645afd709aa422161eb27e
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=d815e7219036d6911fce12efe3e59906264c8536
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=3f3a16990b09e62d787bd2eb2dd51aafbe90019a
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=a565fea56546e254b7610305b07711f0a3bda0c7
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=c23d5f1d5bc0e23aeb845b1af8f996f16783ce98
upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=b003fc0d8aa5e7060dbf7e5862b8013c73857c7f
qemu-kvm
Launchpad, Ubuntu, Debian 		artful Does not exist

bionic Does not exist

cosmic Does not exist

disco Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

precise Ignored
(end of ESM support, was needed)
trusty Does not exist

upstream Needed

xenial Does not exist

yakkety Does not exist

zesty Does not exist

References

Bugs

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading