CVE-2016-9602

Qemu before version 2.9 is vulnerable to an improper link following when built with the VirtFS. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
qemu	21.04 hirsute	Fixed 1:2.8+dfsg-3ubuntu2.1
	20.10 groovy	Fixed 1:2.8+dfsg-3ubuntu2.1
	20.04 LTS focal	Fixed 1:2.8+dfsg-3ubuntu2.1
	19.10 eoan	Fixed 1:2.8+dfsg-3ubuntu2.1
	19.04 disco	Fixed 1:2.8+dfsg-3ubuntu2.1
	18.10 cosmic	Fixed 1:2.8+dfsg-3ubuntu2.1
	18.04 LTS bionic	Fixed 1:2.8+dfsg-3ubuntu2.1
	17.10 artful	Fixed 1:2.8+dfsg-3ubuntu2.1
	17.04 zesty	Fixed 1:2.8+dfsg-3ubuntu2.1
	16.10 yakkety	Fixed 1:2.6.1+dfsg-0ubuntu5.4
	16.04 LTS xenial	Fixed 1:2.5+dfsg-5ubuntu10.11
	14.04 LTS trusty	Fixed 2.0.0+dfsg-2ubuntu1.33
	12.04 LTS precise	Not in release
qemu-kvm	21.04 hirsute	Not in release
	20.10 groovy	Not in release
	20.04 LTS focal	Not in release
	19.10 eoan	Not in release
	19.04 disco	Not in release
	18.10 cosmic	Not in release
	18.04 LTS bionic	Not in release
	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.10 yakkety	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
	12.04 LTS precise	Ignored end of life

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
qemu	Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=56fc494bdcba35d74da27e1d34dbb6db6fa7bd67 Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=00c90bd1c2ff6aabb9ca948a254ba044a403e399 Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=21328e1e57f526e3f0c2fcd00f10c8aa6e7bc07f Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=6482a961636d66cc10928dde5d4d908206e5f65a Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=0e35a3782948c6154d7fafe9a02a86bc130199c7 Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=996a0d76d7e756e4023ef79bc37bfe629b9eaca7 Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=56ad3e54dad6cdcee8668d170df161d89581846f Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=5507904e362df252f6065cb27d1ff98372db6abc Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=3e36aba757f76673007a80b3cd56a4062c2e3462 Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=72f0d0bf51362011c4d841a89fb8f5cfb16e0bf3 Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=df4938a6651b1f980018f9eaf86af43e6b9d7fed Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=a0e640a87210b1e986bcd4e7f7de03beb3db0a4a Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=a33eda0dd99e00faa3bacae43d19490bb9500e07 Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=31e51d1c15b35dc98b88a301812914b70a2b55dc Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=ac125d993b461d4dee4d6df4d93ac3f2eb959d1d Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=bec1e9546e03b9e7f5152cf3e8c95cf8acff5e12 Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=f9aef99b3e6df88036436b0d3dc3d504b9346c8c Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=99f2cf4b2dad7b37c69759deb0d0b19d3ec1a24a Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=d2767edec582558f1e6c52e1dd9370d62e2b30fc Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=6dd4b1f1d026e478d9177b28169b377e212400f3 Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=ad0b46e6ac769b187cb4dcf0065675ef8a198a5e Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=e3187a45dd02a7490f9191c16527dc28a4ba45b9 Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=d369f20763a857eac544a5289a046d0285a91df8 Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=38771613ea6759f499645afd709aa422161eb27e Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=d815e7219036d6911fce12efe3e59906264c8536 Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=3f3a16990b09e62d787bd2eb2dd51aafbe90019a Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=a565fea56546e254b7610305b07711f0a3bda0c7 Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=c23d5f1d5bc0e23aeb845b1af8f996f16783ce98 Upstream: http://git.qemu-project.org/?p=qemu.git;a=commit;h=b003fc0d8aa5e7060dbf7e5862b8013c73857c7f

Package

Patch details

qemu

Severity score breakdown

Parameter	Value
Base score	8.8 · High
Attack vector	Network
Attack complexity	Low
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Cvss 3 Severity Score

Status

Patch details

Severity score breakdown

References

Related Ubuntu Security Notices (USN)

Other references