CVE-2017-2630

NameCVE-2017-2630
DescriptionA stack buffer overflow flaw was found in the Quick Emulator (QEMU) before 2.9 built with the Network Block Device (NBD) client support. The flaw could occur while processing server's response to a 'NBD_OPT_LIST' request. A malicious NBD server could use this issue to crash a remote NBD client resulting in DoS or potentially execute arbitrary code on client host with privileges of the QEMU process.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs855227

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
qemu (PTS)jessie, jessie (lts)1:2.1+dfsg-12+deb8u23fixed
stretch (security)1:2.8+dfsg-6+deb9u17fixed
stretch (lts), stretch1:2.8+dfsg-6+deb9u19fixed
buster (security), buster, buster (lts)1:3.1+dfsg-8+deb10u12fixed
bullseye1:5.2+dfsg-11+deb11u3fixed
bullseye (security)1:5.2+dfsg-11+deb11u2fixed
bookworm1:7.2+dfsg-7+deb12u7fixed
sid, trixie1:9.1.1+ds-5fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
qemusourcewheezy(not affected)
qemusourcejessie(not affected)
qemusource(unstable)1:2.8+dfsg-3855227
qemu-kvmsource(unstable)(not affected)

Notes

[jessie] - qemu <not-affected> (Vulnerable code introduced in v2.8.0-rc0)
[wheezy] - qemu <not-affected> (Vulnerable code introduced in v2.8.0-rc0)
- qemu-kvm <not-affected> (Vulnerable code introduced later)
Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg01246.html
https://bugzilla.redhat.com/show_bug.cgi?id=1422415

Search for package or bug name: Reporting problems