SB2014111501 - Multiple vulnerabilities in QEMU

Description

This security bulletin contains information about 36 secuirty vulnerabilities.

1) Resource management error (CVE-ID: CVE-2015-8345)

The vulnerability allows a local authenticated user to a crash the entire system.

The eepro100 emulator in QEMU qemu-kvm blank allows local guest users to cause a denial of service (application crash and infinite loop) via vectors involving the command block list.

2) Out-of-bounds write (CVE-ID: CVE-2015-8619)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The Human Monitor Interface support in QEMU allows remote attackers to cause a denial of service (out-of-bounds write and application crash).

3) Input validation error (CVE-ID: CVE-2015-8504)

The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.

Qemu, when built with VNC display driver support, allows remote attackers to cause a denial of service (arithmetic exception and application crash) via crafted SetPixelFormat messages from a client.

4) Memory leak (CVE-ID: CVE-2015-8568)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within QEMU, when built with a VMWARE VMXNET3 paravirtual NIC emulator support, allows local guest users to cause a denial of service (host memory consumption) by trying to activate the vmxnet3 device repeatedly. A remote attacker can perform a denial of service attack.

5) Stack-based buffer overflow (CVE-ID: CVE-2015-8613)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing a crafted SCSI controller CTRL_GET_INFO command. A remote unauthenticated attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

6) Buffer overflow (CVE-ID: CVE-2015-8666)

The vulnerability allows a local privileged user to a crash the entire system.

Heap-based buffer overflow in QEMU, when built with the Q35-chipset-based PC system emulator.

7) Resource exhaustion (CVE-ID: CVE-2016-9907)

The vulnerability allows a local authenticated user to a crash the entire system.

Quick Emulator (Qemu) built with the USB redirector usb-guest support is vulnerable to a memory leakage flaw. It could occur while destroying the USB redirector in 'usbredir_handle_destroy'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.

8) Information disclosure (CVE-ID: CVE-2016-9908)

The vulnerability allows a local authenticated user to gain access to sensitive information.

Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET' command. A guest user/process could use this flaw to leak contents of the host memory bytes.

9) Resource exhaustion (CVE-ID: CVE-2016-9911)

The vulnerability allows a local authenticated user to a crash the entire system.

Quick Emulator (Qemu) built with the USB EHCI Emulation support is vulnerable to a memory leakage issue. It could occur while processing packet data in 'ehci_init_transfer'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.

10) Resource exhaustion (CVE-ID: CVE-2016-9912)

The vulnerability allows a local authenticated user to a crash the entire system.

Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while destroying gpu resource object in 'virtio_gpu_resource_destroy'. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host.

11) Division by zero (CVE-ID: CVE-2016-9921)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to divide by zero error when cirrus graphics mode was set to be VGA. A privileged user inside guest could use this flaw to crash the Qemu process instance on the host, resulting in DoS. A remote attacker can pass specially crafted file to the application and crash it.

12) Use-after-free (CVE-ID: CVE-2016-9923)

The vulnerability allows a local authenticated user to a crash the entire system.

Quick Emulator (Qemu) built with the 'chardev' backend support is vulnerable to a use after free issue. It could occur while hotplug and unplugging the device in the guest. A guest user/process could use this flaw to crash a Qemu process on the host resulting in DoS.

13) Memory leak (CVE-ID: CVE-2016-7466)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the usb_xhci_exit function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator), when the xhci uses msix, allows local guest OS administrators to cause a denial of service (memory consumption and possibly QEMU process crash) by repeatedly unplugging a USB device. A remote attacker can perform a denial of service attack.

14) NULL pointer dereference (CVE-ID: CVE-2016-7422)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via a large I/O descriptor buffer length value.

15) Resource management error (CVE-ID: CVE-2016-7421)

The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.

The pvscsi_ring_pop_req_descr function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit process IO loop to the ring size.

16) Out-of-bounds write (CVE-ID: CVE-2016-7170)

The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.

The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to cursor.mask[] and cursor.image[] array sizes when processing a DEFINE_CURSOR svga command.

17) Input validation error (CVE-ID: CVE-2016-7157)

The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.

The (1) mptsas_config_manufacturing_1 and (2) mptsas_config_ioc_0 functions in hw/scsi/mptconfig.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via vectors involving MPTSAS_CONFIG_PACK.

18) Resource management error (CVE-ID: CVE-2016-7156)

The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.

The pvscsi_convert_sglist function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging an incorrect cast.

19) Out-of-bounds read (CVE-ID: CVE-2016-7155)

The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.

hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds access or infinite loop, and QEMU process crash) via a crafted page count for descriptor rings.

20) Path traversal (CVE-ID: CVE-2016-7116)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in hw/9pfs/9p.c in QEMU (aka Quick Emulator). A remote authenticated attacker can send a specially crafted HTTP request and local guest OS administrators to access host files outside the export path via a . (dot dot) in an unspecified string.

21) NULL pointer dereference (CVE-ID: CVE-2016-6888)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via the maximum fragmentation count, which triggers an unchecked multiplication and NULL pointer dereference.

22) Information disclosure (CVE-ID: CVE-2016-6836)

The vulnerability allows a local privileged user to gain access to sensitive information.

The vmxnet3_complete_packet function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host memory information by leveraging failure to initialize the txcq_descr object.

23) Buffer overflow (CVE-ID: CVE-2016-6835)

The vulnerability allows a local privileged user to a crash the entire system.

The vmxnet_tx_pkt_parse_headers function in hw/net/vmxnet_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (buffer over-read) by leveraging failure to check IP header length.

24) Resource management error (CVE-ID: CVE-2016-6834)

The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.

The net_tx_pkt_do_sw_fragmentation function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the current fragment length.

25) Use-after-free (CVE-ID: CVE-2016-6833)

The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.

Use-after-free vulnerability in the vmxnet3_io_bar0_write function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU instance crash) by leveraging failure to check if the device is active.

26) Input validation error (CVE-ID: CVE-2016-6490)

The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.

The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the descriptor buffer.

27) Input validation error (CVE-ID: CVE-2016-4964)

The vulnerability allows a local privileged user to a crash the entire system.

The mptsas_fetch_requests function in hw/scsi/mptsas.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop, and CPU consumption or QEMU process crash) via vectors involving s->state.

28) Division by zero (CVE-ID: CVE-2016-8669)

The vulnerability allows a local privileged user to a crash the entire system.

The serial_update_parameters function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base.

29) Division by zero (CVE-ID: CVE-2016-8667)

The vulnerability allows a local privileged user to a crash the entire system.

The rc4030_write function in hw/dma/rc4030.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via a large interval timer reload value.

30) Out-of-bounds write (CVE-ID: CVE-2016-7423)

The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.

The mptsas_process_scsi_io_request function in QEMU (aka Quick Emulator), when built with LSI SAS1068 Host Bus emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors involving MPTSASRequest objects.

31) Input validation error (CVE-ID: CVE-2015-8558)

The vulnerability allows a local authenticated user to perform a denial of service (DoS) attack.

The ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular isochronous transfer descriptor (iTD) list.

32) Input validation error (CVE-ID: CVE-2016-1568)

The vulnerability allows guest OS users to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ) AIO command.

33) Stack-based buffer overflow (CVE-ID: CVE-2015-5158)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing an invalid opcode in a SCSI command descriptor block. A remote unauthenticated attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

34) Buffer overflow (CVE-ID: CVE-2015-7295)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

hw/virtio/virtio.c in the Virtual Network Device (virtio-net) support in QEMU, when big or mergeable receive buffers are not supported, allows remote attackers to cause a denial of service (guest network consumption) via a flood of jumbo frames on the (1) tuntap or (2) macvtap interface.

35) Improper access control (CVE-ID: CVE-2015-4106)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

QEMU does not properly restrict write access to the PCI config space for certain PCI pass-through devices, which might allow local x86 HVM guests to gain privileges, cause a denial of service (host crash), obtain sensitive information, or possibly have other unspecified impact via unknown vectors.

36) Buffer overflow (CVE-ID: CVE-2014-5388)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Off-by-one error in the pci_read function in the ACPI PCI hotplug interface (hw/acpi/pcihp.c) in QEMU allows local guest users to obtain sensitive information and have other unspecified impact related to a crafted PCI device that triggers memory corruption.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• http://www.debian.org/security/2016/dsa-3469
• http://www.debian.org/security/2016/dsa-3470
• http://www.debian.org/security/2016/dsa-3471
• http://www.openwall.com/lists/oss-security/2015/11/25/11
• http://www.securityfocus.com/bid/77985
• https://lists.gnu.org/archive/html/qemu-devel/2015-10/msg03911.html
• https://security.gentoo.org/glsa/201602-01
• http://www.openwall.com/lists/oss-security/2015/12/23/1
• http://www.securityfocus.com/bid/79668
• https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02930.html
• https://security.gentoo.org/glsa/201604-01
• http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=4c65fed8bdf96780735dbdb92a8
• http://www.openwall.com/lists/oss-security/2015/12/08/7
• http://www.securityfocus.com/bid/78708
• https://bugzilla.redhat.com/show_bug.cgi?id=1289541
• http://www.openwall.com/lists/oss-security/2015/12/15/10
• http://www.securityfocus.com/bid/79721
• https://bugzilla.redhat.com/show_bug.cgi?id=1289816
• https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02299.html
• http://www.openwall.com/lists/oss-security/2015/12/22/1
• http://www.securityfocus.com/bid/79719
• https://bugzilla.redhat.com/show_bug.cgi?id=1284008
• https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg03737.html
• http://git.qemu-project.org/?p=qemu.git;a=commit;h=d9a3b33d2c9f996537b7f1d0246dee2d0120cefb
• http://www.openwall.com/lists/oss-security/2015/12/24/1
• http://www.securityfocus.com/bid/79670
• https://bugzilla.redhat.com/show_bug.cgi?id=1283722
• https://lists.debian.org/debian-lts-announce/2018/09/msg00007.html
• http://www.openwall.com/lists/oss-security/2016/12/08/3
• http://www.securityfocus.com/bid/94759
• https://access.redhat.com/errata/RHSA-2017:2392
• https://access.redhat.com/errata/RHSA-2017:2408
• https://security.gentoo.org/glsa/201701-49
• http://www.openwall.com/lists/oss-security/2016/12/08/4
• http://www.securityfocus.com/bid/94761
• http://www.openwall.com/lists/oss-security/2016/12/08/5
• http://www.securityfocus.com/bid/94762
• http://www.openwall.com/lists/oss-security/2016/12/08/6
• http://www.securityfocus.com/bid/94760
• http://www.openwall.com/lists/oss-security/2016/12/09/1
• http://www.securityfocus.com/bid/94803
• http://www.openwall.com/lists/oss-security/2016/12/09/2
• http://www.securityfocus.com/bid/94827
• http://git.qemu.org/?p=qemu.git;a=commit;h=b53dd4495ced2432a0b652ea895e651d07336f7e
• http://lists.opensuse.org/opensuse-updates/2016-12/msg00140.html
• http://www.openwall.com/lists/oss-security/2016/09/19/8
• http://www.openwall.com/lists/oss-security/2016/09/20/3
• http://www.securityfocus.com/bid/93029
• https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg02773.html
• https://security.gentoo.org/glsa/201611-11
• http://git.qemu.org/?p=qemu.git;a=commit;h=973e7170dddefb491a48df5cba33b2ae151013a0
• http://www.openwall.com/lists/oss-security/2016/09/16/10
• http://www.openwall.com/lists/oss-security/2016/09/16/4
• http://www.securityfocus.com/bid/92996
• https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg03546.html
• https://security.gentoo.org/glsa/201609-01
• http://git.qemu.org/?p=qemu.git;a=commit;h=d251157ac1928191af851d199a9ff255d330bec9
• http://www.openwall.com/lists/oss-security/2016/09/16/3
• http://www.openwall.com/lists/oss-security/2016/09/16/9
• http://www.securityfocus.com/bid/92998
• https://lists.debian.org/debian-lts-announce/2018/11/msg00038.html
• https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg03609.html
• http://git.qemu.org/?p=qemu.git;a=commit;h=167d97a3def77ee2dbf6e908b0ecbfe2103977db
• http://www.openwall.com/lists/oss-security/2016/09/09/4
• http://www.openwall.com/lists/oss-security/2016/09/09/7
• http://www.securityfocus.com/bid/92904
• https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg01764.html
• http://git.qemu.org/?p=qemu.git;a=commit;h=65a8e1f6413a0f6f79894da710b5d6d43361d27d
• http://www.openwall.com/lists/oss-security/2016/09/06/4
• http://www.openwall.com/lists/oss-security/2016/09/07/3
• http://www.securityfocus.com/bid/92775
• https://lists.gnu.org/archive/html/qemu-devel/2016-08/msg04295.html
• https://lists.gnu.org/archive/html/qemu-devel/2016-08/msg04296.html
• http://git.qemu.org/?p=qemu.git;a=commit;h=49adc5d3f8c6bb75e55ebfeab109c5c37dea65e8
• http://www.openwall.com/lists/oss-security/2016/09/06/3
• http://www.openwall.com/lists/oss-security/2016/09/07/2
• http://www.securityfocus.com/bid/92774
• https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg00772.html
• https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg01246.html
• http://git.qemu.org/?p=qemu.git;a=commit;h=7f61f4690dd153be98900a2a508b88989e692753
• http://www.openwall.com/lists/oss-security/2016/09/06/2
• http://www.openwall.com/lists/oss-security/2016/09/07/1
• http://www.securityfocus.com/bid/92772
• https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg00050.html
• http://git.qemu.org/?p=qemu.git;a=commit;h=56f101ecce0eafd09e2daf1c4eeb1377d6959261
• http://www.openwall.com/lists/oss-security/2016/08/30/1
• http://www.openwall.com/lists/oss-security/2016/08/30/3
• http://www.securityfocus.com/bid/92680
• https://lists.gnu.org/archive/html/qemu-devel/2016-08/msg03917.html
• https://lists.gnu.org/archive/html/qemu-devel/2016-08/msg04231.html
• http://git.qemu.org/?p=qemu.git;a=commit;h=47882fa4975bf0b58dd74474329fdd7154e8f04c
• http://www.openwall.com/lists/oss-security/2016/08/19/10
• http://www.openwall.com/lists/oss-security/2016/08/19/6
• http://www.securityfocus.com/bid/92556
• https://lists.gnu.org/archive/html/qemu-devel/2016-08/msg03176.html
• http://git.qemu.org/?p=qemu.git;a=commit;h=fdda170e50b8af062cf5741e12c4fb5e57a2eacf
• http://www.openwall.com/lists/oss-security/2016/08/11/5
• http://www.openwall.com/lists/oss-security/2016/08/18/5
• http://www.securityfocus.com/bid/92444
• https://lists.gnu.org/archive/html/qemu-devel/2016-08/msg02108.html
• http://git.qemu.org/?p=qemu.git;a=commit;h=93060258ae748573ca7197204125a2670047896d
• http://www.openwall.com/lists/oss-security/2016/08/11/7
• http://www.openwall.com/lists/oss-security/2016/08/18/4
• https://lists.gnu.org/archive/html/qemu-stable/2016-08/msg00077.html
• http://git.qemu.org/?p=qemu.git;a=commit;h=ead315e43ea0c2ca3491209c6c8db8ce3f2bbe05
• http://www.openwall.com/lists/oss-security/2016/08/11/8
• http://www.openwall.com/lists/oss-security/2016/08/18/7
• http://www.securityfocus.com/bid/92446
• https://lists.gnu.org/archive/html/qemu-devel/2016-08/msg01601.html
• http://git.qemu.org/?p=qemu.git;a=commit;h=6c352ca9b4ee3e1e286ea9e8434bd8e69ac7d0d8
• http://www.openwall.com/lists/oss-security/2016/08/12/1
• http://www.openwall.com/lists/oss-security/2016/08/18/3
• http://www.securityfocus.com/bid/93255
• https://lists.gnu.org/archive/html/qemu-devel/2016-08/msg01602.html
• http://git.qemu.org/?p=qemu.git;a=commit;h=1e7aed70144b4673fc26e73062064b6724795e5f
• http://www.openwall.com/lists/oss-security/2016/07/28/4
• http://www.openwall.com/lists/oss-security/2016/07/28/9
• https://lists.gnu.org/archive/html/qemu-devel/2016-07/msg06246.html
• http://git.qemu.org/?p=qemu.git;a=commit;h=06630554ccbdd25780aa03c3548aaff1eb56dffd
• http://www.openwall.com/lists/oss-security/2016/05/24/4
• http://www.openwall.com/lists/oss-security/2016/05/24/7
• https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg04027.html
• http://git.qemu.org/?p=qemu.git;a=commit;h=3592fe0c919cf27a81d8e9f9b4f269553418bb01
• http://www.openwall.com/lists/oss-security/2016/10/14/9
• http://www.openwall.com/lists/oss-security/2016/10/15/5
• http://www.securityfocus.com/bid/93563
• http://www.openwall.com/lists/oss-security/2016/10/14/6
• http://www.openwall.com/lists/oss-security/2016/10/15/4
• http://www.securityfocus.com/bid/93567
• https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02577.html
• http://git.qemu.org/?p=qemu.git;a=commit;h=670e56d3ed2918b3861d9216f2c0540d9e9ae0d5
• http://www.openwall.com/lists/oss-security/2016/09/16/11
• http://www.openwall.com/lists/oss-security/2016/09/16/5
• http://www.securityfocus.com/bid/92997
• https://bugzilla.redhat.com/show_bug.cgi?id=1376776
• https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg03604.html
• http://git.qemu.org/?p=qemu.git;a=commit;h=156a2e4dbffa85997636a7a39ef12da6f1b40254
• http://www.openwall.com/lists/oss-security/2015/12/14/16
• http://www.openwall.com/lists/oss-security/2015/12/14/9
• http://www.securityfocus.com/bid/80694
• https://bugzilla.redhat.com/show_bug.cgi?id=1277983
• https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg02124.html
• http://git.qemu.org/?p=qemu.git;a=commit;h=4ab0359a8ae182a7ac5c99609667273167703fab
• http://rhn.redhat.com/errata/RHSA-2016-0084.html
• http://rhn.redhat.com/errata/RHSA-2016-0086.html
• http://rhn.redhat.com/errata/RHSA-2016-0087.html
• http://rhn.redhat.com/errata/RHSA-2016-0088.html
• http://www.openwall.com/lists/oss-security/2016/01/09/1
• http://www.openwall.com/lists/oss-security/2016/01/09/2
• http://www.securityfocus.com/bid/80191
• http://www.securitytracker.com/id/1034859
• http://www.securityfocus.com/bid/76016
• http://www.securitytracker.com/id/1033095
• https://lists.nongnu.org/archive/html/qemu-devel/2015-07/msg04558.html
• https://security.gentoo.org/glsa/201510-02
• http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169624.html
• http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169767.html
• http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169802.html
• http://www.openwall.com/lists/oss-security/2015/09/18/5
• http://www.openwall.com/lists/oss-security/2015/09/18/9
• http://www.securityfocus.com/bid/82672
• http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160154.html
• http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160171.html
• http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160685.html
• http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00004.html
• http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00007.html
• http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00029.html
• http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00030.html
• http://support.citrix.com/article/CTX201145
• http://www.debian.org/security/2015/dsa-3284
• http://www.debian.org/security/2015/dsa-3286
• http://www.securityfocus.com/bid/74949
• http://www.securitytracker.com/id/1032467
• http://www.ubuntu.com/usn/USN-2630-1
• http://xenbits.xen.org/xsa/advisory-131.html
• https://security.gentoo.org/glsa/201604-03
• https://support.citrix.com/article/CTX206006
• http://git.qemu.org/?p=qemu.git;a=commit;h=fa365d7cd11185237471823a5a33d36765454e16
• http://seclists.org/oss-sec/2014/q3/438
• http://seclists.org/oss-sec/2014/q3/440
• http://www.ubuntu.com/usn/USN-2409-1
• https://bugzilla.redhat.com/show_bug.cgi?id=1132956
• https://lists.gnu.org/archive/html/qemu-devel/2014-08/msg03338.html