Several vulnerabilities were discovered in qemu, a fast processor
emulator.
- CVE-2016-3710
Wei Xiao and Qinghao Tang of 360.cn Inc discovered an out-of-bounds
read and write flaw in the QEMU VGA module. A privileged guest user
could use this flaw to execute arbitrary code on the host with the
privileges of the hosting QEMU process.
- CVE-2016-3712
Zuozhi Fzz of Alibaba Inc discovered potential integer overflow
or out-of-bounds read access issues in the QEMU VGA module. A
privileged guest user could use this flaw to mount a denial of
service (QEMU process crash).
For the stable distribution (jessie), these problems have been fixed in
version 1:2.1+dfsg-12+deb8u6.
We recommend that you upgrade your qemu packages.