CVE-2008-2004
EPSS 0.09%
Description
The drive_init function in QEMU 0.9.1 determines the format of a raw disk image based on the header, which allows local guest users to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted.
How to fix CVE-2008-2004
To remediate CVE-2008-2004, upgrade the affected package to the fixed version listed below.
- Debian/qemu—upgrade to 0.9.1-5 or later
Is CVE-2008-2004 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Debian/qemu: from 0, < 0.9.1-5