CVE-2020-7039 – QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu()
https://notcve.org/view.php?id=CVE-2020-7039
tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access which can lead to a DoS or potential execute arbitrary code. El archivo tcp_emu en tcp_subr.c en libslirp versión 4.1.0, como es usado en QEMU versión 4.2.0, administra inapropiadamente la memoria, como es demostrado por los comandos IRC DCC en EMU_IRC. Esto puede causar un desbordamiento del búfer en la región heap de la memoria u otro acceso fuera de límites que puede conllevar a una DoS o un código arbitrario de ejecución potencial. A heap buffer overflow issue was found in the SLiRP networking implementation of the QEMU emulator. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00007.html http://www.openwall.com/lists/oss-security/2020/01/16/2 https://access.redhat.com/errata/RHSA-2020:0348 https://access.redhat.com/errata/RHSA-2020:0775 https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289 https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80 https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9 https://lists.debian.org • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVE-2019-20175
https://notcve.org/view.php?id=CVE-2019-20175
An issue was discovered in ide_dma_cb() in hw/ide/core.c in QEMU 2.4.0 through 4.2.0. The guest system can crash the QEMU process in the host system via a special SCSI_IOCTL_SEND_COMMAND. It hits an assertion that implies that the size of successful DMA transfers there must be a multiple of 512 (the size of a sector). NOTE: a member of the QEMU security team disputes the significance of this issue because a "privileged guest user has many ways to cause similar DoS effect, without triggering this assert. ** EN DISPUTA ** Se descubrió un problema en la función ide_dma_cb() en el archivo hw/ide/core.c en QEMU versiones 2.4.0 hasta la versión 4.2.0. El sistema invitado puede bloquear el proceso de QEMU en el sistema host por medio de un SCSI_IOCTL_SEND_COMMAND especial. • https://lists.nongnu.org/archive/html/qemu-devel/2019-07/msg01651.html https://lists.nongnu.org/archive/html/qemu-devel/2019-07/msg03869.html https://lists.nongnu.org/archive/html/qemu-devel/2019-11/msg00597.html https://lists.nongnu.org/archive/html/qemu-devel/2019-11/msg02165.html https://www.mail-archive.com/qemu-devel%40nongnu.org/msg667396.html • CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVE-2019-15890 – QEMU: Slirp: use-after-free during packet reassembly
https://notcve.org/view.php?id=CVE-2019-15890
libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c. libslirp versión 4.0.0, como es usado en QEMU versión 4.1.0, presenta un uso de la memoria previamente liberada en la función ip_reass en el archivo ip_input.c. A use-after-free issue was found in the SLiRP networking implementation of the QEMU emulator. The issue occurs in ip_reass() routine while reassembling incoming packets, if the first fragment is bigger than the m->m_dat[] buffer. A user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service. • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00034.html http://www.openwall.com/lists/oss-security/2019/09/06/3 https://access.redhat.com/errata/RHSA-2020:0775 https://gitlab.freedesktop.org/slirp/libslirp/commit/c5927943 https://lists.debian.org/debian-lts-announce/2019/09/msg00021.html https://seclists.org/bugtraq/2020/Feb/0 https://usn.ubuntu.com/4191-1 https://usn.ubuntu.com/4191-2 https://www.debian.org/security/2020/dsa-4616 https://ac • CWE-416: Use After Free •