CVE-2020-29130 – QEMU: slirp: out-of-bounds access while processing ARP/NCSI packets
https://notcve.org/view.php?id=CVE-2020-29130
slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length. El archivo slirp.c en libslirp versiones hasta 4.3.1, presenta una sobrescritura del búfer porque intenta leer una determinada cantidad de datos del encabezado inclusive si excede la longitud total del paquete An out-of-bounds access issue was found in the SLiRP user networking implementation of QEMU. It could occur while processing ARP/NCSI packets, if the packet length was shorter than required to accommodate respective protocol headers and payload. A privileged guest user may use this flaw to potentially leak host information bytes. • http://www.openwall.com/lists/oss-security/2020/11/27/1 https://lists.debian.org/debian-lts-announce/2021/02/msg00024.html https://lists.debian.org/debian-lts-announce/2023/03/msg00013.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/45S5IHSWYITJKMRT23HCHJQDI674AMTQ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OPCOHDEONMHH6QPJZKRLLCNRGRYODG7X https://lists.freedesktop.org/archives/slirp/2020-November/000115.html https:/ • CWE-125: Out-of-bounds Read •
CVE-2020-10756 – QEMU SLiRP Networking Out-Of-Bounds Read Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2020-10756
An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known as ping. This flaw allows a malicious guest to leak the contents of the host memory, resulting in possible information disclosure. This flaw affects versions of libslirp before 4.3.1. Se encontró una vulnerabilidad de lectura fuera de límites en la implementación de red SLiRP del emulador QEMU. • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00035.html http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00040.html https://bugzilla.redhat.com/show_bug.cgi?id=1835986 https://lists.debian.org/debian-lts-announce/2020/07/msg00020.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JYTZ32P67PZER6P7TW6FQK3SZRKQLVEI https://security.netapp.com/advisory/ntap-20201001-0001 https://usn.ubuntu.com/4437-1 https://usn.ubuntu.com/ • CWE-125: Out-of-bounds Read •
CVE-2020-1983 – libslirp: use after free vulnerability cause a denial of service.
https://notcve.org/view.php?id=CVE-2020-1983
A use after free vulnerability in ip_reass() in ip_input.c of libslirp 4.2.0 and prior releases allows crafted packets to cause a denial of service. Una vulnerabilidad de uso de la memoria previamente liberada en la función ip_reass() en el archivo ip_input.c de libslirp versiones 4.2.0 y anteriores permite que paquetes especialmente diseñados causen una denegación de servicio. A use-after-free flaw was found in the SLiRP networking implementation of the QEMU emulator. Specifically, this flaw occurs in the ip_reass() routine while reassembling incoming IP fragments whose combined size is bigger than 65k. This flaw allows an attacker to crash the QEMU process on the host, resulting in a denial of service. • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00022.html http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00001.html https://gitlab.freedesktop.org/slirp/libslirp/-/commit/9ac0371bb8c0a40f5d9f82a1c25129660e81df04 https://gitlab.freedesktop.org/slirp/libslirp/-/issues/20 https://lists.debian.org/debian-lts-announce/2020/06/msg00032.html https://lists.debian.org/debian-lts-announce/2020/07/msg00020.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fe • CWE-416: Use After Free •
CVE-2019-15890 – QEMU: Slirp: use-after-free during packet reassembly
https://notcve.org/view.php?id=CVE-2019-15890
libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c. libslirp versión 4.0.0, como es usado en QEMU versión 4.1.0, presenta un uso de la memoria previamente liberada en la función ip_reass en el archivo ip_input.c. A use-after-free issue was found in the SLiRP networking implementation of the QEMU emulator. The issue occurs in ip_reass() routine while reassembling incoming packets, if the first fragment is bigger than the m->m_dat[] buffer. A user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service. • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00034.html http://www.openwall.com/lists/oss-security/2019/09/06/3 https://access.redhat.com/errata/RHSA-2020:0775 https://gitlab.freedesktop.org/slirp/libslirp/commit/c5927943 https://lists.debian.org/debian-lts-announce/2019/09/msg00021.html https://seclists.org/bugtraq/2020/Feb/0 https://usn.ubuntu.com/4191-1 https://usn.ubuntu.com/4191-2 https://www.debian.org/security/2020/dsa-4616 https://ac • CWE-416: Use After Free •
CVE-2019-14378 – QEMU - Denial of Service
https://notcve.org/view.php?id=CVE-2019-14378
ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment. La función ip_reass en el archivo ip_input.c en libslirp versión 4.0.0, presenta un desbordamiento de búfer en la región heap de la memoria por medio de un paquete largo debido a que maneja inapropiadamente un caso que involucra el primer fragmento. A heap buffer overflow issue was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the ip_reass() routine while reassembling incoming packets if the first fragment is bigger than the m->m_dat[] buffer. An attacker could use this flaw to crash the QEMU process on the host, resulting in a Denial of Service or potentially executing arbitrary code with privileges of the QEMU process. • https://www.exploit-db.com/exploits/47320 http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00008.html http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00034.html http://packetstormsecurity.com/files/154269/QEMU-Denial-Of-Service.html http://www.openwall.com/lists/oss-security/2019/08/01/2 https://access.redhat.com/errata/RHSA-2019:3179 https://access.redhat.com/errata/RHSA-2019:3403 • CWE-122: Heap-based Buffer Overflow CWE-755: Improper Handling of Exceptional Conditions CWE-787: Out-of-bounds Write •