CVE-2020-7211
https://notcve.org/view.php?id=CVE-2020-7211
tftp.c in libslirp 4.1.0, as used in QEMU 4.2.0, does not prevent ..\ directory traversal on Windows. El archivo tftp.c en libslirp versión 4.1.0, como es usado en QEMU versión 4.2.0, no impide el salto de directorio ..\ en Windows. • http://www.openwall.com/lists/oss-security/2020/01/17/2 https://gitlab.freedesktop.org/slirp/libslirp/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 https://security-tracker.debian.org/tracker/CVE-2020-7211 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2020-7039 – QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu()
https://notcve.org/view.php?id=CVE-2020-7039
tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access which can lead to a DoS or potential execute arbitrary code. El archivo tcp_emu en tcp_subr.c en libslirp versión 4.1.0, como es usado en QEMU versión 4.2.0, administra inapropiadamente la memoria, como es demostrado por los comandos IRC DCC en EMU_IRC. Esto puede causar un desbordamiento del búfer en la región heap de la memoria u otro acceso fuera de límites que puede conllevar a una DoS o un código arbitrario de ejecución potencial. A heap buffer overflow issue was found in the SLiRP networking implementation of the QEMU emulator. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00007.html http://www.openwall.com/lists/oss-security/2020/01/16/2 https://access.redhat.com/errata/RHSA-2020:0348 https://access.redhat.com/errata/RHSA-2020:0775 https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289 https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80 https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9 https://lists.debian.org • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVE-2019-20175
https://notcve.org/view.php?id=CVE-2019-20175
An issue was discovered in ide_dma_cb() in hw/ide/core.c in QEMU 2.4.0 through 4.2.0. The guest system can crash the QEMU process in the host system via a special SCSI_IOCTL_SEND_COMMAND. It hits an assertion that implies that the size of successful DMA transfers there must be a multiple of 512 (the size of a sector). NOTE: a member of the QEMU security team disputes the significance of this issue because a "privileged guest user has many ways to cause similar DoS effect, without triggering this assert. ** EN DISPUTA ** Se descubrió un problema en la función ide_dma_cb() en el archivo hw/ide/core.c en QEMU versiones 2.4.0 hasta la versión 4.2.0. El sistema invitado puede bloquear el proceso de QEMU en el sistema host por medio de un SCSI_IOCTL_SEND_COMMAND especial. • https://lists.nongnu.org/archive/html/qemu-devel/2019-07/msg01651.html https://lists.nongnu.org/archive/html/qemu-devel/2019-07/msg03869.html https://lists.nongnu.org/archive/html/qemu-devel/2019-11/msg00597.html https://lists.nongnu.org/archive/html/qemu-devel/2019-11/msg02165.html https://www.mail-archive.com/qemu-devel%40nongnu.org/msg667396.html • CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVE-2013-2016
https://notcve.org/view.php?id=CVE-2013-2016
A flaw was found in the way qemu v1.3.0 and later (virtio-rng) validates addresses when guest accesses the config space of a virtio device. If the virtio device has zero/small sized config space, such as virtio-rng, a privileged guest user could use this flaw to access the matching host's qemu address space and thus increase their privileges on the host. Se encontró un fallo en la manera en que qemu versión v1.3.0 y posteriores (virtio-rng) comprueba las direcciones cuando el invitado accede al espacio de configuración de un dispositivo virtio. Si el dispositivo virtio posee un espacio de configuración de tamaño cero o pequeño, ta y como virtio-rng, un usuario invitado privilegiado podría usar este fallo para acceder al espacio de direcciones qemu del host correspondiente y así aumentar sus privilegios en el host. • http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00002.html http://www.openwall.com/lists/oss-security/2013/04/29/5 http://www.openwall.com/lists/oss-security/2013/04/29/6 http://www.securityfocus.com/bid/59541 https://access.redhat.com/security/cve/cve-2013-2016 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2016 https://exchange.xforce.ibmcloud.com/vulnerabilities/83850 https://github.com/qemu/qemu/commit/5f5a1318653c08e435cfa52f60b6a712815b659d https://securi • CWE-269: Improper Privilege Management •
CVE-2019-12068
https://notcve.org/view.php?id=CVE-2019-12068
In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well. En QEMU versiones 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, y 1:2.1+dfsg-12+deb8u12 (corregida), cuando se ejecuta el script en la función lsi_execute_script(), el emulador del adaptador scsi de LSI avanza el índice "s-)dsp" para leer el próximo opcode. Esto puede conllevar a un bucle infinito si el siguiente opcode está vacío. • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00034.html http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00038.html https://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=de594e47659029316bbf9391efb79da0a1a08e08 https://lists.debian.org/debian-lts-announce/2019/09/msg00021.html https://lists.debian.org/debian-lts-announce/2020/07/msg00020.html https://lists.gnu.org/archive/html/qemu-devel/2019-08/msg01518.html https://security-tracker.debian.org/tracker/CVE-2019-12068 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •