CVE-2017-15118 – QEMU - NBD Server Long Export Name Stack Buffer Overflow
https://notcve.org/view.php?id=CVE-2017-15118
A stack-based buffer overflow was found in the NBD server implementation in QEMU before 2.11. The server accepts an export name of up to 4096 bytes, which should be limited to 256 bytes, so a client can cause an out-of-bounds stack write in the qemu process. If the NBD server requires TLS, the attacker cannot trigger the overflow without first successfully negotiating TLS. • https://www.exploit-db.com/exploits/43194 http://www.openwall.com/lists/oss-security/2017/11/28/8 http://www.securityfocus.com/bid/101975 https://access.redhat.com/errata/RHSA-2018:1104 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15118 https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg05045.html https://usn.ubuntu.com/3575-1 https://access.redhat.com/security/cve/CVE-2017-15118 https://bugzilla.redhat.com/show_bug.cgi?id=1516922 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
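The bug class above is a length field that is checked against the wrong bound. The following added example (written for this page, not QEMU's nbd/server.c) shows the pattern on a constructed export-name option: a 32-bit big-endian name length followed by the name bytes. The vulnerable handler bounds the name length only by the option payload, so a 256-byte stack buffer can receive up to 4092 bytes; the hardened handler also bounds it by the destination. The constants NBD_MAX_NAME_SIZE and NBD_MAX_OPT_LENGTH and the helper names are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative limits (assumptions for this example): 256 is the export-name
 * limit the advisory says should apply, 4096 the option size the server took. */
#define NBD_MAX_NAME_SIZE   256
#define NBD_MAX_OPT_LENGTH  4096

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: namelen is checked only against the remaining payload,
 * never against the fixed stack buffer, so namelen in 257..4092 writes past
 * 'name'. Feeding it such a payload is undefined behaviour; it is shown here
 * for the missing check and is only ever called with a short name below. */
int vuln_handle_export_name(const uint8_t *opt, uint32_t length)
{
    char name[NBD_MAX_NAME_SIZE + 1];
    uint32_t namelen;

    if (length < 4) {
        return -1;
    }
    namelen = be32(opt);
    length -= 4;
    if (namelen > length) {          /* the only bound: name fits in payload */
        return -1;
    }
    memcpy(name, opt + 4, namelen);  /* overflows 'name' when namelen > 256 */
    name[namelen] = '\0';
    return (int)namelen;
}

/* Hardened form: bound the name against the destination before any copy and
 * cap the whole option. Returns the name length, -1 for a malformed payload,
 * -2 for an over-long name. */
int safe_handle_export_name(const uint8_t *opt, uint32_t length,
                            char *out, size_t outsz)
{
    uint32_t namelen;

    if (length < 4 || length > NBD_MAX_OPT_LENGTH) {
        return -1;
    }
    namelen = be32(opt);
    length -= 4;
    if (namelen > length) {
        return -1;
    }
    if (namelen > NBD_MAX_NAME_SIZE || namelen >= outsz) {
        return -2;                   /* refuse before touching the buffer */
    }
    memcpy(out, opt + 4, namelen);
    out[namelen] = '\0';
    return (int)namelen;
}

/* Constructed test payload: [namelen BE32][namelen bytes of 'A'].
 * Returns the total option length, or 0 if it does not fit in buf. */
size_t build_export_opt(uint8_t *buf, size_t bufsz, uint32_t namelen)
{
    if ((size_t)namelen + 4 > bufsz) {
        return 0;
    }
    buf[0] = (uint8_t)(namelen >> 24);
    buf[1] = (uint8_t)(namelen >> 16);
    buf[2] = (uint8_t)(namelen >> 8);
    buf[3] = (uint8_t)namelen;
    memset(buf + 4, 'A', namelen);
    return (size_t)namelen + 4;
}

/* Build a payload with the given name length and run the hardened handler.
 * Returns the handler's result, or -3 if the payload would not fit. */
int safe_case(uint32_t namelen)
{
    uint8_t opt[NBD_MAX_OPT_LENGTH];
    char name[NBD_MAX_NAME_SIZE + 1];
    size_t len = build_export_opt(opt, sizeof opt, namelen);

    if (len == 0) {
        return -3;
    }
    return safe_handle_export_name(opt, (uint32_t)len, name, sizeof name);
}

int main(void)
{
    uint8_t opt[NBD_MAX_OPT_LENGTH];
    size_t len = build_export_opt(opt, sizeof opt, 5);

    printf("4092-byte name: hardened handler returns %d\n", safe_case(4092));
    printf("5-byte name: vulnerable handler returns %d\n",
           vuln_handle_export_name(opt, (uint32_t)len));
    return 0;
}
```

The 4096-byte case is exactly the shape the advisory describes: the option is within the server's accepted size, the name length is consistent with the option length, and only the check against the destination buffer stops the write.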
CVE-2017-16845
https://notcve.org/view.php?id=CVE-2017-16845
hw/input/ps2.c in QEMU does not validate the 'rptr' and 'count' values of the PS/2 queue state received during guest migration, leading to out-of-bounds access. • http://www.securityfocus.com/bid/101923 https://lists.debian.org/debian-lts-announce/2018/09/msg00007.html https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg02982.html https://usn.ubuntu.com/3575-1 https://usn.ubuntu.com/3649-1 https://www.debian.org/security/2018/dsa-4213 • CWE-20: Improper Input Validation •
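Device state that arrives in a migration stream is attacker-controlled input, so every index in it needs the same checks as a guest register write. The added example below (illustrative, not QEMU's PS2Queue or its post-load hook) models the ring-buffer state named in the CVE, a post-load validator that rejects inconsistent rptr/wptr/count values, a sanitizing variant that resets the queue instead, and a consumer that would index out of bounds if fed an unchecked rptr. The struct layout, PS2_QUEUE_SIZE and the function names are assumptions for this example.

```c
#include <stdint.h>
#include <string.h>

#define PS2_QUEUE_SIZE 256   /* ring size; assumption for this example */

/* Queue state as it would be deserialized from a migration stream. */
typedef struct {
    uint8_t data[PS2_QUEUE_SIZE];
    int32_t rptr;    /* read index into data */
    int32_t wptr;    /* write index into data */
    int32_t count;   /* number of queued bytes */
} ps2_queue;

/* Post-load check: every field came from the stream and is untrusted.
 * Returns 0 if the state is consistent, -1 otherwise. */
int ps2_queue_validate(const ps2_queue *q)
{
    if (q->rptr < 0 || q->rptr >= PS2_QUEUE_SIZE) {
        return -1;
    }
    if (q->wptr < 0 || q->wptr >= PS2_QUEUE_SIZE) {
        return -1;
    }
    if (q->count < 0 || q->count > PS2_QUEUE_SIZE) {
        return -1;
    }
    /* wptr must be rptr advanced by count modulo the ring size */
    if (q->wptr != (q->rptr + q->count) % PS2_QUEUE_SIZE) {
        return -1;
    }
    return 0;
}

/* Sanitizing alternative: keep the migration going but drop pending input
 * when the incoming indices cannot be trusted. Returns 1 if it reset the
 * queue, 0 if the state was accepted as-is. */
int ps2_queue_post_load(ps2_queue *q)
{
    if (ps2_queue_validate(q) == 0) {
        return 0;
    }
    q->rptr = 0;
    q->wptr = 0;
    q->count = 0;
    return 1;
}

/* Consumer that trusts rptr. With an unvalidated rptr (e.g. 300) the read
 * of data[rptr] is out of bounds; call only after validation. Returns the
 * byte, or -1 when the queue is empty. */
int ps2_queue_pop(ps2_queue *q)
{
    int v;

    if (q->count <= 0) {
        return -1;
    }
    v = q->data[q->rptr];
    q->rptr = (q->rptr + 1) % PS2_QUEUE_SIZE;
    q->count--;
    return v;
}

/* Constructed migrated state for tests: empty data except one byte at rptr. */
void ps2_queue_make(ps2_queue *q, int32_t rptr, int32_t count, int32_t wptr,
                    uint8_t first_byte)
{
    memset(q, 0, sizeof *q);
    q->rptr = rptr;
    q->wptr = wptr;
    q->count = count;
    if (rptr >= 0 && rptr < PS2_QUEUE_SIZE) {
        q->data[rptr] = first_byte;
    }
}
```

The wrap-around check (wptr == (rptr + count) mod size) catches states that pass the individual range checks but would still desynchronise the producer and consumer after migration.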
CVE-2017-15289 – Qemu: cirrus: OOB access issue in mode4and5 write functions
https://notcve.org/view.php?id=CVE-2017-15289
The mode4and5 write functions in hw/display/cirrus_vga.c in QEMU allow local privileged guest OS users to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to the dst calculation. QEMU compiled with Cirrus CLGD 54xx VGA emulator support is vulnerable to this OOB write while writing to VGA memory through the mode4and5 write functions; a privileged user inside the guest could use the flaw to crash the QEMU process, resulting in a denial of service (DoS). • http://www.openwall.com/lists/oss-security/2017/10/12/16 http://www.securityfocus.com/bid/101262 https://access.redhat.com/errata/RHSA-2017:3368 https://access.redhat.com/errata/RHSA-2017:3369 https://access.redhat.com/errata/RHSA-2017:3466 https://access.redhat.com/errata/RHSA-2017:3470 https://access.redhat.com/errata/RHSA-2017:3471 https://access.redhat.com/errata/RHSA-2017:3472 https://access.redhat.com/errata/RHSA-2017:3473 https://access.redhat.com/errata • CWE-787: Out-of-bounds Write •
CVE-2017-15268 – QEMU: I/O: potential memory exhaustion via websock connection to VNC
https://notcve.org/view.php?id=CVE-2017-15268
QEMU through 2.10.0 allows remote attackers to cause memory exhaustion (reported as a memory leak) by triggering slow data-channel read operations, related to io/channel-websock.c. The issue lies in the websockets implementation of QEMU's I/O channels and can occur while sending screen updates to a VNC client that is slow to read and process them. • http://www.securityfocus.com/bid/101277 https://access.redhat.com/errata/RHSA-2018:0816 https://access.redhat.com/errata/RHSA-2018:1104 https://bugs.launchpad.net/qemu/+bug/1718964 https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg02278.html https://usn.ubuntu.com/3575-1 https://www.debian.org/security/2018/dsa-4213 https://access.redhat.com/security/cve/CVE-2017-15268 https://bugzilla.redhat.com/show_bug.cgi?id=1496879 • CWE-400: Uncontrolled Resource Consumption CWE-772: Missing Release of Resource after Effective Lifetime •
CVE-2017-15038
https://notcve.org/view.php?id=CVE-2017-15038
Race condition in the v9fs_xattrwalk function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes. • http://www.openwall.com/lists/oss-security/2017/10/06/1 https://lists.debian.org/debian-lts-announce/2018/09/msg00007.html https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg00729.html https://usn.ubuntu.com/3575-1 https://www.debian.org/security/2018/dsa-4213 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •