CVE-2017-13711 – QEMU: Slirp: use-after-free when sending response
https://notcve.org/view.php?id=CVE-2017-13711
Use-after-free vulnerability in the sofree function in slirp/socket.c in QEMU (aka Quick Emulator) allows attackers to cause a denial of service (QEMU instance crash) by leveraging failure to properly clear ifq_so from pending packets. Una vulnerabilidad de uso después de liberación de memoria (use-after-free) en la función sofree en slirp/socket.c en QEMU (también conocido como Quick Emulator) permite que atacantes remotos provoquen una denegación de servicio (bloqueo de la instancia QEMU) aprovechando el error a la hora de eliminar correctamente ifq_so de los paquetes pendientes. A use-after-free issue was found in the Slirp networking implementation of the Quick emulator (QEMU). It occurs when a Socket referenced from multiple packets is freed while responding to a message. A user/process could use this flaw to crash the QEMU process on the host resulting in denial of service. • http://www.debian.org/security/2017/dsa-3991 http://www.openwall.com/lists/oss-security/2017/08/29/6 http://www.securityfocus.com/bid/100534 https://access.redhat.com/errata/RHSA-2018:0816 https://access.redhat.com/errata/RHSA-2018:1104 https://access.redhat.com/errata/RHSA-2018:1113 https://bugzilla.redhat.com/show_bug.cgi?id=1486400 https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg05201.html https://access.redhat.com/security/cve/CVE-2017-13711 • CWE-416: Use After Free •
CVE-2017-12809
https://notcve.org/view.php?id=CVE-2017-12809
QEMU (aka Quick Emulator), when built with the IDE disk and CD/DVD-ROM Emulator support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by flushing an empty CDROM device drive. QEMU (también conocido como Quick Emulator), cuando se integra con el disco IDE y soporte para CD/DVD-ROM Emulator, permite que usuarios con privilegios de sistema operativo invitado local provoquen una denegación de servicio (desreferencia de puntero NULL y bloqueo del proceso QEMU) al vaciar una unidad de dispositivo CDROM vacía. • http://www.debian.org/security/2017/dsa-3991 http://www.openwall.com/lists/oss-security/2017/08/21/2 http://www.securityfocus.com/bid/100451 https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg01850.html • CWE-476: NULL Pointer Dereference •
CVE-2017-10806
https://notcve.org/view.php?id=CVE-2017-10806
Stack-based buffer overflow in hw/usb/redirect.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (QEMU process crash) via vectors related to logging debug messages. Una vulnerabilidad de desbordamiento de búfer de pila en hw/usb/redirect.c en Quick Emulator (QEMU) podría permitir a los usuarios locales invitados del sistema operativo provocar una denegación de servicio mediante vectores relacionados con el registro de mensajes de depuración. • http://www.debian.org/security/2017/dsa-3925 http://www.openwall.com/lists/oss-security/2017/07/07/1 http://www.securityfocus.com/bid/99475 https://bugzilla.redhat.com/show_bug.cgi?id=1468496 https://lists.debian.org/debian-lts-announce/2018/09/msg00007.html https://lists.nongnu.org/archive/html/qemu-devel/2017-05/msg03087.html • CWE-787: Out-of-bounds Write •
CVE-2017-11334 – Qemu: exec: oob access during dma operation
https://notcve.org/view.php?id=CVE-2017-11334
The address_space_write_continue function in exec.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area. La función address_space_write_continue en exec.c en QEMU (también conocido como Quick Emulator) permite a los usuarios invitado locales con privilegios del sistema operativo provocar una denegación de servicio (acceso fuera de los límites y detención de las instancias de la cuenta de invitado) usando qemu_map_ram_ptr para acceder al área del bloque de memoria ram del invitado. Quick Emulator (QEMU), compiled with qemu_map_ram_ptr to access guests' RAM block area, is vulnerable to an OOB r/w access issue. The crash can occur if a privileged user inside a guest conducts certain DMA operations, resulting in a DoS. • http://www.debian.org/security/2017/dsa-3925 http://www.openwall.com/lists/oss-security/2017/07/17/4 http://www.securityfocus.com/bid/99895 https://access.redhat.com/errata/RHSA-2017:3369 https://access.redhat.com/errata/RHSA-2017:3466 https://access.redhat.com/errata/RHSA-2017:3470 https://access.redhat.com/errata/RHSA-2017:3471 https://access.redhat.com/errata/RHSA-2017:3472 https://access.redhat.com/errata/RHSA-2017:3473 https://access.redhat.com/errata/RH • CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •
CVE-2017-10664 – Qemu: qemu-nbd: server breaks with SIGPIPE upon client abort
https://notcve.org/view.php?id=CVE-2017-10664
qemu-nbd in QEMU (aka Quick Emulator) does not ignore SIGPIPE, which allows remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt. qemu-nbd en QEMU (Quick Emulator) no ignora la señal SIGPIPE, lo que permite a atacantes remotos provocar una denegación de servicio desconectando el proceso durante un intento de respuesta de servidor a cliente. Quick Emulator (QEMU) built with the Network Block Device (NBD) Server support is vulnerable to a crash via a SIGPIPE signal. The crash can occur if a client aborts a connection due to any failure during negotiation or read operation. A remote user/process could use this flaw to crash the qemu-nbd server resulting in a Denial of Service (DoS). • http://www.debian.org/security/2017/dsa-3920 http://www.openwall.com/lists/oss-security/2017/06/29/1 http://www.securityfocus.com/bid/99513 https://access.redhat.com/errata/RHSA-2017:2390 https://access.redhat.com/errata/RHSA-2017:2445 https://access.redhat.com/errata/RHSA-2017:3466 https://access.redhat.com/errata/RHSA-2017:3470 https://access.redhat.com/errata/RHSA-2017:3471 https://access.redhat.com/errata/RHSA-2017:3472 https://access.redhat.com/errata/RH • CWE-248: Uncaught Exception •