CVE-2017-13673 – QEMU: VGA: reachable assert failure during display update
https://notcve.org/view.php?id=CVE-2017-13673
The VGA display update miscalculated the region for the dirty bitmap snapshot when split screen mode is used, causing a denial of service (assertion failure) in the cpu_physical_memory_snapshot_get_dirty function. An assert failure issue was found in the VGA display emulator built into the Quick Emulator (QEMU). It could occur while updating the graphics display, due to miscalculating the region for the dirty bitmap snapshot in split screen mode. A privileged user/process inside the guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service.
• http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00042.html
• http://www.openwall.com/lists/oss-security/2017/09/10/1
• http://www.securityfocus.com/bid/100527
• https://access.redhat.com/errata/RHSA-2018:1104
• https://access.redhat.com/errata/RHSA-2018:1113
• https://git.qemu.org/gitweb.cgi?p=qemu.git%3Ba=commit%3Bh=bfc56535f793c557aa754c50213fc5f882e6482d
• https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg04685.html
• https://access.redhat.com/security/cve/CVE-2017-13673
• CWE-617: Reachable Assertion
CVE-2017-12809
https://notcve.org/view.php?id=CVE-2017-12809
QEMU (aka Quick Emulator), when built with the IDE disk and CD/DVD-ROM Emulator support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by flushing an empty CDROM device drive.
• http://www.debian.org/security/2017/dsa-3991
• http://www.openwall.com/lists/oss-security/2017/08/21/2
• http://www.securityfocus.com/bid/100451
• https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg01850.html
• CWE-476: NULL Pointer Dereference
CVE-2017-10806
https://notcve.org/view.php?id=CVE-2017-10806
Stack-based buffer overflow in hw/usb/redirect.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (QEMU process crash) via vectors related to logging debug messages.
• http://www.debian.org/security/2017/dsa-3925
• http://www.openwall.com/lists/oss-security/2017/07/07/1
• http://www.securityfocus.com/bid/99475
• https://bugzilla.redhat.com/show_bug.cgi?id=1468496
• https://lists.debian.org/debian-lts-announce/2018/09/msg00007.html
• https://lists.nongnu.org/archive/html/qemu-devel/2017-05/msg03087.html
• CWE-787: Out-of-bounds Write
CVE-2017-11334 – Qemu: exec: oob access during dma operation
https://notcve.org/view.php?id=CVE-2017-11334
The address_space_write_continue function in exec.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access the guest RAM block area. Quick Emulator (QEMU), compiled with qemu_map_ram_ptr to access guests' RAM block area, is vulnerable to an OOB r/w access issue. The crash can occur if a privileged user inside a guest conducts certain DMA operations, resulting in a DoS.
• http://www.debian.org/security/2017/dsa-3925
• http://www.openwall.com/lists/oss-security/2017/07/17/4
• http://www.securityfocus.com/bid/99895
• https://access.redhat.com/errata/RHSA-2017:3369
• https://access.redhat.com/errata/RHSA-2017:3466
• https://access.redhat.com/errata/RHSA-2017:3470
• https://access.redhat.com/errata/RHSA-2017:3471
• https://access.redhat.com/errata/RHSA-2017:3472
• https://access.redhat.com/errata/RHSA-2017:3473
• https://access.redhat.com/errata/RH
• CWE-125: Out-of-bounds Read
• CWE-787: Out-of-bounds Write
CVE-2017-10664 – Qemu: qemu-nbd: server breaks with SIGPIPE upon client abort
https://notcve.org/view.php?id=CVE-2017-10664
qemu-nbd in QEMU (aka Quick Emulator) does not ignore SIGPIPE, which allows remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt. Quick Emulator (QEMU) built with the Network Block Device (NBD) Server support is vulnerable to a crash via a SIGPIPE signal. The crash can occur if a client aborts a connection due to any failure during negotiation or a read operation. A remote user/process could use this flaw to crash the qemu-nbd server, resulting in a Denial of Service (DoS).
• http://www.debian.org/security/2017/dsa-3920
• http://www.openwall.com/lists/oss-security/2017/06/29/1
• http://www.securityfocus.com/bid/99513
• https://access.redhat.com/errata/RHSA-2017:2390
• https://access.redhat.com/errata/RHSA-2017:2445
• https://access.redhat.com/errata/RHSA-2017:3466
• https://access.redhat.com/errata/RHSA-2017:3470
• https://access.redhat.com/errata/RHSA-2017:3471
• https://access.redhat.com/errata/RHSA-2017:3472
• https://access.redhat.com/errata/RH
• CWE-248: Uncaught Exception