CVE-2018-17963 – QEMU: net: ignore packets with large size
https://notcve.org/view.php?id=CVE-2018-17963
qemu_deliver_packet_iov in net/net.c in Qemu accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact. qemu_deliver_packet_iov en net/net.c en Qemu acepta tamaños de paquetes mayores a INT_MAX, lo que permite que los atacantes provoquen una denegación de servicio (DoS) o tengan otro tipo de impacto sin especificar. A potential integer overflow issue was found in the networking back-end of QEMU. It could occur while receiving packets, because it accepted packets with large size value. Such overflow could lead to OOB buffer access issue. A user inside guest could use this flaw to crash the QEMU process resulting in DoS. • http://www.openwall.com/lists/oss-security/2018/10/08/1 https://access.redhat.com/errata/RHSA-2019:2166 https://access.redhat.com/errata/RHSA-2019:2425 https://access.redhat.com/errata/RHSA-2019:2553 https://lists.debian.org/debian-lts-announce/2018/11/msg00038.html https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03267.html https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg06054.html https://usn.ubuntu.com/3826-1 https://www.debian.org/securi • CWE-121: Stack-based Buffer Overflow CWE-190: Integer Overflow or Wraparound •
CVE-2018-15746 – QEMU: seccomp: blacklist is not applied to all threads
https://notcve.org/view.php?id=CVE-2018-15746
qemu-seccomp.c in QEMU might allow local OS guest users to cause a denial of service (guest crash) by leveraging mishandling of the seccomp policy for threads other than the main thread. qemu-seccomp.c en QEMU podría permitir que usuarios locales del sistema operativo provoquen una denegación de servicio (cierre inesperado del guest) aprovechando la gestión incorrecta de la política seccomp para hilos diferentes al principal. • http://www.openwall.com/lists/oss-security/2018/08/28/6 https://access.redhat.com/errata/RHSA-2019:2425 https://lists.gnu.org/archive/html/qemu-devel/2018-08/msg04892.html https://access.redhat.com/security/cve/CVE-2018-15746 https://bugzilla.redhat.com/show_bug.cgi?id=1615637 • CWE-184: Incomplete List of Disallowed Inputs •
CVE-2018-12617 – QEMU Guest Agent 2.12.50 - Denial of Service
https://notcve.org/view.php?id=CVE-2018-12617
qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent) in QEMU 2.12.50 has an integer overflow causing a g_malloc0() call to trigger a segmentation fault when trying to allocate a large memory chunk. The vulnerability can be exploited by sending a crafted QMP command (including guest-file-read with a large count value) to the agent via the listening socket. qmp_guest_file_read en qga/commands-posix.c y qga/commands-win32.c en qemu-ga (también conocido como QEMU Guest Agent) en QEMU 2.12.50 tiene un desbordamiento de enteros que provoca que una llamada g_malloc0() desencadene un fallo de segmentación al intentar asignar un gran fragmento de memoria. La vulnerabilidad puede ser explotada mediante el envío de un comando QMP manipulado (incluyendo guest-file-read con un valor largo de conteo) al agente mediante el socket en escucha. QEMU Guest Agent version 2.12.50 suffers from a denial of service vulnerability. • https://www.exploit-db.com/exploits/44925 http://www.securityfocus.com/bid/104531 https://gist.github.com/fakhrizulkifli/c7740d28efa07dafee66d4da5d857ef6 https://lists.debian.org/debian-lts-announce/2019/02/msg00041.html https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg03385.html https://seclists.org/bugtraq/2019/May/76 https://usn.ubuntu.com/3826-1 https://www.debian.org/security/2019/dsa-4454 • CWE-190: Integer Overflow or Wraparound •
CVE-2018-11806 – Qemu Slirp Networking Heap-based Buffer Overflow Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2018-11806
m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams. m_cat en slirp/mbuf.c en Qemu tiene un desbordamiento de búfer basado en memoria dinámica (heap) mediante los datagramas entrantes fragmentados. A heap buffer overflow issue was found in the way SLiRP networking back-end in QEMU processes fragmented packets. It could occur while reassembling the fragmented datagrams of an incoming packet. A privileged user/process inside guest could use this flaw to crash the QEMU process resulting in DoS or potentially leverage it to execute arbitrary code on the host with privileges of the QEMU process. This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of Qemu. • http://www.openwall.com/lists/oss-security/2018/06/07/1 http://www.securityfocus.com/bid/104400 https://access.redhat.com/errata/RHSA-2018:2462 https://access.redhat.com/errata/RHSA-2018:2762 https://access.redhat.com/errata/RHSA-2018:2822 https://access.redhat.com/errata/RHSA-2018:2887 https://access.redhat.com/errata/RHSA-2019:2892 https://bugzilla.redhat.com/show_bug.cgi?id=1586245 https://lists.debian.org/debian-lts-announce/2019/05/msg00010.html https://li • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •