CVE-2016-3712 – qemu-kvm: Out-of-bounds read when creating weird vga screen surface
https://notcve.org/view.php?id=CVE-2016-3712
Integer overflow in the VGA module in QEMU allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) by editing VGA registers in VBE mode. Desbordamiento de entero en el módulo VGA en QEMU permite a usuarios de SO invitado locales provocar una denegación de servicio (lectura fuera de límites y caída de proceso QEMU) editando registros VGA en modo VBE. An integer overflow flaw and an out-of-bounds read flaw were found in the way QEMU's VGA emulator set certain VGA registers while in VBE mode. A privileged guest user could use this flaw to crash the QEMU process instance. • http://rhn.redhat.com/errata/RHSA-2016-2585.html http://rhn.redhat.com/errata/RHSA-2017-0621.html http://support.citrix.com/article/CTX212736 http://www.debian.org/security/2016/dsa-3573 http://www.openwall.com/lists/oss-security/2016/05/09/4 http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html http://www.securityfocus.com/bid/90314 http://www.securitytracker.com/id/1035794 http://www.ubuntu.com/usn/USN-2974-1 http://xenbits.xen.org/ • CWE-125: Out-of-bounds Read CWE-190: Integer Overflow or Wraparound •
CVE-2016-3710 – qemu: incorrect banked access bounds checking in vga module
https://notcve.org/view.php?id=CVE-2016-3710
The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Portal" issue. El módulo VGA en QEMU lleva a cabo incorrectamente comprobaciones de límites sobre acceso almacenado a la memoria de vídeo, lo que permite a administradores locales de SO invitado ejecutar código arbitrario sobre el anfitrión cambiando los modos de acceso después de establecer el banco de registros, también conocido como el problema "Dark Portal". An out-of-bounds read/write access flaw was found in the way QEMU's VGA emulation with VESA BIOS Extensions (VBE) support performed read/write operations using I/O port methods. A privileged guest user could use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process. • http://rhn.redhat.com/errata/RHSA-2016-0724.html http://rhn.redhat.com/errata/RHSA-2016-0725.html http://rhn.redhat.com/errata/RHSA-2016-0997.html http://rhn.redhat.com/errata/RHSA-2016-0999.html http://rhn.redhat.com/errata/RHSA-2016-1000.html http://rhn.redhat.com/errata/RHSA-2016-1001.html http://rhn.redhat.com/errata/RHSA-2016-1002.html http://rhn.redhat.com/errata/RHSA-2016-1019.html http://rhn.redhat.com/errata/RHSA-2016-1943.html http://suppor • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2015-7704 – ntp: disabling synchronization via crafted KoD packet
https://notcve.org/view.php?id=CVE-2015-7704
The ntpd client in NTP 4.x before 4.2.8p4 and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service via a number of crafted "KOD" messages. El cliente ntpd en NTP 4.x en versiones anteriores a 4.2.8p4, y 4.3.x en versiones anteriores a 4.3.77 permite que atacantes remotos provoquen una denegación de servicio empleando una serie de mensajes "KOD" manipulados. It was discovered that ntpd as a client did not correctly check timestamps in Kiss-of-Death packets. A remote attacker could use this flaw to send a crafted Kiss-of-Death packet to an ntpd client that would increase the client's polling interval value, and effectively disable synchronization with the server. • http://bugs.ntp.org/show_bug.cgi?id=2901 http://rhn.redhat.com/errata/RHSA-2015-1930.html http://rhn.redhat.com/errata/RHSA-2015-2520.html http://support.ntp.org/bin/view/Main/NtpBug2901 http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_4_2_8p4_Securit http://www.debian.org/security/2015/dsa-3388 http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html http://www.securityfocus.com/bid/77280 http://www.securitytracker.com/id/1 • CWE-20: Improper Input Validation •