CVE-2015-5154 – qemu: ide: atapi: heap overflow during I/O buffer memory access
https://notcve.org/view.php?id=CVE-2015-5154
Heap-based buffer overflow in the IDE subsystem in QEMU, as used in Xen 4.5.x and earlier, when the container has a CDROM drive enabled, allows local guest users to execute arbitrary code on the host via unspecified ATAPI commands. Desbordamiento del buffer basado en memoria dinámica en el subsistema IDE en QEMU, usado en Xen 4.5.x y versiones anteriores, cuando el contenedor tiene una unidad CDROM habilitada, permite a usuarios invitados locales ejecutar código arbitrario en el host a través de comandos ATAPI no especificados. A heap buffer overflow flaw was found in the way QEMU's IDE subsystem handled I/O buffer access while processing certain ATAPI commands. A privileged guest user in a guest with the CDROM drive enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process corresponding to the guest. • http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163472.html http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163658.html http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163681.html http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00041.html http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00042.html http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00017.html http://lists.opensuse.org/opensuse-security-annou • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2015-3214 – QEMU - Programmable Interrupt Timer Controller Heap Overflow
https://notcve.org/view.php?id=CVE-2015-3214
The pit_ioport_read in i8254.c in the Linux kernel before 2.6.33 and QEMU before 2.3.1 does not distinguish between read lengths and write lengths, which might allow guest OS users to execute arbitrary code on the host OS by triggering use of an invalid index. Vulnerabilidad en pit_ioport_read en i8254.c en el kernel de Linux en versiones anteriores a 2.6.33 y en QEMU en versiones anteriores a 2.3.1, no distingue entre longitudes de lectura y longitudes de escritura, lo que podría permitir a los usuarios invitados del SO ejecutar código arbitrario en el host del SO desencadenando el uso de un índice no válido. An out-of-bounds memory access flaw, leading to memory corruption or possibly an information leak, was found in QEMU's pit_ioport_read() function. A privileged guest user in a QEMU guest, which had QEMU PIT emulation enabled, could potentially, in rare cases, use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. • https://www.exploit-db.com/exploits/37990 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ee73f656a604d5aa9df86a97102e4e462dd79924 http://mirror.linux.org.au/linux/kernel/v2.6/ChangeLog-2.6.33 http://rhn.redhat.com/errata/RHSA-2015-1507.html http://rhn.redhat.com/errata/RHSA-2015-1508.html http://rhn.redhat.com/errata/RHSA-2015-1512.html http://www.debian.org/security/2015/dsa-3348 http://www.openwall.com/lists/oss-security/2015/06/25/7 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2015-4037
https://notcve.org/view.php?id=CVE-2015-4037
The slirp_smb function in net/slirp.c in QEMU 2.3.0 and earlier creates temporary files with predictable names, which allows local users to cause a denial of service (instantiation failure) by creating /tmp/qemu-smb.*-* files before the program. Vulnerabilidad en la función slirp_smb en net/slirp.c en QEMU 2.3.0 y en versiones anteriores, crea archivos temporales con nombres predecibles, lo que permite a usuarios locales causar una denegación de servicio (fallo en la instanciación) creando archivos /tmp/qemu-smb.*-* antes que el programa. • http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160058.html http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160414.html http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00027.html http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00015.html http://lists.opensuse.org/opensuse-updates/2015-11/msg00063.html http://www.debian.org/security/2015/dsa-3284 http://www.debian.org/security/2015/dsa-3285 http://www.openwall.com/lists/ • CWE-17: DEPRECATED: Code •
CVE-2015-3209 – qemu: pcnet: multi-tmd buffer overflow in the tx path
https://notcve.org/view.php?id=CVE-2015-3209
Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set. Desbordamiento de buffer basado en memoria dinámica en el controlador PCNET en QEMU permite a atacantes remotos ejecutar código arbitrario mediante el envío de un paquete con el juego TXSTATUS_STARTPACKET y posteriormente un paquete manipulado con el juego TXSTATUS_DEVICEOWNS. A flaw was found in the way QEMU's AMD PCnet Ethernet emulation handled multi-TMD packets with a length above 4096 bytes. A privileged guest user in a guest with an AMD PCNet ethernet card enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. • http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10698 http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160669.html http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160677.html http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160685.html http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00007.html http://lists.opensuse.org/opensuse-security-announce/2015-06 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-787: Out-of-bounds Write •
CVE-2015-4106
https://notcve.org/view.php?id=CVE-2015-4106
QEMU does not properly restrict write access to the PCI config space for certain PCI pass-through devices, which might allow local x86 HVM guests to gain privileges, cause a denial of service (host crash), obtain sensitive information, or possibly have other unspecified impact via unknown vectors. QEMU no restringe correctamente el acceso a escritura al espacio PCI config para ciertos dispositivos PCI pass-through, lo que podría permitir a invitados x86 HVM locales obtener privilegios, causar una denegación de servicio (caída de host), obtener información sensible o posiblemente tener otro impacto no especificado a través de vectores desconocidos. • http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160154.html http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160171.html http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160685.html http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00007.html http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00029.html http://lists.opensuse.org/opensuse-security-announce • CWE-863: Incorrect Authorization •