CVSS: 9.3EPSS: 2%CPEs: 24EXPL: 0CVE-2012-6075 – qemu: e1000 driver buffer overflow when processing large packets when SBP and LPE flags are disabled
https://notcve.org/view.php?id=CVE-2012-6075
Buffer overflow in the e1000_receive function in the e1000 device driver (hw/e1000.c) in QEMU 1.3.0-rc2 and other versions, when the SBP and LPE flags are disabled, allows remote attackers to cause a denial of service (guest OS crash) and possibly execute arbitrary guest code via a large packet. Desbordamiento de buffer en la función e1000_receive del controlador de dispositivo e1000 (hw/e1000.c) en QEMU v1.3.0-rc2 y otras versiones, cuando las banderas de PAS y LPE están deshabilitadas, permiten ataques remotos que provocan una denegación de servicios (errores en el sistema operativo invitado) y posiblemente ejecutar código arbitrario. • http://git.qemu.org/?p=qemu.git%3Ba=commitdiff%3Bh=b0d9ffcd0251161c7c92f94804dcf599dfa3edeb http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097541.html http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097575.html http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097705.html http://lists.nongnu.org/archive/html/qemu-devel/2012-12/msg00533.html http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00021.html http://lists.opensuse.org/opensuse • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 7.4EPSS: 0%CPEs: 33EXPL: 0CVE-2012-3515 – qemu: VT100 emulation vulnerability
https://notcve.org/view.php?id=CVE-2012-3515
Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating certain devices with a virtual console backend, allows local OS guest users to gain privileges via a crafted escape VT100 sequence that triggers the overwrite of a "device model's address space." Qemu, tal como se utiliza en Xen v4.0, v4.1 y posiblemente otros productos, al emular ciertos dispositivos con una consola virtual, permite a los usuarios locales del SO invitado obtener privilegios a través de una secuencia VT100 de escape manipulada que desencadena la sobrescritura del espacio de direcciones de un "device model's address space." • http://git.qemu.org/?p=qemu-stable-0.15.git%3Ba=log http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00012.html http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00016.ht • CWE-20: Improper Input Validation CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 6.8EPSS: 5%CPEs: 10EXPL: 0CVE-2011-4111 – qemu: ccid: buffer overflow in handling of VSC_ATR message
https://notcve.org/view.php?id=CVE-2011-4111
Buffer overflow in the ccid_card_vscard_handle_message function in hw/ccid-card-passthru.c in QEMU before 0.15.2 and 1.x before 1.0-rc4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted VSC_ATR message. Desbordamiento de buffer en la función ccid_card_vscard_handle_message en hw/ccid-card-passthru.c en QEMU anterior a 0.15.2 y 1.x anterior a 1.0-rc4 permite a atacantes remotos causar una denegación de servicio (caída) y posiblemente ejecutar código arbitrario a través de un mensaje VSC_ATR manipulado. • http://git.qemu.org/?p=qemu-stable-0.15.git%3Ba=log http://git.qemu.org/?p=qemu.git%3Ba=log%3Bh=refs/heads/stable-1.0 http://rhn.redhat.com/errata/RHSA-2011-1777.html http://rhn.redhat.com/errata/RHSA-2011-1801.html https://bugzilla.redhat.com/show_bug.cgi?id=751310 https://access.redhat.com/security/cve/CVE-2011-4111 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.4EPSS: 0%CPEs: 74EXPL: 0CVE-2011-1751 – qemu: acpi_piix4: missing hotplug check during device removal
https://notcve.org/view.php?id=CVE-2011-1751
The pciej_write function in hw/acpi_piix4.c in the PIIX4 Power Management emulation in qemu-kvm does not check if a device is hotpluggable before unplugging the PCI-ISA bridge, which allows privileged guest users to cause a denial of service (guest crash) and possibly execute arbitrary code by sending a crafted value to the 0xae08 (PCI_EJ_BASE) I/O port, which leads to a use-after-free related to "active qemu timers." La función pciej_write en hw/acpi_piix4.c en la emulación de PIIX4 Power Management en qemu-kvm no comprueba si un dispositivo es conectable en caliente antes de desconectar el puente PCI-ISA, lo que permite causar una denegación de servicio y posiblemente ejecutar código de su elección a los usuarios privilegiados invitados mediante el envío de un valor específico al puerto I/O 0xae08 (PCI_EJ_BASE), lo que provoca a un uso después de liberación relacionado con "temporizadores qemu activos". • http://blog.nelhage.com/2011/08/breaking-out-of-kvm http://git.kernel.org/?p=virt/kvm/qemu-kvm.git%3Ba=commit%3Bh=505597e4476a6bc219d0ec1362b760d71cb4fdca http://lists.nongnu.org/archive/html/qemu-devel/2011-05/msg01810.html http://lists.opensuse.org/opensuse-updates/2011-05/msg00043.html http://rhn.redhat.com/errata/RHSA-2011-0534.html http://secunia.com/advisories/44393 http://secunia.com/advisories/44458 http://secunia.com/advisories/44648 http://secunia.com/advisories/44658 • CWE-20: Improper Input Validation CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •