CVE-2011-1751 – qemu: acpi_piix4: missing hotplug check during device removal
https://notcve.org/view.php?id=CVE-2011-1751
The pciej_write function in hw/acpi_piix4.c in the PIIX4 Power Management emulation in qemu-kvm does not check if a device is hotpluggable before unplugging the PCI-ISA bridge, which allows privileged guest users to cause a denial of service (guest crash) and possibly execute arbitrary code by sending a crafted value to the 0xae08 (PCI_EJ_BASE) I/O port, which leads to a use-after-free related to "active qemu timers."
• http://blog.nelhage.com/2011/08/breaking-out-of-kvm
  http://git.kernel.org/?p=virt/kvm/qemu-kvm.git%3Ba=commit%3Bh=505597e4476a6bc219d0ec1362b760d71cb4fdca
  http://lists.nongnu.org/archive/html/qemu-devel/2011-05/msg01810.html
  http://lists.opensuse.org/opensuse-updates/2011-05/msg00043.html
  http://rhn.redhat.com/errata/RHSA-2011-0534.html
  http://secunia.com/advisories/44393
  http://secunia.com/advisories/44458
  http://secunia.com/advisories/44648
  http://secunia.com/advisories/44658
• CWE-20: Improper Input Validation
  CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CVE-2011-1750 – virtio-blk: heap buffer overflow caused by unaligned requests
https://notcve.org/view.php?id=CVE-2011-1750
Multiple heap-based buffer overflows in the virtio-blk driver (hw/virtio-blk.c) in qemu-kvm 0.14.0 allow local guest users to cause a denial of service (guest crash) and possibly gain privileges via a (1) write request to the virtio_blk_handle_write function or (2) read request to the virtio_blk_handle_read function that is not properly aligned.
• http://git.kernel.org/?p=virt/kvm/qemu-kvm.git%3Ba=commitdiff%3Bh=52c050236eaa4f0b5e1d160cd66dc18106445c4d
  http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081972.html
  http://lists.gnu.org/archive/html/qemu-devel/2011-03/msg03015.html
  http://lists.gnu.org/archive/html/qemu-devel/2011-03/msg03019.html
  http://lists.opensuse.org/opensuse-updates/2011-05/msg00043.html
  http://rhn.redhat.com/errata/RHSA-2011-0534.html
  http://secunia.com/advisories/44132
  http://secunia.com
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
  CWE-122: Heap-based Buffer Overflow

CVE-2011-0011 – qemu-kvm: Setting VNC password to empty string silently disables all authentication
https://notcve.org/view.php?id=CVE-2011-0011
qemu-kvm before 0.11.0 disables VNC authentication when the password is cleared, which allows remote attackers to bypass authentication and establish VNC sessions.
• http://rhn.redhat.com/errata/RHSA-2011-0345.html
  http://secunia.com/advisories/42830
  http://secunia.com/advisories/43272
  http://secunia.com/advisories/43733
  http://secunia.com/advisories/44393
  http://ubuntu.com/usn/usn-1063-1
  http://www.openwall.com/lists/oss-security/2011/01/10/3
  http://www.openwall.com/lists/oss-security/2011/01/11/1
  http://www.openwall.com/lists/oss-security/2011/01/12/2
  http://www.osvdb.org/70992
  https://bugs.launchpad.net
• CWE-287: Improper Authentication

CVE-2010-0741 – qemu: Improper handling of erroneous data provided by Linux virtio-net driver
https://notcve.org/view.php?id=CVE-2010-0741
The virtio_net_bad_features function in hw/virtio-net.c in the virtio-net driver in the Linux kernel before 2.6.26, when used on a guest OS in conjunction with qemu-kvm 0.11.0 or KVM 83, allows remote attackers to cause a denial of service (guest OS crash, and an associated qemu-kvm process exit) by sending a large amount of network traffic to a TCP port on the guest OS, related to a virtio-net whitelist that includes an improper implementation of TCP Segment Offloading (TSO).
• http://git.kernel.org/?p=virt/kvm/qemu-kvm.git%3Ba=commit%3Bh=184bd0484533b725194fa517ddc271ffd74da7c9
  http://lists.gnu.org/archive/html/qemu-devel/2009-10/msg02480.html
  http://lists.gnu.org/archive/html/qemu-devel/2009-10/msg02495.html
  http://openwall.com/lists/oss-security/2010/03/29/4
  http://securitytracker.com/id?1023798
  http://www.redhat.com/support/errata/RHSA-2010-0271.html
  http://www.vupen.com/english/advisories/2010/0760
  https://bugs.edge.launchpad.net/ubuntu/+s
• CWE-20: Improper Input Validation
  CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CVE-2010-0297 – kvm-userspace-rhel5: usb-linux.c: fix buffer overflow
https://notcve.org/view.php?id=CVE-2010-0297
Buffer overflow in the usb_host_handle_control function in the USB passthrough handling implementation in usb-linux.c in QEMU before 0.11.1 allows guest OS users to cause a denial of service (guest OS crash or hang) or possibly execute arbitrary code on the host OS via a crafted USB packet.
• http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=babd03fde68093482528010a5435c14ce9128e3f
  http://marc.info/?l=oss-security&m=126510479211473&w=2
  http://marc.info/?l=oss-security&m=126527304127254&w=2
  http://wiki.qemu.org/ChangeLog
  http://www.mail-archive.com/kvm%40vger.kernel.org/msg18447.html
  http://www.mail-archive.com/kvm%40vger.kernel.org/msg19581.html
  http://www.mail-archive.com/kvm%40vger.kernel.org/msg19596.html
  http://www.securityfocus.com/bid/38158
  https://bugzi
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer