CVE-2016-5126 – Qemu: block: iscsi: buffer overflow in iscsi_aio_ioctl
https://notcve.org/view.php?id=CVE-2016-5126
Heap-based buffer overflow in the iscsi_aio_ioctl function in block/iscsi.c in QEMU allows local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call. Desbordamiento de buffer basado en memoria dinámica en la función iscsi_aio_ioctl en block/iscsi.c en QEMU permite a usuarios locales del SO invitado provocar una denegación de servicio (caída del proceso QEMU) o posiblemente ejecutar código arbitrario a través de una llamada iSCSI ioctl I/O asíncrona manipulada. Quick Emulator(QEMU) built with the Block driver for iSCSI images support (virtio-blk) is vulnerable to a heap-based buffer overflow issue. The flaw could occur while processing iSCSI asynchronous I/O ioctl(2) calls. A user inside a guest could exploit this flaw to crash the QEMU process resulting in denial of service, or potentially leverage it to execute arbitrary code with QEMU-process privileges on the host. • http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=a6b3167fa0e825aebb5a7cd8b437b6d41584a196 http://rhn.redhat.com/errata/RHSA-2016-1606.html http://rhn.redhat.com/errata/RHSA-2016-1607.html http://rhn.redhat.com/errata/RHSA-2016-1653.html http://rhn.redhat.com/errata/RHSA-2016-1654.html http://rhn.redhat.com/errata/RHSA-2016-1655.html http://rhn.redhat.com/errata/RHSA-2016-1756.html http://rhn.redhat.com/errata/RHSA-2016-1763.html http://www.openwall.com/lists/oss-secu • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-787: Out-of-bounds Write •
CVE-2016-4448 – libxml2: Format string vulnerability
https://notcve.org/view.php?id=CVE-2016-4448
Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers in unknown vectors. Vulnerabilidad de formato de cadena en libxml2 en versiones anteriores a 2.9.4 permite a atacantes tener un impacto no especificado a través de especificadores de formato de cadena en vectores desconocidos. • http://lists.apple.com/archives/security-announce/2016/Jul/msg00000.html http://lists.apple.com/archives/security-announce/2016/Jul/msg00001.html http://lists.apple.com/archives/security-announce/2016/Jul/msg00002.html http://lists.apple.com/archives/security-announce/2016/Jul/msg00003.html http://lists.apple.com/archives/security-announce/2016/Jul/msg00005.html http://rhn.redhat.com/errata/RHSA-2016-2957.html http://www.openwall.com/lists/oss-security/2016/05/25/2 http://www • CWE-134: Use of Externally-Controlled Format String •
CVE-2016-3710 – qemu: incorrect banked access bounds checking in vga module
https://notcve.org/view.php?id=CVE-2016-3710
The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Portal" issue. El módulo VGA en QEMU lleva a cabo incorrectamente comprobaciones de límites sobre acceso almacenado a la memoria de vídeo, lo que permite a administradores locales de SO invitado ejecutar código arbitrario sobre el anfitrión cambiando los modos de acceso después de establecer el banco de registros, también conocido como el problema "Dark Portal". An out-of-bounds read/write access flaw was found in the way QEMU's VGA emulation with VESA BIOS Extensions (VBE) support performed read/write operations using I/O port methods. A privileged guest user could use this flaw to execute arbitrary code on the host with the privileges of the host's QEMU process. • http://rhn.redhat.com/errata/RHSA-2016-0724.html http://rhn.redhat.com/errata/RHSA-2016-0725.html http://rhn.redhat.com/errata/RHSA-2016-0997.html http://rhn.redhat.com/errata/RHSA-2016-0999.html http://rhn.redhat.com/errata/RHSA-2016-1000.html http://rhn.redhat.com/errata/RHSA-2016-1001.html http://rhn.redhat.com/errata/RHSA-2016-1002.html http://rhn.redhat.com/errata/RHSA-2016-1019.html http://rhn.redhat.com/errata/RHSA-2016-1943.html http://suppor • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2016-3627 – libxml2: stack exhaustion while parsing xml files in recovery mode
https://notcve.org/view.php?id=CVE-2016-3627
The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and earlier, when used in recovery mode, allows context-dependent attackers to cause a denial of service (infinite recursion, stack consumption, and application crash) via a crafted XML document. La función xmlStringGetNodeList en tree.c en libxml2.2.9.3 y versiones anteriores, cuando se utiliza en modo de recuperación, permite a atacantes dependientes del contexto provocar una denegación de servicio (bucle infinito, consumo de pila y caída de la aplicación) a través de un docuumento XML manipulado. Missing recursive loop detection checks were found in the xmlParserEntityCheck() and xmlStringGetNodeList() functions of libxml2, causing application using the library to crash by stack exhaustion while building the associated data. An attacker able to send XML data to be parsed in recovery mode could launch a Denial of Service on the application. libxml versions prior to 2.9.3 suffer from a stack overflow vulnerability when parsing a malicious file. • http://lists.opensuse.org/opensuse-updates/2016-05/msg00055.html http://lists.opensuse.org/opensuse-updates/2016-05/msg00127.html http://rhn.redhat.com/errata/RHSA-2016-2957.html http://seclists.org/fulldisclosure/2016/May/10 http://www.openwall.com/lists/oss-security/2016/03/21/2 http://www.openwall.com/lists/oss-security/2016/03/21/3 http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016& • CWE-674: Uncontrolled Recursion •
CVE-2016-2857 – Qemu: net: out of bounds read in net_checksum_calculate()
https://notcve.org/view.php?id=CVE-2016-2857
The net_checksum_calculate function in net/checksum.c in QEMU allows local guest OS users to cause a denial of service (out-of-bounds heap read and crash) via the payload length in a crafted packet. La función net_checksum_calculate en net/checksum.c en QEMU permite a usuarios del SO invitado provocar una denegación de servicio (lectura de memoria dinámica fuera de rango y caída) a través de una longitud de la carga útil en un paquete manipulado. An out-of-bounds read-access flaw was found in the QEMU emulator built with IP checksum routines. The flaw could occur when computing a TCP/UDP packet's checksum, because a QEMU function used the packet's payload length without checking against the data buffer's size. A user inside a guest could use this flaw to crash the QEMU process (denial of service). • http://git.qemu.org/?p=qemu.git%3Ba=commitdiff%3Bh=362786f14a753d8a5256ef97d7c10ed576d6572b http://rhn.redhat.com/errata/RHSA-2016-2670.html http://rhn.redhat.com/errata/RHSA-2016-2671.html http://rhn.redhat.com/errata/RHSA-2016-2704.html http://rhn.redhat.com/errata/RHSA-2016-2705.html http://rhn.redhat.com/errata/RHSA-2016-2706.html http://rhn.redhat.com/errata/RHSA-2017-0083.html http://rhn.redhat.com/errata/RHSA-2017-0309.html http://rhn.redhat.com/errata/RHSA- • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-125: Out-of-bounds Read •