
CVE-2019-12929
https://notcve.org/view.php?id=CVE-2019-12929
24 Jun 2019 — The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue **EN DISPUTA** El comando QMP guest_e... • https://fakhrizulkifli.github.io/posts/2019/06/06/CVE-2019-12929 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-668: Exposure of Resource to Wrong Sphere •

CVE-2019-12928
https://notcve.org/view.php?id=CVE-2019-12928
24 Jun 2019 — The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows the remote attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue ** EN DISPUTA ** El ... • https://fakhrizulkifli.github.io/posts/2019/06/05/CVE-2019-12928 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-668: Exposure of Resource to Wrong Sphere •

CVE-2019-12247
https://notcve.org/view.php?id=CVE-2019-12247
22 May 2019 — QEMU 3.0.0 has an Integer Overflow because the qga/commands*.c files do not check the length of the argument list or the number of environment variables. NOTE: This has been disputed as not exploitable ** EN DISPUTA ** QEMU 3.0.0 tiene un desbordamiento de enteros (Integer Overflow) porque los archivos qga / command * .c no verifican la longitud de la lista de argumentos o el número de variables de entorno. NOTA: esta vulnerabilidad está siendo discutida como no explotable. • http://www.securityfocus.com/bid/108434 • CWE-190: Integer Overflow or Wraparound •

CVE-2019-9824 – QEMU: slirp: information leakage in tcp_emu() due to uninitialized stack variables
https://notcve.org/view.php?id=CVE-2019-9824
25 Apr 2019 — tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure. tcp_emu en slirp / tcp_subr.c (conocido como slirp / src / tcp_subr.c) en QEMU 3.0.0 usa datos no inicializados en una llamada a snprintf, lo que lleva a la revelación de información. Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Giorgi Maisuradze, Dan Horea Lutas, Andrei Lutas, Volodymyr Pikhur, Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, P... • https://access.redhat.com/errata/RHSA-2019:1650 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-908: Use of Uninitialized Resource •

CVE-2019-8934
https://notcve.org/view.php?id=CVE-2019-8934
17 Mar 2019 — hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest. hw/ppc/spapr.c en QEMU, hasta la versión 3.1.0, permite la exposición de información debido a que el hipervisor comparte los atributos del sistema en /proc/device-tree/system-id and /proc/device-tree/model con un invitado. • http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00094.html • CWE-668: Exposure of Resource to Wrong Sphere •

CVE-2019-6778 – QEMU: slirp: heap buffer overflow in tcp_emu()
https://notcve.org/view.php?id=CVE-2019-6778
17 Mar 2019 — In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow. En QEMU 3.0.0, tcp_emu en slirp/tcp_subr.c tiene un desbordamiento de búfer basado en memoria dinámica (heap). A heap buffer overflow issue was found in the SLiRP networking implementation of the QEMU emulator. It occurs in tcp_emu() routine while emulating the Identification protocol and copying message data to a socket buffer. A user or process could use this flaw to crash the QEMU process on the host resulting in a DoS or potent... • http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00073.html • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •

CVE-2019-3812 – Ubuntu Security Notice USN-3923-1
https://notcve.org/view.php?id=CVE-2019-3812
19 Feb 2019 — QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A local attacker with permission to execute i2c commands could exploit this to read stack memory of the qemu process on the host. QEMU, hasta la versión 2.10 y la 3.1.0, es vulnerable a una lectura fuera de límites de hasta 128 bytes en la función hw/i2c/i2c-ddc.c:i2c_ddc(). Un atacante local con permisos para ejecutar comandos i2c podría aprovechar este... • http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00094.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-125: Out-of-bounds Read •

CVE-2018-20124 – Ubuntu Security Notice USN-3923-1
https://notcve.org/view.php?id=CVE-2018-20124
20 Dec 2018 — hw/rdma/rdma_backend.c in QEMU allows guest OS users to trigger out-of-bounds access via a PvrdmaSqWqe ring element with a large num_sge value. hw/rdma/rdma_backend.c en QEMU permite que los usuarios invitados del sistema operativo desencadenen un acceso fuera de límites mediante un elemento de anillo PvrdmaSqWqe con un valor num_sge grande. Michael Hanselmann discovered that QEMU incorrectly handled the Media Transfer Protocol. An attacker inside the guest could use this issue to read or write arbitrary fi... • http://www.openwall.com/lists/oss-security/2018/12/18/2 • CWE-125: Out-of-bounds Read •

CVE-2018-20191 – Ubuntu Security Notice USN-3923-1
https://notcve.org/view.php?id=CVE-2018-20191
20 Dec 2018 — hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a read operation (such as uar_read by analogy to uar_write), which allows attackers to cause a denial of service (NULL pointer dereference). hw/rdma/vmw/pvrdma_main.c en QEMU no implementa una operación de lectura (como uar_read por analogía con uar_write), lo que permite que los atacantes provoquen una denegación de servicio (desreferencia de puntero NULL). Michael Hanselmann discovered that QEMU incorrectly handled the Media Transfer Protocol. An attack... • http://www.openwall.com/lists/oss-security/2018/12/18/1 • CWE-476: NULL Pointer Dereference •

CVE-2018-20125
https://notcve.org/view.php?id=CVE-2018-20125
20 Dec 2018 — hw/rdma/vmw/pvrdma_cmd.c in QEMU allows attackers to cause a denial of service (NULL pointer dereference or excessive memory allocation) in create_cq_ring or create_qp_rings. hw/rdma/vmw/pvrdma_cmd.c en QEMU permite que los atacantes provoquen una denegación de servicio (desreferencia de puntero NULL o asignación de memoria excesiva) en create_cq_ring o create_qp_rings. • http://www.openwall.com/lists/oss-security/2018/12/19/3 • CWE-476: NULL Pointer Dereference •