CVE-2014-7815 – qemu: vnc: insufficient bits_per_pixel from the client sanitization
https://notcve.org/view.php?id=CVE-2014-7815
The set_pixel_format function in ui/vnc.c in QEMU allows remote attackers to cause a denial of service (crash) via a small bytes_per_pixel value. La función set_pixel_format en ui/vnc.c en QEMU permite a atacantes remotos causar una denegación de servicio (caída) a través de valores pequeños de bytes_per_pixel. An uninitialized data structure use flaw was found in the way the set_pixel_format() function sanitized the value of bits_per_pixel. An attacker able to access a guest's VNC console could use this flaw to crash the guest. • http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=e6908bfe8e07f2b452e78e677da1b45b1c0f6829 http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00019.html http://rhn.redhat.com/errata/RHSA-2015-0349.html http://rhn.redhat.com/errata/RHSA-2015-0624.html http://secunia.com/advisories/61484 http://secunia.com/advisories/62143 http://secunia.com/advisories/62144 http://support.citrix.com/article/CTX200892 http://www.debian.org/security/2014/dsa-3066 http://www.debian.org/secu • CWE-20: Improper Input Validation •
CVE-2014-3615 – Qemu: information leakage when guest sets high resolution
https://notcve.org/view.php?id=CVE-2014-3615
The VGA emulator in QEMU allows local guest users to read host memory by setting the display to a high resolution. El emulador VGA en QEMU permite a usuarios locales invitados leer la memoria del anfitrión mediante la configuración de la pantalla a una resolución alta. An information leak flaw was found in the way QEMU's VGA emulator accessed frame buffer memory for high resolution displays. A privileged guest user could use this flaw to leak memory contents of the host to the guest by setting the display to use a high resolution in the guest. • http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=ab9509cceabef28071e41bdfa073083859c949a7 http://git.qemu.org/?p=qemu.git%3Ba=commitdiff%3Bh=c1b886c45dc70f247300f549dce9833f3fa2def5 http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00014.html http://rhn.redhat.com/errata/RHSA-2014-1669.html http://rhn.redhat.com/errata/RHSA-2014-1670.html http://rhn.redhat.com/errata/RHSA-2014-1941.html http://secunia.com/advisories/61829 http://support.citrix.com/article/CTX200892 http://www.de • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2014-7169 – GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2014-7169
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271. GNU Bash hasta 4.3 bash43-025 procesa cadenas finales después de la definición malformada de funciones en los valores de variables de entorno, lo que permite a atacantes remotos escribir hacia ficheros o posiblemente tener otro impacto desconocido a través de un entorno manipulado, tal y como se ha demostrado por vectores que involucran la característica ForceCommand en sshd OpenSSH, los módulos mod_cgi y mod_cgid en el Apache HTTP Server, scripts ejecutados por clientes DHCP no especificados, y otras situaciones en la cual establecer el entorno ocurre a través de un límite privilegiado de la ejecución de Bash. Nota: Esta vulnerabilidad existe debido a una solución incompleta para CVE-2014-6271. It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. • https://www.exploit-db.com/exploits/34777 https://www.exploit-db.com/exploits/34895 https://www.exploit-db.com/exploits/34839 https://www.exploit-db.com/exploits/36503 https://www.exploit-db.com/exploits/36504 https://www.exploit-db.com/exploits/34766 https://www.exploit-db.com/exploits/35115 https://www.exploit-db.com/exploits/36933 https://www.exploit-db.com/exploits/34765 https://www.exploit-db.com/exploits/34860 https://www.exploit-db.com/exploits/34879 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-228: Improper Handling of Syntactically Invalid Structure •
CVE-2014-6271 – GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2014-6271
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. GNU Bash hasta la versión 4.3 procesa cadenas finales después de las definiciones de funciones en los valores de variables de entorno, lo que permite a atacantes remotos ejecutar código arbitrario a través de un entorno manipulado, tal como se ha demostrado por vectores que involucran la característica ForceCommand en sshd OpenSSH, los módulos mod_cgi y mod_cgid en el Apache HTTP Server, scripts ejecutados por clientes DHCP no especificados, y otras situaciones en las cuales el ajuste de entorno ocurre a través de un límite privilegiado de la ejecución de Bash, también conocido como "ShellShock." NOTA: la reparación original para este problema era incorrecta; CVE-2014-7169 ha sido asignada para cubrir la vulnerabilidad que todavía está presente después de la solución incorrecta. A flaw was found in the way Bash evaluated certain specially crafted environment variables. • https://github.com/darrenmartyn/visualdoor https://www.exploit-db.com/exploits/38849 https://www.exploit-db.com/exploits/34777 https://www.exploit-db.com/exploits/39918 https://www.exploit-db.com/exploits/34895 https://www.exploit-db.com/exploits/34839 https://www.exploit-db.com/exploits/40619 https://www.exploit-db.com/exploits/36503 https://www.exploit-db.com/exploits/36504 https://www.exploit-db.com/exploits/40938 https://www.exploit-db.com/exploits/34900 https • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2014-5177 – libvirt: unsafe parsing of XML documents allows libvirt DoS and/or arbitrary file read
https://notcve.org/view.php?id=CVE-2014-5177
libvirt 1.0.0 through 1.2.x before 1.2.5, when fine grained access control is enabled, allows local users to read arbitrary files via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virDomainDefineXML, (2) virNetworkCreateXML, (3) virNetworkDefineXML, (4) virStoragePoolCreateXML, (5) virStoragePoolDefineXML, (6) virStorageVolCreateXML, (7) virDomainCreateXML, (8) virNodeDeviceCreateXML, (9) virInterfaceDefineXML, (10) virStorageVolCreateXMLFrom, (11) virConnectDomainXMLFromNative, (12) virConnectDomainXMLToNative, (13) virSecretDefineXML, (14) virNWFilterDefineXML, (15) virDomainSnapshotCreateXML, (16) virDomainSaveImageDefineXML, (17) virDomainCreateXMLWithFiles, (18) virConnectCompareCPU, or (19) virConnectBaselineCPU API method, related to an XML External Entity (XXE) issue. NOTE: this issue was SPLIT from CVE-2014-0179 per ADT3 due to different affected versions of some vectors. libvirt 1.0.0 hasta 1.2.x anterior a 1.2.5, cuando el control de acceso detallado está habilitado, permite a usuarios locales leer ficheros arbitrarios a través de un documento XML manipulado que contiene una declaración de entidad externa XML en conjunto con una referencia de entidad en el método API (1) virDomainDefineXML, (2) virNetworkCreateXML, (3) virNetworkDefineXML, (4) virStoragePoolCreateXML, (5) virStoragePoolDefineXML, (6) virStorageVolCreateXML, (7) virDomainCreateXML, (8) virNodeDeviceCreateXML, (9) virInterfaceDefineXML, (10) virStorageVolCreateXMLFrom, (11) virConnectDomainXMLFromNative, (12) virConnectDomainXMLToNative, (13) virSecretDefineXML, (14) virNWFilterDefineXML, (15) virDomainSnapshotCreateXML, (16) virDomainSaveImageDefineXML, (17) virDomainCreateXMLWithFiles, (18) virConnectCompareCPU o (19) virConnectBaselineCPU, relacionado con un problema de entidad externa XML (XXE). NOTA: este problema ha sido dividido (SPLIT) del CVE-2014-0179 por ADT3 debido a las diferentes versiones afectadas de algunos vectores. It was found that libvirt passes the XML_PARSE_NOENT flag when parsing XML documents using the libxml2 library, in which case all XML entities in the parsed documents are expanded. A user able to force libvirtd to parse an XML document with an entity pointing to a file could use this flaw to read the contents of that file (limited to libvirt as shipped with Red Hat Enterprise Linux 7); parsing an XML document with an entity pointing to a special file that blocks on read access could cause libvirtd to hang indefinitely, resulting in a denial of service on the system. • http://libvirt.org/news.html http://lists.opensuse.org/opensuse-updates/2014-05/msg00048.html http://lists.opensuse.org/opensuse-updates/2014-05/msg00052.html http://rhn.redhat.com/errata/RHSA-2014-0560.html http://secunia.com/advisories/60895 http://security.gentoo.org/glsa/glsa-201412-04.xml http://security.libvirt.org/2014/0003.html http://www.ubuntu.com/usn/USN-2366-1 https://access.redhat.com/security/cve/CVE-2014-5177 https://bugzilla.redhat.com/show_bug.cg • CWE-20: Improper Input Validation CWE-611: Improper Restriction of XML External Entity Reference •