user/qemu: multiple vulnerabilities
Bugzilla ID | 121 |
Alias(es) | CVE-2018-10839, CVE-2018-16867, CVE-2018-17958, CVE-2018-17962, CVE-2018-17963, CVE-2018-18849, CVE-2018-18954, CVE-2018-20815, CVE-2019-12067, CVE-2019-12068, CVE-2019-12155, CVE-2019-12247, CVE-2019-12928, CVE-2019-12929, CVE-2019-13164, CVE-2019-14378, CVE-2019-15890, CVE-2019-20175, CVE-2019-20382, CVE-2019-3812, CVE-2019-5008, CVE-2019-6501, CVE-2019-6778, CVE-2019-9824, CVE-2020-1711 |
Reporter | Max Rees (sroracle) |
Assignee | Max Rees (sroracle) |
Reported | 2019-07-29 03:15:14 -0500 |
Modified | 2020-03-29 02:23:17 -0500 |
Status | RESOLVED FIXED |
Version | 1.0-BETA3 |
Hardware | Adélie Linux / All |
Importance | --- / normal |
Description
CVE-2018-10839: https://nvd.nist.gov/vuln/detail/CVE-2018-10839
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is
vulnerable to an integer overflow, which could lead to a buffer overflow
issue. It could occur when receiving packets over the network. A user
inside the guest could use this flaw to crash the Qemu process, resulting
in DoS.
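The NVD text above names the bug class (integer overflow in a receive path that feeds a buffer copy) but not the mechanism. The following is an added, constructed model of that class, written for this page and not taken from QEMU's hw/net/ne2000.c: a receive ring whose length check is done in a narrow integer type, beside a hardened check that does the arithmetic in size_t and bounds the frame before adding the header. The ring layout, page boundaries and the 16-bit `total_len` are assumptions chosen to show the wrap, not QEMU's actual arithmetic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an NE2000-style receive ring (not QEMU code):
 * the guest programs start/stop offsets into card memory and the device
 * copies each received frame, preceded by a 4-byte header, at cur. */
#define MEM_SIZE 0x10000U            /* 64 KiB of emulated card memory */

struct nic {
    uint8_t  mem[MEM_SIZE];
    uint32_t start;                  /* ring start offset, bytes */
    uint32_t stop;                   /* ring end offset, bytes, exclusive */
    uint32_t cur;                    /* next write offset, bytes */
};

static void nic_init(struct nic *s, uint32_t start, uint32_t stop)
{
    memset(s, 0, sizeof *s);
    s->start = start;
    s->stop  = stop;
    s->cur   = start;
}

/* Vulnerable check (assumed shape of the bug class): header + frame length
 * is computed in a 16-bit type, so a frame of 65533 bytes gives
 * total_len == 1, the bounds test passes, and a later memcpy of frame_len
 * bytes would run far past the ring. */
static bool frame_fits_vulnerable(const struct nic *s, size_t frame_len)
{
    uint16_t total_len = (uint16_t)(frame_len + 4);   /* wraps */
    return s->cur + total_len <= s->stop;
}

/* Hardened check: validate the guest-programmed ring, bound frame_len by
 * the ring size before any addition (so the sum cannot wrap), and compute
 * in size_t. */
static bool frame_fits_fixed(const struct nic *s, size_t frame_len)
{
    if (s->stop > MEM_SIZE || s->start >= s->stop) {
        return false;                /* ring outside card memory */
    }
    if (s->cur < s->start || s->cur >= s->stop) {
        return false;                /* write pointer outside ring */
    }
    size_t ring_len = s->stop - s->start;
    if (frame_len > ring_len) {
        return false;                /* cannot fit, and no overflow below */
    }
    size_t total_len = frame_len + 4;
    return total_len <= (size_t)(s->stop - s->cur);
}

/* Receive path using the hardened check: 4-byte header (status, next page,
 * 16-bit total length) followed by the frame bytes. */
static bool receive_frame(struct nic *s, const uint8_t *buf, size_t frame_len)
{
    if (!frame_fits_fixed(s, frame_len)) {
        return false;
    }
    size_t total_len = frame_len + 4;
    s->mem[s->cur + 0] = 0x01;                          /* status: received ok */
    s->mem[s->cur + 1] = 0x00;                          /* next page, unused here */
    s->mem[s->cur + 2] = (uint8_t)(total_len & 0xff);
    s->mem[s->cur + 3] = (uint8_t)(total_len >> 8);
    memcpy(s->mem + s->cur + 4, buf, frame_len);
    s->cur += (uint32_t)total_len;
    if (s->cur == s->stop) {
        s->cur = s->start;                              /* simple wrap */
    }
    return true;
}

int main(void)
{
    struct nic s;
    uint8_t frame[1500];
    nic_init(&s, 0x4000, 0x8000);
    memset(frame, 0xaa, sizeof frame);

    printf("1500-byte frame: vulnerable=%d fixed=%d\n",
           frame_fits_vulnerable(&s, 1500), frame_fits_fixed(&s, 1500));
    /* 65533 + 4 == 65537, which is 1 in 16 bits: the vulnerable check
     * accepts a frame larger than the whole card memory. */
    printf("65533-byte frame: vulnerable=%d fixed=%d\n",
           frame_fits_vulnerable(&s, 65533), frame_fits_fixed(&s, 65533));
    printf("received=%d cur=0x%x\n", receive_frame(&s, frame, sizeof frame), s.cur);
    return 0;
}
```

The fixed check does two things the vulnerable one does not: it refuses to trust guest-programmed ring registers, and it compares `frame_len` against the ring size before performing any addition, so the sum that follows cannot wrap regardless of the integer width.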
CVE-2018-16867: https://nvd.nist.gov/vuln/detail/CVE-2018-16867
A flaw was found in qemu Media Transfer Protocol (MTP) before version
3.1.0. A path traversal in the usb_mtp_write_data function in
hw/usb/dev-mtp.c due to improper filename sanitization. When the
guest device is mounted in read-write mode, this allows reading/writing
arbitrary files, which may lead to a DoS scenario or possibly to
code execution on the host.
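The security-relevant point in CVE-2018-16867 is that a filename chosen by the guest is joined to a host directory before being opened. Below is an added example, written for this page and not QEMU's patch, of the check a host-side file server should apply to such a name before building the path: reject anything containing a path separator, the names `.` and `..`, and empty names, and only then join to the exported directory. The function names and the maximum name length are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit for a single path component (illustrative). */
#define MAX_NAME_LEN 255

/* Vulnerable join (constructed): the guest name is concatenated as-is, so
 * "../../etc/passwd" escapes the exported directory. */
static bool build_host_path_vulnerable(const char *export_dir,
                                       const char *guest_name,
                                       char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "%s/%s", export_dir, guest_name);
    return n >= 0 && (size_t)n < out_len;
}

/* Guest-supplied name is acceptable only as a single, non-special
 * directory entry: no '/', not "." or "..", non-empty, bounded length. */
static bool guest_name_is_safe(const char *guest_name)
{
    size_t len;
    if (guest_name == NULL) {
        return false;
    }
    len = strlen(guest_name);
    if (len == 0 || len > MAX_NAME_LEN) {
        return false;
    }
    if (strchr(guest_name, '/') != NULL) {
        return false;                  /* would traverse or nest directories */
    }
    if (strcmp(guest_name, ".") == 0 || strcmp(guest_name, "..") == 0) {
        return false;                  /* refers to this or the parent dir */
    }
    return true;
}

/* Hardened join: validate first, then build the path. Returns false and
 * leaves out[] untouched when the name is rejected. */
static bool build_host_path_fixed(const char *export_dir,
                                  const char *guest_name,
                                  char *out, size_t out_len)
{
    int n;
    if (!guest_name_is_safe(guest_name)) {
        return false;
    }
    n = snprintf(out, out_len, "%s/%s", export_dir, guest_name);
    return n >= 0 && (size_t)n < out_len;
}

int main(void)
{
    /* Constructed guest-supplied names, including traversal attempts. */
    const char *names[] = { "report.txt", "../../etc/passwd", "sub/x",
                            ".", "..", "", "..hidden" };
    char path[512];
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        bool v = build_host_path_vulnerable("/srv/mtp", names[i], path, sizeof path);
        bool f = build_host_path_fixed("/srv/mtp", names[i], path, sizeof path);
        printf("%-18s vulnerable=%d fixed=%d\n", names[i], v, f);
    }
    return 0;
}
```

Note that `..hidden` is accepted: only the exact names `.` and `..` are special to the filesystem, and rejecting every name that starts with a dot would be a policy choice rather than a traversal fix. On a host that also follows symlinks inside the exported directory, a string check alone is not sufficient; opening with O_NOFOLLOW relative to a directory fd is the usual complement.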
CVE-2018-18849: https://nvd.nist.gov/vuln/detail/CVE-2018-18849
In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows
out-of-bounds access by triggering an invalid msg_len value.
CVE-2018-18954: https://nvd.nist.gov/vuln/detail/CVE-2018-18954
The pnv_lpc_do_eccb function in hw/ppc/pnv_lpc.c in Qemu before 3.1
allows out-of-bounds write or read access to PowerNV memory.
CVE-2019-3812: https://nvd.nist.gov/vuln/detail/CVE-2019-3812
QEMU, through version 2.10 and through version 3.1.0, is vulnerable to
an out-of-bounds read of up to 128 bytes in the
hw/i2c/i2c-ddc.c:i2c_ddc() function. A local attacker with permission
to execute i2c commands could exploit this to read stack memory of the
qemu process on the host.
CVE-2019-6778: https://nvd.nist.gov/vuln/detail/CVE-2019-6778
In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer
overflow.
CVE-2019-9824: https://nvd.nist.gov/vuln/detail/CVE-2019-9824
tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0
uses uninitialized data in an snprintf call, leading to Information
disclosure.
CVE-2019-12247: https://nvd.nist.gov/vuln/detail/CVE-2019-12247
** DISPUTED ** QEMU 3.0.0 has an Integer Overflow because the
qga/commands*.c files do not check the length of the argument list or
the number of environment variables. NOTE: This has been disputed as
not exploitable.