user/qemu: multiple vulnerabilities
| Field | Value |
|---|---|
| Alias(es) | CVE-2018-10839, CVE-2018-16867, CVE-2018-17958, CVE-2018-17962, CVE-2018-17963, CVE-2018-18849, CVE-2018-18954, CVE-2018-20815, CVE-2019-12067, CVE-2019-12068, CVE-2019-12155, CVE-2019-12247, CVE-2019-12928, CVE-2019-12929, CVE-2019-13164, CVE-2019-14378, CVE-2019-15890, CVE-2019-20175, CVE-2019-20382, CVE-2019-3812, CVE-2019-5008, CVE-2019-6501, CVE-2019-6778, CVE-2019-9824, CVE-2020-1711 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2019-07-29 03:15:14 -0500 |
| Modified | 2020-03-29 02:23:17 -0500 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is
vulnerable to an integer overflow, which could lead to a buffer overflow
issue. It could occur when receiving packets over the network. A user
inside the guest could use this flaw to crash the Qemu process resulting

A flaw was found in qemu Media Transfer Protocol (MTP) before version
3.1.0. A path traversal in the usb_mtp_write_data function in
hw/usb/dev-mtp.c due to improper filename sanitization. When the
guest device is mounted in read-write mode, this allows reading and writing
arbitrary files, which may lead to a DoS scenario or possibly to
code execution on the host.

In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows
out-of-bounds access by triggering an invalid msg_len value.

The pnv_lpc_do_eccb function in hw/ppc/pnv_lpc.c in Qemu before 3.1
allows out-of-bounds write or read access to PowerNV memory.

QEMU, through version 2.10 and through version 3.1.0, is vulnerable to
an out-of-bounds read of up to 128 bytes in the
hw/i2c/i2c-ddc.c:i2c_ddc() function. A local attacker with permission
to execute i2c commands could exploit this to read stack memory of the
qemu process on the host.

In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer

tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0
uses uninitialized data in an snprintf call, leading to Information

** DISPUTED ** QEMU 3.0.0 has an Integer Overflow because the
qga/commands*.c files do not check the length of the argument list or
the number of environment variables. NOTE: This has been disputed as