Skip to content

GitLab

Closed
Created by Emily@emily🤖

user/qemu: multiple vulnerabilities
Bugzilla ID 121
Alias(es) CVE-2018-10839, CVE-2018-16867, CVE-2018-17958, CVE-2018-17962, CVE-2018-17963, CVE-2018-18849, CVE-2018-18954, CVE-2018-20815, CVE-2019-12067, CVE-2019-12068, CVE-2019-12155, CVE-2019-12247, CVE-2019-12928, CVE-2019-12929, CVE-2019-13164, CVE-2019-14378, CVE-2019-15890, CVE-2019-20175, CVE-2019-20382, CVE-2019-3812, CVE-2019-5008, CVE-2019-6501, CVE-2019-6778, CVE-2019-9824, CVE-2020-1711
Reporter Max Rees (sroracle)
Assignee Max Rees (sroracle)
Reported 2019-07-29 03:15:14 -0500
Modified 2020-03-29 02:23:17 -0500
Status RESOLVED FIXED
Version 1.0-BETA3
Hardware Adélie Linux / All
Importance --- / normal

Description

CVE-2018-10839: https://nvd.nist.gov/vuln/detail/CVE-2018-10839

Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is
vulnerable to an integer overflow, which could lead to buffer overflow
issue. It could occur when receiving packets over the network. A user
inside guest could use this flaw to crash the Qemu process resulting
in DoS.

CVE-2018-16867: https://nvd.nist.gov/vuln/detail/CVE-2018-16867

A flaw was found in qemu Media Transfer Protocol (MTP) before version
3.1.0. A path traversal in the in usb_mtp_write_data function in
hw/usb/dev-mtp.c due to an improper filename sanitization. When the
guest device is mounted in read-write mode, this allows to read/write
arbitrary files which may lead do DoS scenario OR possibly lead to
code execution on the host.

CVE-2018-18849: https://nvd.nist.gov/vuln/detail/CVE-2018-18849

In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows
out-of-bounds access by triggering an invalid msg_len value.

CVE-2018-18954: https://nvd.nist.gov/vuln/detail/CVE-2018-18954

The pnv_lpc_do_eccb function in hw/ppc/pnv_lpc.c in Qemu before 3.1
allows out-of-bounds write or read access to PowerNV memory.

CVE-2019-3812: https://nvd.nist.gov/vuln/detail/CVE-2019-3812

QEMU, through version 2.10 and through version 3.1.0, is vulnerable to
an out-of-bounds read of up to 128 bytes in the
hw/i2c/i2c-ddc.c:i2c_ddc() function. A local attacker with permission
to execute i2c commands could exploit this to read stack memory of the
qemu process on the host.

CVE-2019-6778: https://nvd.nist.gov/vuln/detail/CVE-2019-6778

In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer
overflow.

CVE-2019-9824: https://nvd.nist.gov/vuln/detail/CVE-2019-9824

tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0
uses uninitialized data in an snprintf call, leading to Information
disclosure.

CVE-2019-12247: https://nvd.nist.gov/vuln/detail/CVE-2019-12247

** DISPUTED ** QEMU 3.0.0 has an Integer Overflow because the
qga/commands*.c files do not check the length of the argument list or
the number of environment variables. NOTE: This has been disputed as
not exploitable.