ALT-PU-2024-6866-2
Closed vulnerabilities
BDU:2022-05840
Уязвимость эмулятора аппаратного обеспечения QEMU, связанная с выделением неограниченной памяти, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-02140
Уязвимость компонента RDMA эмулятора аппаратного обеспечения QEMU, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-04834
Уязвимость компонента lsi53c895a.c эмулятора аппаратного обеспечения QEMU, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05459
Уязвимость функции scsi_disk_reset() (hw/scsi/scsi-disk.c) эмулятора аппаратного обеспечения QEMU, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-07853
Уязвимость функции ide_dma_cb() эмулятора аппаратного обеспечения QEMU, позволяющая нарушителю получить доступ на чтение, изменение или удаление данных или вызвать отказ в обслуживании
BDU:2024-00308
Уязвимость функции qemu_clipboard_request() встроенного сервера VNC эмулятора аппаратного обеспечения QEMU, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2024-01711
Уязвимость функция register_vfs() (hw/pci/pcie_sriov.c) эмулятора аппаратного обеспечения QEMU, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2024-01712
Уязвимость функция register_vfs() (hw/pci/pcie_sriov.c) эмулятора аппаратного обеспечения QEMU, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2021-3527
A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service.
- https://bugzilla.redhat.com/show_bug.cgi?id=1955695
- https://bugzilla.redhat.com/show_bug.cgi?id=1955695
- https://gitlab.com/qemu-project/qemu/-/commit/05a40b172e4d691371534828078be47e7fff524c
- https://gitlab.com/qemu-project/qemu/-/commit/05a40b172e4d691371534828078be47e7fff524c
- https://gitlab.com/qemu-project/qemu/-/commit/7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986
- https://gitlab.com/qemu-project/qemu/-/commit/7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986
- [debian-lts-announce] 20210902 [SECURITY] [DLA 2753-1] qemu security update
- [debian-lts-announce] 20210902 [SECURITY] [DLA 2753-1] qemu security update
- [debian-lts-announce] 20220905 [SECURITY] [DLA 3099-1] qemu security update
- [debian-lts-announce] 20220905 [SECURITY] [DLA 3099-1] qemu security update
- GLSA-202208-27
- GLSA-202208-27
- https://security.netapp.com/advisory/ntap-20210708-0008/
- https://security.netapp.com/advisory/ntap-20210708-0008/
- https://www.openwall.com/lists/oss-security/2021/05/05/5
- https://www.openwall.com/lists/oss-security/2021/05/05/5
Modified: 2024-11-21
CVE-2023-0330
A vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free.
- https://access.redhat.com/security/cve/CVE-2023-0330
- https://access.redhat.com/security/cve/CVE-2023-0330
- RHBZ#2160151
- RHBZ#2160151
- [debian-lts-announce] 20231005 [SECURITY] [DLA 3604-1] qemu security update
- [debian-lts-announce] 20231005 [SECURITY] [DLA 3604-1] qemu security update
- https://lists.nongnu.org/archive/html/qemu-devel/2023-01/msg03411.html
- https://lists.nongnu.org/archive/html/qemu-devel/2023-01/msg03411.html
Modified: 2024-11-21
CVE-2023-1544
A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.
- https://access.redhat.com/security/cve/CVE-2023-1544
- https://access.redhat.com/security/cve/CVE-2023-1544
- https://bugzilla.redhat.com/show_bug.cgi?id=2180364
- https://bugzilla.redhat.com/show_bug.cgi?id=2180364
- https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html
- https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html
- https://security.netapp.com/advisory/ntap-20230511-0005/
- https://security.netapp.com/advisory/ntap-20230511-0005/
Modified: 2024-11-21
CVE-2023-3019
A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.
- RHSA-2024:0135
- RHSA-2024:0135
- RHSA-2024:0404
- RHSA-2024:0404
- RHSA-2024:0569
- RHSA-2024:0569
- RHSA-2024:2135
- RHSA-2024:2135
- https://access.redhat.com/security/cve/CVE-2023-3019
- https://access.redhat.com/security/cve/CVE-2023-3019
- RHBZ#2222351
- RHBZ#2222351
- https://security.netapp.com/advisory/ntap-20230831-0005/
Modified: 2024-11-21
CVE-2023-3255
A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. A wrong exit condition may lead to an infinite loop when inflating an attacker controlled zlib buffer in the `inflate_buffer` function. This could allow a remote authenticated client who is able to send a clipboard to the VNC server to trigger a denial of service.
Modified: 2024-11-21
CVE-2023-40360
QEMU through 8.0.4 accesses a NULL pointer in nvme_directive_receive in hw/nvme/ctrl.c because there is no check for whether an endurance group is configured before checking whether Flexible Data Placement is enabled.
- https://gitlab.com/birkelund/qemu/-/commit/6c8f8456cb0b239812dee5211881426496da7b98
- https://gitlab.com/birkelund/qemu/-/commit/6c8f8456cb0b239812dee5211881426496da7b98
- https://gitlab.com/qemu-project/qemu/-/issues/1815
- https://gitlab.com/qemu-project/qemu/-/issues/1815
- https://security.netapp.com/advisory/ntap-20230915-0004/
- https://security.netapp.com/advisory/ntap-20230915-0004/
- https://www.qemu.org/docs/master/system/security.html
- https://www.qemu.org/docs/master/system/security.html
Modified: 2024-11-21
CVE-2023-42467
QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not prevent s->qdev.blocksize from being 256. This stops QEMU and the guest immediately.
- https://gitlab.com/qemu-project/qemu/-/commit/7cfcc79b0ab800959716738aff9419f53fc68c9c
- https://gitlab.com/qemu-project/qemu/-/commit/7cfcc79b0ab800959716738aff9419f53fc68c9c
- https://gitlab.com/qemu-project/qemu/-/issues/1813
- https://gitlab.com/qemu-project/qemu/-/issues/1813
- https://security.netapp.com/advisory/ntap-20231103-0005/
- https://security.netapp.com/advisory/ntap-20231103-0005/
Modified: 2024-11-21
CVE-2023-5088
A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overwriting the VM's boot code). This could be used, for example, by L2 guests with a virtual disk (vdiskL2) stored on a virtual disk of an L1 (vdiskL1) hypervisor to read and/or write data to LBA 0 of vdiskL1, potentially gaining control of L1 at its next reboot.
- RHSA-2024:2135
- RHSA-2024:2135
- RHSA-2024:2962
- RHSA-2024:2962
- https://access.redhat.com/security/cve/CVE-2023-5088
- https://access.redhat.com/security/cve/CVE-2023-5088
- RHBZ#2247283
- RHBZ#2247283
- https://lists.debian.org/debian-lts-announce/2024/03/msg00012.html
- https://lore.kernel.org/all/20230921160712.99521-1-simon.rowe@nutanix.com/T/
- https://lore.kernel.org/all/20230921160712.99521-1-simon.rowe@nutanix.com/T/
- https://security.netapp.com/advisory/ntap-20231208-0005/
Modified: 2024-11-21
CVE-2023-6683
A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. The qemu_clipboard_request() function can be reached before vnc_server_cut_text_caps() was called and had the chance to initialize the clipboard peer, leading to a NULL pointer dereference. This could allow a malicious authenticated VNC client to crash QEMU and trigger a denial of service.
Modified: 2024-11-21
CVE-2023-6693
A stack based buffer overflow was found in the virtio-net device of QEMU. This issue occurs when flushing TX in the virtio_net_flush_tx function if guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1 and VIRTIO_NET_F_MRG_RXBUF are enabled. This could allow a malicious user to overwrite local variables allocated on the stack. Specifically, the `out_sg` variable could be used to read a part of process memory and send it to the wire, causing an information leak.
- RHSA-2024:2962
- RHSA-2024:2962
- https://access.redhat.com/security/cve/CVE-2023-6693
- https://access.redhat.com/security/cve/CVE-2023-6693
- RHBZ#2254580
- RHBZ#2254580
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OYGUN5HVOXESW7MSNM44E4AE2VNXQB6Y/
- https://security.netapp.com/advisory/ntap-20240208-0004/
Modified: 2024-11-21
CVE-2024-26327
An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in hw/pci/pcie_sriov.c mishandles the situation where a guest writes NumVFs greater than TotalVFs, leading to a buffer overflow in VF implementations.
Modified: 2024-11-21
CVE-2024-26328
An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in hw/pci/pcie_sriov.c does not set NumVFs to PCI_SRIOV_TOTAL_VF, and thus interaction with hw/nvme/ctrl.c is mishandled.