SB2014042304 - Multiple vulnerabilities in QEMU
Published: April 23, 2014
Updated: August 10, 2020
Description
This security bulletin contains information about 17 security vulnerabilities.
1) Buffer overflow (CVE-ID: CVE-2013-4542)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The virtio_scsi_load_request function in hw/scsi/scsi-bus.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted savevm image, which triggers an out-of-bounds array access.
2) Code Injection (CVE-ID: CVE-2013-6399)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Array index error in the virtio_load function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image.
3) Buffer overflow (CVE-ID: CVE-2014-0182)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Heap-based buffer overflow in the virtio_load function in hw/virtio/virtio.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted config length in a savevm image.
4) Heap-based buffer overflow (CVE-ID: CVE-2014-3461)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in hw/usb/bus.c in QEMU 1.6.2. A remote attacker can use crafted savevm data to trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
5) Buffer overflow (CVE-ID: CVE-2013-4526)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Buffer overflow in hw/ide/ahci.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via vectors related to migrating ports.
6) Buffer overflow (CVE-ID: CVE-2013-4527)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Buffer overflow in hw/timer/hpet.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via vectors related to the number of timers.
7) Buffer overflow (CVE-ID: CVE-2013-4529)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image.
8) Buffer overflow (CVE-ID: CVE-2013-4530)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Buffer overflow in hw/ssi/pl022.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted tx_fifo_head and rx_fifo_head values in a savevm image.
9) Buffer overflow (CVE-ID: CVE-2013-4531)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Buffer overflow in target-arm/machine.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a negative value in cpreg_vmstate_array_len in a savevm image.
10) Buffer overflow (CVE-ID: CVE-2013-4533)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Buffer overflow in the pxa2xx_ssp_load function in hw/arm/pxa2xx.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted s->rx_level value in a savevm image.
11) Buffer overflow (CVE-ID: CVE-2013-4534)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Buffer overflow in hw/intc/openpic.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via vectors related to IRQDest elements.
12) Code Injection (CVE-ID: CVE-2013-4537)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The ssi_sd_transfer function in hw/sd/ssi-sd.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary code via a crafted arglen value in a savevm image.
13) Buffer overflow (CVE-ID: CVE-2013-4538)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Multiple buffer overflows in the ssd0323_load function in hw/display/ssd0323.c in QEMU before 1.7.2 allow remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via crafted (1) cmd_len, (2) row, or (3) col values; (4) row_start and row_end values; or (5) col_start and col_end values in a savevm image.
14) Buffer overflow (CVE-ID: CVE-2013-4539)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Multiple buffer overflows in the tsc210x_load function in hw/input/tsc210x.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted (1) precision, (2) nextprecision, (3) function, or (4) nextfunction value in a savevm image.
15) Buffer overflow (CVE-ID: CVE-2013-4540)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Buffer overflow in scoop_gpio_handler_update in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a large (1) prev_level, (2) gpio_level, or (3) gpio_dir value in a savevm image.
16) Buffer overflow (CVE-ID: CVE-2013-4541)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The usb_device_post_load function in hw/usb/bus.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted savevm image, related to a negative setup_len or setup_index value.
17) Input validation error (CVE-ID: CVE-2014-2894)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Off-by-one error in the cmd_smart function in the smart self test in hw/ide/core.c in QEMU before 2.0 allows local users to have unspecified impact via a SMART EXECUTE OFFLINE command that triggers a buffer underflow and memory corruption.
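Most of the entries above share one root cause: an index or length read from a savevm image is used to address a fixed-size buffer without a range check, and a negative signed value is especially dangerous because a later cast to an unsigned type turns it into a huge offset. The C block below is an added example, not QEMU's code or the bulletin's: it models that bug class with a constructed device state (the field names borrow from entries 8 and 16, but the struct, the 12-byte image layout and every function are hypothetical) and shows the post-load validation that rejects negative or oversized values before they can be used.

```c
#include <stdint.h>
#include <string.h>
/* Constructed, simplified model of device state restored from a savevm
 * stream; struct, field and function names are hypothetical, not QEMU's. */
#define FIFO_LEN 8
#define SETUP_BUF_LEN 8
typedef struct {
    int32_t tx_fifo_head;   /* ring index, valid 0 .. FIFO_LEN-1 */
    int32_t setup_len;      /* bytes used in setup_buf, 0 .. SETUP_BUF_LEN */
    int32_t setup_index;    /* cursor into setup_buf, 0 .. setup_len */
    uint32_t tx_fifo[FIFO_LEN];
    uint8_t setup_buf[SETUP_BUF_LEN];
} dev_state_t;
/* Little-endian signed 32-bit field, as stored in the stream. */
static int32_t load_i32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}
/* Post-load validation: each index or length taken from the image is checked
 * on its signed type before use, so a negative value is rejected outright. */
static int post_load_checked(const dev_state_t *s)
{
    if (s->tx_fifo_head < 0 || s->tx_fifo_head >= FIFO_LEN) return -1;
    if (s->setup_len < 0 || s->setup_len > SETUP_BUF_LEN) return -1;
    if (s->setup_index < 0 || s->setup_index > s->setup_len) return -1;
    return 0;
}

/* Parse the three fields from a 12-byte image: 0 = accepted, -1 = rejected. */
static int restore_image(const uint8_t *img, size_t len, dev_state_t *s)
{
    if (len < 12) return -1;
    memset(s, 0, sizeof(*s));
    s->tx_fifo_head = load_i32(img);
    s->setup_len = load_i32(img + 4);
    s->setup_index = load_i32(img + 8);
    return post_load_checked(s);
}

/* Encode the given (possibly hostile) field values as an image and load it. */
int restore_fields(int32_t head, int32_t len, int32_t idx)
{
    const int32_t v[3] = { head, len, idx };
    uint8_t img[12];
    dev_state_t s;
    for (int i = 0; i < 12; i++)
        img[i] = (uint8_t)((uint32_t)v[i / 4] >> (8 * (i % 4)));
    return restore_image(img, sizeof img, &s);
}
```

A real device would additionally refuse to run any post-load code that touches tx_fifo or setup_buf until post_load_checked has returned 0, since the check is only useful if it runs before the first use of the loaded fields.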
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- http://git.qemu.org/?p=qemu.git;a=commitdiff;h=3c3ce981423e0d6c18af82ee62f1850c2cda5976
- http://lists.fedoraproject.org/pipermail/package-announce/2014-May/133345.html
- http://lists.nongnu.org/archive/html/qemu-stable/2014-07/msg00187.html
- http://rhn.redhat.com/errata/RHSA-2014-0743.html
- http://rhn.redhat.com/errata/RHSA-2014-0744.html
- http://git.qemu.org/?p=qemu.git;a=commitdiff;h=4b53c2c72cb5541cf394033b528a6fe2a86c0ac1
- http://git.qemu.org/?p=qemu.git;a=commitdiff;h=a890a2f9137ac3cf5b607649e66a6f3a5512d8dc
- http://article.gmane.org/gmane.comp.emulators.qemu/272092
- http://lists.fedoraproject.org/pipermail/package-announce/2014-June/134053.html
- http://git.qemu.org/?p=qemu.git;a=commit;h=ae2158ad6ce0845b2fae2a22aa7f19c0d7a71ce5
- http://lists.gnu.org/archive/html/qemu-devel/2013-12/msg00394.html
- http://git.qemu.org/?p=qemu.git;a=commitdiff;h=3f1c49e2136fa08ab1ef3183fd55def308829584
- http://rhn.redhat.com/errata/RHSA-2014-0927.html
- http://git.qemu.org/?p=qemu.git;a=commitdiff;h=d8d0a0bc7e194300e53a346d25fe5724fd588387
- http://git.qemu.org/?p=qemu.git;a=commit;h=d2ef4b61fe6d33d2a5dcf100a9b9440de341ad62
- http://git.qemu.org/?p=qemu.git;a=commitdiff;h=caa881abe0e01f9931125a0977ec33c5343e4aa7
- http://git.qemu.org/?p=qemu.git;a=commitdiff;h=73d963c0a75cb99c6aaa3f6f25e427aa0b35a02e
- http://git.qemu.org/?p=qemu.git;a=commit;h=a9c380db3b8c6af19546a68145c8d1438a09c92b
- http://git.qemu.org/?p=qemu.git;a=commit;h=ead7a57df37d2187813a121308213f41591bd811
- http://git.qemu.org/?p=qemu.git;a=commit;h=5193be3be35f29a35bc465036cd64ad60d43385f
- http://git.qemu.org/?p=qemu.git;a=commit;h=52f91c3723932f8340fe36c8ec8b18a757c37b2b
- http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00003.html
- http://git.qemu.org/?p=qemu.git;a=commitdiff;h=9f8e9895c504149d7048e9fc5eb5cbb34b16e49a
- http://rhn.redhat.com/errata/RHSA-2014-0704.html
- http://secunia.com/advisories/57945
- http://secunia.com/advisories/58191
- http://www.openwall.com/lists/oss-security/2014/04/15/4
- http://www.openwall.com/lists/oss-security/2014/04/18/5
- http://www.securityfocus.com/bid/66932
- http://www.ubuntu.com/usn/USN-2182-1
- https://lists.nongnu.org/archive/html/qemu-devel/2014-04/msg02016.html
- https://lists.nongnu.org/archive/html/qemu-devel/2014-04/msg02095.html
- https://lists.nongnu.org/archive/html/qemu-devel/2014-04/msg02152.html