SB2015070816 - Input validation error in qemu (Alpine package)
Published: July 8, 2015
Security Bulletin ID
SB2015070816
CSH Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Partial DoS
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Input validation error (CVE-ID: CVE-2015-4037)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The slirp_smb function in net/slirp.c in QEMU 2.3.0 and earlier creates temporary files with predictable names, which allows local users to cause a denial of service (instantiation failure) by creating /tmp/qemu-smb.*-* files before the program.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=3f9dc4f4288ebdbcf2680465617abcdafbe010b8
- https://git.alpinelinux.org/aports/commit/?id=0affe33dcd2b871de43750519c7304b8b84a56c0
- https://git.alpinelinux.org/aports/commit/?id=786a06d135bec56c5f93b9b5a0099cb34957f1da
- https://git.alpinelinux.org/aports/commit/?id=b94b5d00e17a5abee66704ba7cff0caf610f1c2c
- https://git.alpinelinux.org/aports/commit/?id=3397c7cce9410a6c2e244bfd6727eac84eca7d8a
- https://git.alpinelinux.org/aports/commit/?id=579b620a7ad1e38e716b5019c72b33b5389643ae