SB2019022711 - OpenSUSE Linux update for qemu

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2019022711

SB2019022711 - OpenSUSE Linux update for qemu

Published: February 27, 2019 Updated: May 15, 2019

Security Bulletin ID SB2019022711
Severity
Low
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Path traversal (CVE-ID: CVE-2018-16872)

The vulnerability allows an adjacent attacker to obtain potentially sensitive information on the target system.

The vulnerability exists in qemu Media Transfer Protocol (MTP) due to the code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn't consider that the underlying filesystem may have changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical TOCTTOU problem. An adjacent attacker with write access to the host filesystem shared with a guest can use this property to navigate the host filesystem in the context of the QEMU process and read any file the QEMU process has access to.


2) Buffer overflow (CVE-ID: CVE-2018-18954)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error within the pnv_lpc_do_eccb() function in hw/ppc/pnv_lpc.c. A local user can create a specially crafted application and gain read and write access to PowerNV memory.


3) Use-after-free error (CVE-ID: CVE-2018-19364)

The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.

The vulnerability exists due to use-after-free condition in the VirtFS component. A remote attacker can access the system and maliciously updatу the fid path in worker threads by using the v9fs_path_copy() function while accessing files on a shared host directory, trigger memory corruption and cause the service to crash.


4) Race condition (CVE-ID: CVE-2018-19489)

The vulnerability allows an adjacent attacker to cause DoS condition on the target system.

The vulnerability exists due to race condition while renaming files on a shared host directory. An adjacent attacker can use-after-free flaw in the VirtFS, host directory sharing via Plan 9 File System(9pfs) support and cause the service to crash.


5) Heap-based buffer overflow (CVE-ID: CVE-2019-6778)

The vulnerability allows a local user to perform denial of service (DoS) attack.

The vulnerability exists due to a boundary error within the tcp_emu() function in slirp/tcp_subr.c. A local user can send specially crafted networking packets, trigger heap-based buffer overflow and crash the affected system.


Remediation

Install update from vendor's website.

References