SB2019032903 - OpenSUSE Linux update for qemu

Published: March 29, 2019 Updated: May 15, 2019

Security Bulletin ID SB2019032903
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 8 vulnerabilities.


1) Out-of-bounds read (CVE-ID: CVE-2017-13672)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows an adjacent unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists due to an out-of-bounds read. An adjacent attacker can trigger memory corruption and crash the service.

2) Improper input validation (CVE-ID: CVE-2017-13673)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows an adjacent authenticated attacker to cause a DoS condition on the target system.

The vulnerability exists in the VGA display update code, which mis-calculates the region for the dirty bitmap snapshot in split screen mode and triggers an assertion failure in the cpu_physical_memory_snapshot_get_dirty function. An adjacent attacker can crash the service.


3) Path traversal (CVE-ID: CVE-2018-16872)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows an adjacent attacker to obtain potentially sensitive information on the target system.

The vulnerability exists in the qemu Media Transfer Protocol (MTP) implementation: the code that opens files in usb_mtp_get_object and usb_mtp_get_partial_object, and directories in usb_mtp_object_readdir, does not consider that the underlying filesystem may have changed since lstat(2) was called in usb_mtp_object_alloc, a classic TOCTTOU problem. An adjacent attacker with write access to the host filesystem shared with a guest can use this property to navigate the host filesystem in the context of the QEMU process and read any file the QEMU process has access to.
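The lstat-then-open window described above, as an added example in C (not QEMU's code; the function names and the temp-directory scenario are hypothetical), beside a hardened open-then-fstat pattern that leaves no window for the filesystem to change underneath the check:

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern, step 1: a path-based lstat() check. Step 2 is a later
 * plain open(path) that trusts it; the path can be swapped in between. */
static int check_is_regular(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 && S_ISREG(st.st_mode);
}

/* Hardened pattern: refuse symlinks at open time, then validate the object
 * actually opened via fstat() on the descriptor; check and use coincide. */
static int open_then_verify(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                            /* ELOOP for a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a temp dir: a regular file passes the check, then
 * is replaced by a symlink. Returns 1 if naive open follows it, hardened refuses. */
int toctou_demo(void)
{
    char dir[] = "/tmp/toctouXXXXXX", obj[64], secret[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(obj, sizeof obj, "%s/obj", dir);
    snprintf(secret, sizeof secret, "%s/secret", dir);
    close(open(obj, O_WRONLY | O_CREAT, 0600));
    close(open(secret, O_WRONLY | O_CREAT, 0600));
    int checked = check_is_regular(obj);      /* check passes */
    unlink(obj);
    symlink(secret, obj);                     /* the swap in the window */
    int naive = open(obj, O_RDONLY);          /* follows the link */
    int hardened = open_then_verify(obj);     /* rejected with ELOOP */
    int result = checked && naive >= 0 && hardened < 0;
    if (naive >= 0) close(naive);
    unlink(obj); unlink(secret); rmdir(dir);
    return result;
}
```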


4) Use-after-free error (CVE-ID: CVE-2018-19364)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote authenticated attacker to cause a DoS condition on the target system.

The vulnerability exists due to a use-after-free condition in the VirtFS component. A remote attacker can access the system and maliciously update the fid path in worker threads via the v9fs_path_copy() function while accessing files on a shared host directory, trigger memory corruption and crash the service.


5) Race condition (CVE-ID: CVE-2018-19489)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows an adjacent attacker to cause a DoS condition on the target system.

The vulnerability exists due to a race condition while renaming files on a shared host directory. An adjacent attacker can trigger a use-after-free flaw in VirtFS (host directory sharing via Plan 9 File System, 9pfs, support) and crash the service.


6) Out-of-bounds read (CVE-ID: CVE-2018-7858)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows an adjacent attacker to cause a DoS condition on the target system.

The weakness exists due to improper VGA display updates. An adjacent attacker can abuse incorrect region calculations during VGA display updates to trigger an out-of-bounds read and crash the service.

7) Heap-based buffer overflow (CVE-ID: CVE-2019-6778)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error within the tcp_emu() function in slirp/tcp_subr.c. A local user can send specially crafted networking packets, trigger heap-based buffer overflow and crash the affected system.


8) Buffer overflow (CVE-ID: CVE-2018-18954)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error within the pnv_lpc_do_eccb() function in hw/ppc/pnv_lpc.c. A local user can create a specially crafted application and gain read and write access to PowerNV memory.


Remediation

Install the update from the vendor's website.