Gentoo update for libslirp



Published: 2021-07-20
Risk Low
Patch available YES
Number of vulnerabilities 4
CVE ID CVE-2021-3592
CVE-2021-3593
CVE-2021-3594
CVE-2021-3595
CWE ID CWE-763
Exploitation vector Local
Public exploit N/A
Vulnerable software
Subscribe
Gentoo Linux
Operating systems & Components / Operating system

Vendor Gentoo

Security Advisory

1) Release of invalid pointer or reference

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-3592

CWE-ID: CWE-763 - Release of invalid pointer or reference

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to invalid pointer initialization within the bootp_input() function while processing UDP packets in the SLiRP networking implementation of QEMU. A malicious guest could use this flaw to leak 10 bytes of uninitialized heap memory from the host.

Mitigation

Update the affected packages.
net-libs/libslirp to version: 4.6.0

Vulnerable software versions

Gentoo Linux: All versions

CPE External links

https://security.gentoo.org/
https://security.gentoo.org/glsa/202107-44

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Release of invalid pointer or reference

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-3593

CWE-ID: CWE-763 - Release of invalid pointer or reference

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to invalid pointer initialization within the udp6_input() function while processing UDP packets in the SLiRP networking implementation of QEMU. A malicious guest could use this vulnerability to read host memory.

Mitigation

Update the affected packages.
net-libs/libslirp to version: 4.6.0

Vulnerable software versions

Gentoo Linux: All versions

CPE External links

https://security.gentoo.org/
https://security.gentoo.org/glsa/202107-44

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Release of invalid pointer or reference

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-3594

CWE-ID: CWE-763 - Release of invalid pointer or reference

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to invalid pointer initialization within the udp_input() function while processing UDP packets in the SLiRP networking implementation of QEMU. A malicious guest could use this vulnerability to read host memory.

Mitigation

Update the affected packages.
net-libs/libslirp to version: 4.6.0

Vulnerable software versions

Gentoo Linux: All versions

CPE External links

https://security.gentoo.org/
https://security.gentoo.org/glsa/202107-44

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Release of invalid pointer or reference

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-3595

CWE-ID: CWE-763 - Release of invalid pointer or reference

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to invalid pointer initialization within the tftp_input() function while processing UDP packets in the SLiRP networking implementation of QEMU. A malicious guest could use this vulnerability to read host memory.

Mitigation

Update the affected packages.
net-libs/libslirp to version: 4.6.0

Vulnerable software versions

Gentoo Linux: All versions

CPE External links

https://security.gentoo.org/
https://security.gentoo.org/glsa/202107-44

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###