Main Vulnerability Database SB20231017149

SB20231017149 - Anolis OS update for qemu

Published: October 17, 2023 Updated: March 28, 2025

Security Bulletin ID SB20231017149

Severity

Medium

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Infinite loop (CVE-ID: CVE-2023-3255)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop within the vnc_client_cut_text_ext function in ui/vnc-clipboard.c. A remote authenticated client who is able to send a clipboard to the QEMU built-in VNC server can perform a denial of service conditions.

2) Reachable Assertion (CVE-ID: CVE-2023-3301)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion. When a peer nic is still attached to the vdpa backend, it is too early to free up the vhost-net and vdpa structures. If these structures are freed here, then QEMU crashes when the guest is being shut down.

Remediation

Install update from vendor's website.

References

https://anas.openanolis.cn/errata/detail/ANSA-2023:0569

Vulnerable Software

Anolis OS: 23
qemu-virtiofsd: before 7.2.6-1
qemu-user-binfmt: before 7.2.6-1
qemu-user: before 7.2.6-1
qemu-ui-spice-core: before 7.2.6-1
qemu-ui-spice-app: before 7.2.6-1
qemu-ui-opengl: before 7.2.6-1
qemu-ui-gtk: before 7.2.6-1
qemu-ui-egl-headless: before 7.2.6-1
qemu-ui-dbus: before 7.2.6-1
qemu-ui-curses: before 7.2.6-1
qemu-tools: before 7.2.6-1
qemu-tests: before 7.2.6-1
qemu-system-x86-core: before 7.2.6-1
qemu-system-x86: before 7.2.6-1
qemu-system-riscv-core: before 7.2.6-1
qemu-system-riscv: before 7.2.6-1
qemu-system-loongarch64-core: before 7.2.6-1
qemu-system-loongarch64: before 7.2.6-1
qemu-system-arm-core: before 7.2.6-1
qemu-system-arm: before 7.2.6-1
qemu-system-aarch64-core: before 7.2.6-1
qemu-system-aarch64: before 7.2.6-1
qemu-pr-helper: before 7.2.6-1
qemu-kvm-core: before 7.2.6-1
qemu-kvm: before 7.2.6-1
qemu-img: before 7.2.6-1
qemu-guest-agent: before 7.2.6-1
qemu-docs: before 7.2.6-1
qemu-device-usb-smartcard: before 7.2.6-1
qemu-device-usb-redirect: before 7.2.6-1
qemu-device-usb-host: before 7.2.6-1
qemu-device-display-virtio-vga-gl: before 7.2.6-1
qemu-device-display-virtio-vga: before 7.2.6-1
qemu-device-display-virtio-gpu-pci-gl: before 7.2.6-1
qemu-device-display-virtio-gpu-pci: before 7.2.6-1
qemu-device-display-virtio-gpu-gl: before 7.2.6-1
qemu-device-display-virtio-gpu-ccw: before 7.2.6-1
qemu-device-display-virtio-gpu: before 7.2.6-1
qemu-device-display-qxl: before 7.2.6-1
qemu-common: before 7.2.6-1
qemu-char-spice: before 7.2.6-1
qemu-char-baum: before 7.2.6-1
qemu-block-ssh: before 7.2.6-1
qemu-block-iscsi: before 7.2.6-1
qemu-block-gluster: before 7.2.6-1
qemu-block-dmg: before 7.2.6-1
qemu-block-curl: before 7.2.6-1
qemu-audio-spice: before 7.2.6-1
qemu-audio-pa: before 7.2.6-1
qemu-audio-oss: before 7.2.6-1
qemu-audio-dbus: before 7.2.6-1
qemu-audio-alsa: before 7.2.6-1
qemu: before 7.2.6-1

SB20231017149 - Anolis OS update for qemu

Breakdown by Severity

Description

Remediation

References

Please verify you're human