7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.002 Low
EPSS
Percentile
58.0%
An out-of-bounds memory access flaw, leading to memory corruption or
possibly an information leak, was found in QEMU’s pit_ioport_read()
function. A privileged guest user in a QEMU guest, which had QEMU PIT
emulation enabled, could potentially, in rare cases, use this flaw to
execute arbitrary code on the host with the privileges of the hosting
QEMU process.
A heap overflow flaw was found in the way QEMU’s IDE subsystem handled
I/O buffer access while processing certain ATAPI commands. A privileged
guest user in a guest with CDROM drive enabled could potentially use
this flaw to execute arbitrary code on the host with the privileges of
the host’s QEMU process corresponding to the guest.
This is a guest-triggerable buffer overflow. The scsi_cdb_length returns
-1 as an error value, but the caller does not check it. Luckily, the
massive overflow means that QEMU will just SIGSEGV, leading to denial of
service of the guest system.
xenbits.xen.org/xsa/advisory-138.html
access.redhat.com/security/cve/CVE-2015-3214
access.redhat.com/security/cve/CVE-2015-5154
access.redhat.com/security/cve/CVE-2015-5158
github.com/qemu/qemu/commit/03441c3a4a42
github.com/qemu/qemu/commit/c170aad8b057
github.com/qemu/qemu/commit/cb72cba83021
github.com/qemu/qemu/commit/d2ff85854512
github.com/qemu/qemu/commit/d4862a87e31a