ArchLinux: 202106-49: libslirp: information disclosure
Summary
- CVE-2021-3592 (information disclosure)
An invalid pointer initialization issue was found in the SLiRP
networking implementation of QEMU before version 4.6.0. The flaw exists
in the bootp_input() function and could occur while processing a UDP
packet that is smaller than the size of the 'bootp_t' structure. A
malicious guest could use this flaw to leak 10 bytes of uninitialized
heap memory from the host.
- CVE-2021-3593 (information disclosure)
An invalid pointer initialization issue was found in the SLiRP
networking implementation of QEMU before version 4.6.0. The flaw exists
in the udp6_input() function and could occur while processing a UDP
packet that is smaller than the size of the 'udphdr' structure. This
issue may lead to out-of-bounds read access or indirect host memory
disclosure to the guest.
- CVE-2021-3594 (information disclosure)
An invalid pointer initialization issue was found in the SLiRP
networking implementation of QEMU before version 4.6.0. The flaw exists
in the udp_input() function and could occur while processing a UDP
packet that is smaller than the size of the 'udphdr' structure. This
issue may lead to out-of-bounds read access or indirect host memory
disclosure to the guest.
- CVE-2021-3595 (information disclosure)
An invalid pointer initialization issue was found in the SLiRP
networking implementation of QEMU before version 4.6.0. The flaw exists
in the tftp_input() function and could occur while processing a UDP
packet that is smaller than the size of the 'tftp_t' structure. This
issue may lead to out-of-bounds read access or indirect host memory
disclosure to the guest.
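All four flaws share one defect class: a UDP datagram is cast to a header or message struct before anyone checks that the datagram is at least that large, so field reads run into memory beyond the packet. The following is an added example, not libslirp's code, showing the defensive pattern: a length check against the struct size before the cast, plus a cross-check of the header's own length field. The `struct bootp_msg` layout, `build_pkt` and the return codes are simplified stand-ins invented for the example.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* UDP header per RFC 768 (8 bytes). */
struct udphdr { uint16_t uh_sport, uh_dport, uh_ulen, uh_sum; };

/* Simplified stand-in for a service message; not libslirp's bootp_t/tftp_t layout. */
struct bootp_msg { uint8_t op, htype, hlen, hops; uint32_t xid; uint8_t vend[16]; };

enum { PKT_TOO_SHORT = -1, PKT_BAD_LEN = -2 };

/* The faulty pattern casts first (uh = (struct udphdr *)buf) and reads
 * uh->uh_ulen from a buffer shorter than the struct; whatever is derived
 * from that length then indexes stale heap memory. The hardened version
 * refuses a buffer shorter than the header it is cast to, then
 * cross-checks the header's own length field against what was received. */
int parse_udp(const uint8_t *buf, size_t len, const uint8_t **payload, size_t *payload_len) {
    struct udphdr uh;
    if (len < sizeof uh) return PKT_TOO_SHORT;
    memcpy(&uh, buf, sizeof uh);
    uint16_t ulen = ntohs(uh.uh_ulen);
    if (ulen < sizeof uh || ulen > len) return PKT_BAD_LEN;
    *payload = buf + sizeof uh;
    *payload_len = ulen - sizeof uh;
    return 0;
}

/* Same check one layer up: the payload must hold a whole message. */
int parse_bootp(const uint8_t *payload, size_t len, struct bootp_msg *out) {
    if (len < sizeof *out) return PKT_TOO_SHORT;
    memcpy(out, payload, sizeof *out);
    return 0;
}

/* Dispatch as a SLiRP-like stack does: header first, then the service. */
int handle_datagram(const uint8_t *buf, size_t len, struct bootp_msg *out) {
    const uint8_t *p; size_t plen;
    int rc = parse_udp(buf, len, &p, &plen);
    return rc ? rc : parse_bootp(p, plen, out);
}

/* Constructed sample datagram (not captured traffic): honest UDP header
 * followed by payload_len zero bytes; returns the total length. */
size_t build_pkt(uint8_t *buf, size_t payload_len) {
    struct udphdr uh = { htons(68), htons(67), htons((uint16_t)(8 + payload_len)), 0 };
    memcpy(buf, &uh, sizeof uh);
    memset(buf + sizeof uh, 0, payload_len);
    return sizeof uh + payload_len;
}
```

A 5-byte datagram is rejected before the header is read, a 12-byte one passes the UDP check but fails the message-size check, and a header whose length field exceeds the bytes actually received is rejected as inconsistent.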
Resolution
Upgrade to 4.6.0-1.
# pacman -Syu "libslirp>=4.6.0-1"
The problems have been fixed upstream in version 4.6.0.
References
https://bugzilla.redhat.com/show_bug.cgi?id=1970484
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/f13cad45b25d92760bb0ad67bec0300a4d7d5275
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/2eca0838eee1da96204545e22cdaed860d9d7c6c
https://bugzilla.redhat.com/show_bug.cgi?id=1970487
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/de71c15de66ba9350bf62c45b05f8fbff166517b
https://bugzilla.redhat.com/show_bug.cgi?id=1970491
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/74572be49247c8c5feae7c6e0b50c4f569ca9824
https://bugzilla.redhat.com/show_bug.cgi?id=1970489
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/3f17948137155f025f7809fdc38576d5d2451c3d
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/990163cf3ac86b7875559f49602c4d76f46f6f30
https://security.archlinux.org/CVE-2021-3592
https://security.archlinux.org/CVE-2021-3593
https://security.archlinux.org/CVE-2021-3594
https://security.archlinux.org/CVE-2021-3595
Workaround
None.