Arch Linux Security Advisory ASA-202106-49
==========================================

Severity: Medium
Date    : 2021-06-22
CVE-ID  : CVE-2021-3592 CVE-2021-3593 CVE-2021-3594 CVE-2021-3595
Package : libslirp
Type    : information disclosure
Remote  : No
Link    : https://security.archlinux.org/AVG-2073

Summary
=======

The package libslirp before version 4.6.0-1 is vulnerable to
information disclosure.

Resolution
==========

Upgrade to 4.6.0-1.

# pacman -Syu "libslirp>=4.6.0-1"

The problems have been fixed upstream in version 4.6.0.

Workaround
==========

None.

Description
===========

- CVE-2021-3592 (information disclosure)

An invalid pointer initialization issue was found in the SLiRP
networking implementation of QEMU before version 4.6.0. The flaw exists
in the bootp_input() function and could occur while processing a UDP
packet that is smaller than the size of the 'bootp_t' structure. A
malicious guest could use this flaw to leak 10 bytes of uninitialized
heap memory from the host.

- CVE-2021-3593 (information disclosure)

An invalid pointer initialization issue was found in the SLiRP
networking implementation of QEMU before version 4.6.0. The flaw exists
in the udp6_input() function and could occur while processing a UDP
packet that is smaller than the size of the 'udphdr' structure. This
issue may lead to out-of-bounds read access or indirect host memory
disclosure to the guest.

- CVE-2021-3594 (information disclosure)

An invalid pointer initialization issue was found in the SLiRP
networking implementation of QEMU before version 4.6.0. The flaw exists
in the udp_input() function and could occur while processing a UDP
packet that is smaller than the size of the 'udphdr' structure. This
issue may lead to out-of-bounds read access or indirect host memory
disclosure to the guest.

- CVE-2021-3595 (information disclosure)

An invalid pointer initialization issue was found in the SLiRP
networking implementation of QEMU before version 4.6.0. The flaw exists
in the tftp_input() function and could occur while processing a UDP
packet that is smaller than the size of the 'tftp_t' structure. This
issue may lead to out-of-bounds read access or indirect host memory
disclosure to the guest.

Impact
======

A malicious guest could disclose contents of the host's memory using
crafted UDP packets.

References
==========

https://bugzilla.redhat.com/show_bug.cgi?id=1970484
https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/f13cad45b25d92760bb0ad67bec0300a4d7d5275
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/2eca0838eee1da96204545e22cdaed860d9d7c6c
https://bugzilla.redhat.com/show_bug.cgi?id=1970487
https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/de71c15de66ba9350bf62c45b05f8fbff166517b
https://bugzilla.redhat.com/show_bug.cgi?id=1970491
https://gitlab.freedesktop.org/slirp/libslirp/-/issues/47
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/74572be49247c8c5feae7c6e0b50c4f569ca9824
https://bugzilla.redhat.com/show_bug.cgi?id=1970489
https://gitlab.freedesktop.org/slirp/libslirp/-/issues/46
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/3f17948137155f025f7809fdc38576d5d2451c3d
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/990163cf3ac86b7875559f49602c4d76f46f6f30
https://security.archlinux.org/CVE-2021-3592
https://security.archlinux.org/CVE-2021-3593
https://security.archlinux.org/CVE-2021-3594
https://security.archlinux.org/CVE-2021-3595