CVE-2017-15118 (retired)

Priority
Description
A stack-based buffer overflow vulnerability was found in NBD server
implementation in qemu before 2.11 allowing a client to request an export
name of size up to 4096 bytes, which in fact should be limited to 256
bytes, causing an out-of-bounds stack write in the qemu process. If NBD
server requires TLS, the attacker cannot trigger the buffer overflow
without first successfully negotiating TLS.
Notes
 mdeslaur> introduced in qemu 2.10
Package
Source: qemu (LP Ubuntu Debian)
Upstream:released (2.11)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):not-affected (code not present)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (code not present)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (1:2.11+dfsg-1ubuntu1)
Patches:
Upstream:https://git.qemu.org/?p=qemu.git;a=commit;h=51ae4f8455c9e32c54770c4ebc25bf86a8128183
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):not-affected (code not present)
Ubuntu 14.04 LTS (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
More Information

Updated: 2019-03-26 12:25:09 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)