CVE-2020-7039
Published: 16 January 2020
tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access which can lead to a DoS or potential execute arbitrary code.
From the Ubuntu Security Team
It was discovered that the SLiRP networking implementation of the QEMU emulator did not properly manage memory under certain circumstances. An attacker could use this to cause a heap-based buffer overflow or other out-of-bounds access, which can lead to a denial of service (application crash) or potential execute arbitrary code.
Notes
| Author | Note |
|---|---|
| mdeslaur | possible better approach would be to disable tcp_emu completely https://gitlab.freedesktop.org/slirp/libslirp/commit/07c2a44b67e219ac14207f7a1b33704e1312cf91 |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
libslirp Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Not vulnerable
(4.1.0-2)
|
|
| groovy |
Not vulnerable
(4.1.0-2)
|
|
| hirsute |
Not vulnerable
(4.1.0-2)
|
|
| impish |
Not vulnerable
(4.1.0-2)
|
|
| jammy |
Not vulnerable
(4.1.0-2)
|
|
| kinetic |
Not vulnerable
(4.1.0-2)
|
|
| lunar |
Not vulnerable
(4.1.0-2)
|
|
| mantic |
Not vulnerable
(4.1.0-2)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(4.1.0-2)
|
|
| xenial |
Does not exist
|
|
|
Patches: upstream: https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289 upstream: https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9 upstream: https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80 |
||
|
qemu Launchpad, Ubuntu, Debian |
bionic |
Released
(1:2.11+dfsg-1ubuntu7.23)
|
| disco |
Ignored
(end of life)
|
|
| eoan |
Released
(1:4.0+dfsg-0ubuntu9.4)
|
|
| focal |
Not vulnerable
(uses system libslirp)
|
|
| groovy |
Not vulnerable
(uses system libslirp)
|
|
| hirsute |
Not vulnerable
(uses system libslirp)
|
|
| impish |
Not vulnerable
(uses system libslirp)
|
|
| jammy |
Not vulnerable
(uses system libslirp)
|
|
| kinetic |
Not vulnerable
(uses system libslirp)
|
|
| lunar |
Not vulnerable
(uses system libslirp)
|
|
| mantic |
Not vulnerable
(uses system libslirp)
|
|
| trusty |
Needed
|
|
| upstream |
Released
(1:4.2-1)
|
|
| xenial |
Released
(1:2.5+dfsg-5ubuntu10.43)
|
|
|
qemu-kvm Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
slirp Launchpad, Ubuntu, Debian |
bionic |
Released
(1:1.0.17-8ubuntu18.04.1)
|
| disco |
Ignored
(end of life)
|
|
| eoan |
Ignored
(end of life)
|
|
| focal |
Not vulnerable
(1:1.0.17-10)
|
|
| groovy |
Not vulnerable
(1:1.0.17-10)
|
|
| hirsute |
Not vulnerable
(1:1.0.17-10)
|
|
| impish |
Not vulnerable
(1:1.0.17-10)
|
|
| jammy |
Not vulnerable
(1:1.0.17-10)
|
|
| kinetic |
Not vulnerable
(1:1.0.17-10)
|
|
| lunar |
Not vulnerable
(1:1.0.17-10)
|
|
| mantic |
Not vulnerable
(1:1.0.17-10)
|
|
| trusty |
Released
(1:1.0.17-7+deb8u2build0.14.04.1+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| upstream |
Needed
|
|
| xenial |
Released
(1:1.0.17-8ubuntu16.04.1)
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.6 |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | Low |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |