Subject: [ASA-202106-49] libslirp: information disclosure Arch Linux Security Advisory ASA-202106-49 ========================================== Severity: Medium Date : 2021-06-22 CVE-ID : CVE-2021-3592 CVE-2021-3593 CVE-2021-3594 CVE-2021-3595 Package : libslirp Type : information disclosure Remote : No Link : https://security.archlinux.org/AVG-2073 Summary ======= The package libslirp before version 4.6.0-1 is vulnerable to information disclosure. Resolution ========== Upgrade to 4.6.0-1. # pacman -Syu "libslirp>=4.6.0-1" The problems have been fixed upstream in version 4.6.0. Workaround ========== None. Description =========== - CVE-2021-3592 (information disclosure) An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU before version 4.6.0. The flaw exists in the bootp_input() function and could occur while processing a UDP packet that is smaller than the size of the 'bootp_t' structure. A malicious guest could use this flaw to leak 10 bytes of uninitialized heap memory from the host. - CVE-2021-3593 (information disclosure) An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU before version 4.6.0. The flaw exists in the udp6_input() function and could occur while processing a UDP packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. - CVE-2021-3594 (information disclosure) An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU before version 4.6.0. The flaw exists in the udp_input() function and could occur while processing a UDP packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. - CVE-2021-3595 (information disclosure) An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU before version 4.6.0. The flaw exists in the tftp_input() function and could occur while processing a UDP packet that is smaller than the size of the 'tftp_t' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. Impact ====== A malicious guest could disclose contents of the host's memory using crafted UDP packets. References ========== https://bugzilla.redhat.com/show_bug.cgi?id=1970484 https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44 https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 https://gitlab.freedesktop.org/slirp/libslirp/-/commit/f13cad45b25d92760bb0ad67bec0300a4d7d5275 https://gitlab.freedesktop.org/slirp/libslirp/-/commit/2eca0838eee1da96204545e22cdaed860d9d7c6c https://bugzilla.redhat.com/show_bug.cgi?id=1970487 https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45 https://gitlab.freedesktop.org/slirp/libslirp/-/commit/de71c15de66ba9350bf62c45b05f8fbff166517b https://bugzilla.redhat.com/show_bug.cgi?id=1970491 https://gitlab.freedesktop.org/slirp/libslirp/-/issues/47 https://gitlab.freedesktop.org/slirp/libslirp/-/commit/74572be49247c8c5feae7c6e0b50c4f569ca9824 https://bugzilla.redhat.com/show_bug.cgi?id=1970489 https://gitlab.freedesktop.org/slirp/libslirp/-/issues/46 https://gitlab.freedesktop.org/slirp/libslirp/-/commit/3f17948137155f025f7809fdc38576d5d2451c3d https://gitlab.freedesktop.org/slirp/libslirp/-/commit/990163cf3ac86b7875559f49602c4d76f46f6f30 https://security.archlinux.org/CVE-2021-3592 https://security.archlinux.org/CVE-2021-3593 https://security.archlinux.org/CVE-2021-3594 https://security.archlinux.org/CVE-2021-3595