qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent) in QEMU 2.12.50 has an integer overflow causing a g_malloc0() call to trigger a segmentation fault when trying to allocate a large memory chunk. The vulnerability can be exploited by sending a crafted QMP command (including guest-file-read with a large count value) to the agent via the listening socket.
NOTE: The following CVSS v3.0 metrics and score provided are preliminary and subject to review.
|Base Score:||7.5||Base Metrics:||AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H|
|Access Vector:||Network||Attack Complexity:||Low|
|Privileges Required:||None||User Interaction:||None|
|Integrity Impact:||None||Availability Impact:||High|
|Oracle Linux version 7 (qemu)||ELSA-2018-4262||2018-10-29|
|Oracle Linux version 7 (qemu)||ELSA-2018-4285||2018-11-20|
|Oracle Linux version 7 (qemu)||ELSA-2018-4289||2018-11-28|
|Oracle Linux version 7 (qemu)||ELSA-2019-4585||2019-03-15|
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team