SB2016110407 - Input validation error in QEMU

Description

This security bulletin contains information about 1 security vulnerability.

1) Input validation error (CVE-ID: CVE-2016-8909)

The vulnerability allows local guest OS administrators to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (infinite loop and CPU consumption) via an entry with the same value for buffer length and pointer position.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• http://lists.opensuse.org/opensuse-updates/2016-12/msg00140.html
• http://www.openwall.com/lists/oss-security/2016/10/24/1
• http://www.openwall.com/lists/oss-security/2016/10/24/4
• http://www.securityfocus.com/bid/93842
• https://access.redhat.com/errata/RHSA-2017:2392
• https://access.redhat.com/errata/RHSA-2017:2408
• https://lists.debian.org/debian-lts-announce/2018/11/msg00038.html
• https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg04682.html
• https://security.gentoo.org/glsa/201611-11