Skip to content

CVE-2019-9824 uninitialized data leak (QEMU)

Low
AkihiroSuda published GHSA-vp7q-v36g-7vq7 Aug 9, 2019 · 1 comment

Package

slirp4netns

Affected versions

v0.2.1, v0.3.0-alpha.2, and prior versions

Patched versions

v0.2.2, v0.3.0-beta.0, and later

Description

Impact

tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure.

https://security-tracker.debian.org/tracker/CVE-2019-9824

Patches

On upstream qemu, the vulnerability was fixed on Mar 2, 2019: qemu/qemu@d322297

The fix was to applied to slirp4netns in:

  • 2e457f6 (Mar 10, 2019; included in v0.3.0-beta.0).
  • 0bfb596 (Jul 31, 2019; included in v0.2.2)

Severity

Low

CVE ID

CVE-2019-9824

Weaknesses

No CWEs