USN-4632-1

It was discovered that the SLiRP networking implementation of the QEMU emulator did not properly manage memory under certain circumstances. An attacker could use this to cause a heap-based buffer overflow or other out- of-bounds access, which can lead to a denial of service (application crash) or potentially execute arbitrary code. (CVE-2020-7039)

It was discovered that the SLiRP networking implementation of the QEMU emulator misuses snprintf return values. An attacker could use this to cause a denial of service (application crash) or potentially execute arbitrary code. (CVE-2020-8608)

References

Affected packages

Ubuntu:16.04:LTS / slirp

Package

Name: slirp
Purl: pkg:deb/ubuntu/slirp@1:1.0.17-8ubuntu16.04.1?arch=source&distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:1.0.17-8ubuntu16.04.1

Affected versions

1:1.*

1:1.0.17-8

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "1:1.0.17-8ubuntu16.04.1",
            "binary_name": "slirp"
        }
    ]
}

Database specific

cves_map

{
    "ecosystem": "Ubuntu:16.04:LTS",
    "cves": [
        {
            "id": "CVE-2020-7039",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        },
        {
            "id": "CVE-2020-8608",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        }
    ]
}

Ubuntu:18.04:LTS / slirp