Vulnerabilities > CVE-2008-4539 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
kvm-qumranet
qemu
canonical
debian
CWE-119
nessus
NVD
Published: 2008-12-29
Updated: 2023-11-07

Summary

Heap-based buffer overflow in the Cirrus VGA implementation in (1) KVM before kvm-82 and (2) QEMU on Debian GNU/Linux and Ubuntu might allow local users to gain privileges by using the VNC console for a connection, aka the LGD-54XX "bitblt" heap overflow. NOTE: this issue exists because of an incorrect fix for CVE-2007-1320.

Vulnerable Configurations

Part Description Count
Application
Kvm_Qumranet
1
Application
Qemu
36
OS
Canonical
3
OS
Debian
3

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-10000.NASL
    descriptionThis library allows to manipulate XML files. It includes support to read, modify and write XML and HTML files. There is DTDs support this includes parsing and validation even with complex DtDs, either at parse time or later once the document has been modified. The output can be a simple SAX stream or and in-memory DOM like representations. In this case one can use the built-in XPath and XPointer implementation to select subnodes or ranges. A flexible Input/Output mechanism is available, with existing HTTP and FTP modules and combined to an URI library. Update Information: Fixes a couple of security issues when overflowing text data size of buffer size.
    last seen2016-09-26
    modified2012-10-01
    plugin id37490
    published2009-04-23
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=37490
    titleFedora 10 2008-10000
    code
    #%NASL_MIN_LEVEL 999999

# @DEPRECATED@
#
# This script has been deprecated as the associated advisory is not
# security-related.
#
# Disabled on 2012/09/30.
#


#
# (C) Tenable Network Security, Inc.
#
# This plugin text was extracted from Fedora Security Advisory 2008-10000
#

include("compat.inc");

if ( ! defined_func("bn_random") ) exit(0);
if(description)
{
 script_id(37490);
 script_version ("1.8");
script_name(english: "Fedora 10 2008-10000");
 script_set_attribute(attribute: "synopsis", value: 
"The remote host is missing the patch for the advisory FEDORA-2008-10000.");
 script_set_attribute(attribute: "description", value:
"This library allows to manipulate XML files. It includes support
to read, modify and write XML and HTML files. There is DTDs support
this includes parsing and validation even with complex DtDs, either
at parse time or later once the document has been modified. The output
can be a simple SAX stream or and in-memory DOM like representations.
In this case one can use the built-in XPath and XPointer implementation
to select subnodes or ranges. A flexible Input/Output mechanism is
available, with existing HTTP and FTP modules and combined to an
URI library.

Update Information:

Fixes a couple of security issues when overflowing text data size of buffer
size.
");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_cwe_id(59);
script_set_attribute(attribute: "solution", value: "Update the affected package(s) using, for example, 'yum update'.");
script_set_attribute(attribute:"plugin_type", value: "local");
 script_set_attribute(attribute:"plugin_publication_date", value: "2009/04/23");
 script_cvs_date("Date: 2018/07/20  0:18:52");
script_end_attributes();

 script_cve_id("CVE-2007-1320", "CVE-2008-4225", "CVE-2008-4226", "CVE-2008-4539", "CVE-2008-4989", "CVE-2008-5148");
script_summary(english: "Check for the version of the installed package(s).");
 
 script_category(ACT_GATHER_INFO);
 
 script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
 script_family(english: "Fedora Local Security Checks");
 script_dependencies("ssh_get_info.nasl");
 script_require_keys("Host/RedHat/rpm-list");
 exit(0);
}

# Deprecated.
exit(0, "The associated advisory is not security-related.");


include("rpm.inc");

flag = 0;
if ( rpm_check( reference:"cobbler-1.2.9-1.fc10", release:"FC10") ) flag ++;
if ( rpm_check( reference:"drupal-cck-6.x.2.0-3.fc10", release:"FC10") ) flag ++;
if ( rpm_check( reference:"geda-gnetlist-20080929-2.fc10", release:"FC10") ) flag ++;
if ( rpm_check( reference:"gnutls-2.4.2-3.fc10", release:"FC10") ) flag ++;
if ( rpm_check( reference:"kvm-74-6.fc10", release:"FC10") ) flag ++;
if ( rpm_check( reference:"libxml2-2.7.2-2.fc10", release:"FC10") ) flag ++;
if (flag)
{
 security_hole(port:0, extra:rpm_report_get());
 exit(0);
}
else
 exit(0, "Host is not affected");
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1799.NASL
    descriptionSeveral vulnerabilities have been discovered in the QEMU processor emulator. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-0928 Ian Jackson discovered that range checks of file operations on emulated disk devices were insufficiently enforced. - CVE-2008-1945 It was discovered that an error in the format auto detection of removable media could lead to the disclosure of files in the host system. - CVE-2008-4539 A buffer overflow has been found in the emulation of the Cirrus graphics adaptor.
    last seen2020-06-01
    modified2020-06-02
    plugin id38747
    published2009-05-13
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/38747
    titleDebian DSA-1799-1 : qemu - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-1799. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(38747);
  script_version("1.14");
  script_cvs_date("Date: 2019/08/02 13:32:22");

  script_cve_id("CVE-2008-0928", "CVE-2008-1945", "CVE-2008-4539");
  script_bugtraq_id(23731, 28001);
  script_xref(name:"DSA", value:"1799");

  script_name(english:"Debian DSA-1799-1 : qemu - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Several vulnerabilities have been discovered in the QEMU processor
emulator. The Common Vulnerabilities and Exposures project identifies
the following problems :

  - CVE-2008-0928
    Ian Jackson discovered that range checks of file
    operations on emulated disk devices were insufficiently
    enforced.

  - CVE-2008-1945
    It was discovered that an error in the format auto
    detection of removable media could lead to the
    disclosure of files in the host system.

  - CVE-2008-4539
    A buffer overflow has been found in the emulation of the
    Cirrus graphics adaptor."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2008-0928"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2008-1945"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2008-4539"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2009/dsa-1799"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the qemu packages.

For the old stable distribution (etch), these problems have been fixed
in version 0.8.2-4etch3.

For the stable distribution (lenny), these problems have been fixed in
version 0.9.1-10lenny1."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(119, 200, 264);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2009/05/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/05/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"4.0", prefix:"qemu", reference:"0.8.2-4etch3")) flag++;
if (deb_check(release:"5.0", prefix:"qemu", reference:"0.9.1-10lenny1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-11727.NASL
    description---------------------------------------------------------------------- ---------- ChangeLog : - Mon Dec 22 2008 Glauber Costa <glommer at redhat.com> - 74-10 - Fixed CVE-2008-2382. - Thu Dec 4 2008 Glauber Costa <glommer at redhat.com> - 74-9 - Fixed bug that corrupted gnome-panel #474703 - Tue Dec 2 2008 Glauber Costa <glommer at redhat.com> - 74-8 - Properly set flags for interrupt return #474059 - Mon Nov 24 2008 Glauber Costa <glommer at redhat.com> - 74-7 - added upstream patch kvm-restore-option-rom.patch - #470561 - Tue Nov 11 2008 Glauber Costa <glommer at redhat.com> - 74-6 - Fix cirrus vulnerability (CVE-2008-4539) - #471055 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id37268
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/37268
    titleFedora 10 : kvm-74-10.fc10 (2008-11727)
    code
    #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory 2008-11727.
#

include("compat.inc");

if (description)
{
  script_id(37268);
  script_version ("1.12");
  script_cvs_date("Date: 2019/08/02 13:32:27");

  script_cve_id("CVE-2008-2382");
  script_xref(name:"FEDORA", value:"2008-11727");

  script_name(english:"Fedora 10 : kvm-74-10.fc10 (2008-11727)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"----------------------------------------------------------------------
---------- ChangeLog :

  - Mon Dec 22 2008 Glauber Costa <glommer at redhat.com> -
    74-10

    - Fixed CVE-2008-2382.

    - Thu Dec 4 2008 Glauber Costa <glommer at redhat.com> -
      74-9

    - Fixed bug that corrupted gnome-panel #474703

    - Tue Dec 2 2008 Glauber Costa <glommer at redhat.com> -
      74-8

    - Properly set flags for interrupt return #474059

    - Mon Nov 24 2008 Glauber Costa <glommer at redhat.com>
      - 74-7

    - added upstream patch kvm-restore-option-rom.patch -
      #470561

    - Tue Nov 11 2008 Glauber Costa <glommer at redhat.com>
      - 74-6

    - Fix cirrus vulnerability (CVE-2008-4539) - #471055

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=477636"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2008-December/018261.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?1b87e988"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected kvm package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_cwe_id(399);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kvm");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:10");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/12/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^10([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 10.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC10", reference:"kvm-74-10.fc10")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kvm");
}
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_0_QEMU-090325.NASL
    descriptionqemu update to version 0.10.1 fixes the following security issues : CVE-2008-0928: problems with range checks of block devices CVE-2008-1945: problems with removable media handling CVE-2008-2382: vnc server DoS CVE-2008-4539: fix a heap overflow in the cirrus VGA implementation CVE-2008-5714: off by one error in vnc password handling
    last seen2020-06-01
    modified2020-06-02
    plugin id40118
    published2009-07-21
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40118
    titleopenSUSE Security Update : qemu (qemu-691)
    code
    #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update qemu-691.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(40118);
  script_version("1.12");
  script_cvs_date("Date: 2019/10/25 13:36:34");

  script_cve_id("CVE-2008-0928", "CVE-2008-1945", "CVE-2008-2382", "CVE-2008-4539", "CVE-2008-5714");

  script_name(english:"openSUSE Security Update : qemu (qemu-691)");
  script_summary(english:"Check for the qemu-691 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"qemu update to version 0.10.1 fixes the following security issues :

CVE-2008-0928: problems with range checks of block devices
CVE-2008-1945: problems with removable media handling CVE-2008-2382:
vnc server DoS CVE-2008-4539: fix a heap overflow in the cirrus VGA
implementation CVE-2008-5714: off by one error in vnc password
handling"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=362956"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=435135"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=461565"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=462502"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected qemu package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
  script_cwe_id(119, 189, 200, 264, 399);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2009/03/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/21");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE11\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.0", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE11.0", reference:"qemu-0.10.1-0.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu");
}
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_1_QEMU-090325.NASL
    descriptionqemu update to version 0.10.1 fixes the following security issues : CVE-2008-0928: problems with range checks of block devices CVE-2008-1945: problems with removable media handling CVE-2008-2382: vnc server DoS CVE-2008-4539: fix a heap overflow in the cirrus VGA implementation CVE-2008-5714: off by one error in vnc password handling
    last seen2020-06-01
    modified2020-06-02
    plugin id40302
    published2009-07-21
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40302
    titleopenSUSE Security Update : qemu (qemu-691)
    code
    #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update qemu-691.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(40302);
  script_version("1.12");
  script_cvs_date("Date: 2019/10/25 13:36:35");

  script_cve_id("CVE-2008-0928", "CVE-2008-1945", "CVE-2008-2382", "CVE-2008-4539", "CVE-2008-5714");

  script_name(english:"openSUSE Security Update : qemu (qemu-691)");
  script_summary(english:"Check for the qemu-691 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"qemu update to version 0.10.1 fixes the following security issues :

CVE-2008-0928: problems with range checks of block devices
CVE-2008-1945: problems with removable media handling CVE-2008-2382:
vnc server DoS CVE-2008-4539: fix a heap overflow in the cirrus VGA
implementation CVE-2008-5714: off by one error in vnc password
handling"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=362956"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=435135"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=461565"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=462502"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected qemu package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
  script_cwe_id(119, 189, 200, 264, 399);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2009/03/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/21");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE11\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE11.1", reference:"qemu-0.10.1-0.1.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu");
}
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-776-2.NASL
    descriptionUSN-776-1 fixed vulnerabilities in KVM. Due to an incorrect fix, a regression was introduced in Ubuntu 8.04 LTS that caused KVM to fail to boot virtual machines started via libvirt. This update fixes the problem. We apologize for the inconvenience. Avi Kivity discovered that KVM did not correctly handle certain disk formats. A local attacker could attach a malicious partition that would allow the guest VM to read files on the VM host. (CVE-2008-1945, CVE-2008-2004) Alfredo Ortega discovered that KVM
    last seen2020-06-01
    modified2020-06-02
    plugin id38777
    published2009-05-14
    reporterUbuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/38777
    titleUbuntu 8.04 LTS : kvm regression (USN-776-2)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_QEMU-6123.NASL
    descriptionqemu update to version 0.10.1 fixes the following security issues : CVE-2008-0928: problems with range checks of block devices CVE-2008-1945: problems with removable media handling CVE-2008-2382: vnc server DoS CVE-2008-4539: fix a heap overflow in the cirrus VGA implementation CVE-2008-5714: off by one error in vnc password handling
    last seen2020-06-01
    modified2020-06-02
    plugin id36082
    published2009-04-03
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/36082
    titleopenSUSE 10 Security Update : qemu (qemu-6123)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-11705.NASL
    description---------------------------------------------------------------------- ---------- ChangeLog : - Mon Dec 22 2008 Glauber Costa <gcosta at redhat.com> - 65-15.fc9 - Fixed CVE-2008-2382. - Thu Dec 4 2008 Glauber Costa <gcosta at redhat.com> - 65-14.fc9 - Fixed bug that corrupted gnome-panel #474702 - Tue Dec 2 2008 Glauber Costa <gcosta at redhat.com> - 65-12.fc9 - Properly set flags for interrupt return #464304 - Tue Nov 11 2008 Glauber Costa <gcosta at redhat.com> - 65-11.fc9 - Fix CVE-2008-4539 #448525 - Mon Oct 13 2008 Glauber Costa <gcosta at redhat.com> - 65-10.fc9 - Fix sysenter save in 64-bit hosts #457649 - Thu Aug 28 2008 Glauber Costa <gcosta at redhat.com> - 65-9.fc9 - there
    last seen2020-06-01
    modified2020-06-02
    plugin id35266
    published2008-12-26
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/35266
    titleFedora 9 : kvm-65-15.fc9 (2008-11705)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_07BB3BD2A92011DD85030211060005DF.NASL
    descriptionAurelien Jarno reports : CVE-2008-4539: fix a heap overflow in Cirrus emulation The code in hw/cirrus_vga.c has changed a lot between CVE-2007-1320 has been announced and the patch has been applied. As a consequence it has wrongly applied and QEMU is still vulnerable to this bug if using VNC.
    last seen2020-06-01
    modified2020-06-02
    plugin id34685
    published2008-11-03
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/34685
    titleFreeBSD : qemu -- Heap overflow in Cirrus emulation (07bb3bd2-a920-11dd-8503-0211060005df)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-10083.NASL
    description - Tue Nov 11 2008 Glauber Costa <glommer at redhat.com> - 74-6 - Fix cirrus vulnerability (CVE-2008-4539) - #471055 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id62274
    published2012-09-24
    reporterThis script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/62274
    titleFedora 10 : kvm-74-6.fc10 (2008-10083)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-776-1.NASL
    descriptionAvi Kivity discovered that KVM did not correctly handle certain disk formats. A local attacker could attach a malicious partition that would allow the guest VM to read files on the VM host. (CVE-2008-1945, CVE-2008-2004) Alfredo Ortega discovered that KVM
    last seen2020-06-01
    modified2020-06-02
    plugin id38759
    published2009-05-13
    reporterUbuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/38759
    titleUbuntu 8.04 LTS / 8.10 : kvm vulnerabilities (USN-776-1)

References