CVE-2020-8608

Published: 6 February 2020

In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer overflow in later code.

From the Ubuntu Security Team

It was discovered that the SLiRP networking implementation of the QEMU emulator misuses snprintf return values. An attacker could use this to cause a denial of service (application crash) or potentially execute arbitrary code.

Notes

Author	Note
mdeslaur	possible better approach would be to disable tcp_emu completely https://gitlab.freedesktop.org/slirp/libslirp/commit/07c2a44b67e219ac14207f7a1b33704e1312cf91

Priority

Cvss 3 Severity Score

5.6

Score breakdown

Status

Package	Release	Status
libslirp Launchpad, Ubuntu, Debian	bionic	Does not exist
	eoan	Does not exist
	focal	Released (4.1.0-2ubuntu1)
	groovy	Released (4.1.0-2ubuntu1)
	hirsute	Released (4.1.0-2ubuntu1)
	impish	Released (4.1.0-2ubuntu1)
	jammy	Released (4.1.0-2ubuntu1)
	kinetic	Released (4.1.0-2ubuntu1)
	lunar	Released (4.1.0-2ubuntu1)
	mantic	Released (4.1.0-2ubuntu1)
	noble	Released (4.1.0-2ubuntu1)
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
	Patches: upstream: https://gitlab.freedesktop.org/slirp/libslirp/commit/30648c03b27fb8d9611b723184216cd3174b6775 upstream: https://gitlab.freedesktop.org/slirp/libslirp/commit/68ccb8021a838066f0951d4b2817eb6b6f10a843
qemu Launchpad, Ubuntu, Debian	bionic	Released (1:2.11+dfsg-1ubuntu7.23)
	eoan	Released (1:4.0+dfsg-0ubuntu9.4)
	focal	Not vulnerable (uses system libslirp)
	groovy	Not vulnerable (uses system libslirp)
	hirsute	Not vulnerable (uses system libslirp)
	impish	Not vulnerable (uses system libslirp)
	jammy	Not vulnerable (uses system libslirp)
	kinetic	Not vulnerable (uses system libslirp)
	lunar	Not vulnerable (uses system libslirp)
	mantic	Not vulnerable (uses system libslirp)
	noble	Not vulnerable (uses system libslirp)
	trusty	Needs triage
	upstream	Needs triage
	xenial	Released (1:2.5+dfsg-5ubuntu10.43)
qemu-kvm Launchpad, Ubuntu, Debian	bionic	Does not exist
	eoan	Does not exist
	focal	Does not exist
	groovy	Does not exist
	hirsute	Does not exist
	impish	Does not exist
	jammy	Does not exist
	kinetic	Does not exist
	lunar	Does not exist
	mantic	Does not exist
	noble	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
slirp Launchpad, Ubuntu, Debian	bionic	Released (1:1.0.17-8ubuntu18.04.1)
	eoan	Ignored (end of life)
	focal	Needed
	groovy	Ignored (end of life)
	hirsute	Ignored (end of life)
	impish	Ignored (end of life)
	jammy	Needed
	kinetic	Ignored (end of life, was needed)
	lunar	Ignored (end of life, was needed)
	mantic	Needed
	noble	Needed
	trusty	Released (1:1.0.17-7+deb8u2build0.14.04.1+esm1) Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
	upstream	Needs triage
	xenial	Released (1:1.0.17-8ubuntu16.04.1)
slirp4netns Launchpad, Ubuntu, Debian	bionic	Does not exist
	eoan	Ignored (end of life)
	focal	Needs triage
	groovy	Not vulnerable (1.0.1-1)
	hirsute	Not vulnerable (1.0.1-1)
	impish	Not vulnerable (1.0.1-1)
	jammy	Not vulnerable (1.0.1-1)
	kinetic	Not vulnerable (1.0.1-1)
	lunar	Not vulnerable (1.0.1-1)
	mantic	Not vulnerable (1.0.1-1)
	noble	Not vulnerable (1.0.1-1)
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist

Severity score breakdown

Parameter	Value
Base score	5.6
Attack vector	Network
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	Low
Integrity impact	Low
Availability impact	Low
Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›