Back to bug 2208325

Who | When | What | Removed | Added
--- | --- | --- | --- | ---
Mauro Matteo Cascella | 2023-05-18 15:28:48 UTC | Depends On | | 2208328, 2208327
Mauro Matteo Cascella | 2023-05-18 15:29:36 UTC | Blocks | | 2208329
Mauro Matteo Cascella | 2023-05-18 15:32:22 UTC | Depends On | | 2208330, 2208331
Salvatore Bonaccorso | 2023-05-23 10:19:40 UTC | Flags | | needinfo?(security-response-team)
Salvatore Bonaccorso | 2023-05-23 10:19:40 UTC | CC | | carnil, security-response-team
Mauro Matteo Cascella | 2023-05-23 15:00:44 UTC | Flags | needinfo?(security-response-team) |
Mauro Matteo Cascella | 2023-05-24 08:44:23 UTC | Resolution | --- | NOTABUG
Mauro Matteo Cascella | 2023-05-24 08:44:23 UTC | Status | NEW | CLOSED
Mauro Matteo Cascella | 2023-05-24 08:44:23 UTC | Last Closed | | 2023-05-24 08:44:23 UTC
Mauro Matteo Cascella | 2023-05-24 08:52:39 UTC | Doc Text | This CVE exists because of an incomplete fix for CVE-2021-4206. The cursor_alloc() function still accepts a signed integer for both the cursor width and height. A specially crafted negative value could make datasize wrap around and cause the next allocation to be 0, potentially leading to a heap buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process. | This CVE was originally allocated because of an incomplete fix for CVE-2021-4206. The CVE was subsequently rejected as the flaw was not confirmed.
Mauro Matteo Cascella | 2023-05-29 09:27:24 UTC | Summary | CVE-2023-1601 QEMU: QXL: integer overflow in cursor_alloc (incomplete fix for CVE-2021-4206) | QEMU: ui/cursor: make width/height unsigned 16-bit integer
Mauro Matteo Cascella | 2023-05-29 09:27:24 UTC | Doc Text | This CVE was originally allocated because of an incomplete fix for CVE-2021-4206. The CVE was subsequently rejected as the flaw was not confirmed. | CVE-2023-1601 was originally allocated because of an incomplete fix for CVE-2021-4206. The CVE was subsequently rejected as the flaw was not confirmed.
Mauro Matteo Cascella | 2023-05-29 09:54:49 UTC | Doc Type | --- | If docs needed, set a value
Mauro Matteo Cascella | 2023-05-29 09:54:49 UTC | Alias | | CVE-2023-1601
Mauro Matteo Cascella | 2023-05-29 10:05:32 UTC | Comment 0 | | updated