The cursor_alloc() function still accepts a signed integer for both the cursor width and height. A specially crafted negative value could make datasize wrap around and cause the next allocation to be 0, potentially leading to a heap buffer overflow.

Proposed upstream patch: https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg01907.html

Original CVE-2021-4206: https://bugzilla.redhat.com/show_bug.cgi?id=2036998

*** EDIT ***

CVE-2023-1601 was originally allocated because of an alleged incomplete fix for CVE-2021-4206. The CVE was subsequently rejected as the flaw was not confirmed. See https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg05546.html.
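The arithmetic the report describes, as an added stand-alone example. This is not QEMU's code: the cursor_t struct, the MAX_DIM bound and all function names are assumptions made for illustration, and the example only reproduces the size computation pattern (signed width/height multiplied into a size_t), not any reachable path in QEMU; the thread below records that no such path was found and the CVE was rejected. The first helper shows how a negative dimension turns the computed allocation size into 0 after it wraps past SIZE_MAX, the second rejects the input before any allocation happens.

```c
/* Added example, not QEMU's code. Reproduces the signed-int size
 * computation the bug report describes and a hardened alternative. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a cursor object: a small header followed by a
 * flexible array of 32-bit pixels (sizeof(cursor_t) is just the header). */
typedef struct {
    int width;
    int height;
    uint32_t data[];
} cursor_t;

/* Pixel-byte computation as the report describes it: both dimensions are
 * plain signed ints and nothing rejects a negative one. width * height is
 * an int product; when that (possibly negative) int is multiplied by the
 * size_t sizeof(uint32_t) it is converted to size_t first, so a negative
 * product becomes a value close to SIZE_MAX and the multiply wraps. */
size_t datasize_signed(int width, int height)
{
    return (size_t)(width * height) * sizeof(uint32_t);
}

/* Total request that would go to the allocator: header plus pixels.
 * For width = -1, height = 2 this wraps all the way round to exactly 0. */
size_t alloc_size_signed(int width, int height)
{
    return sizeof(cursor_t) + datasize_signed(width, height);
}

/* Hardened variant. MAX_DIM is an assumed sanity bound for this example;
 * the point is that both a sign check and an upper bound are applied
 * before any multiplication, and the multiplication itself is done in
 * size_t with an explicit overflow check. Returns 0 on rejection. */
#define MAX_DIM 512

size_t alloc_size_checked(int width, int height)
{
    if (width <= 0 || height <= 0 || width > MAX_DIM || height > MAX_DIM) {
        return 0;
    }
    size_t pixels = (size_t)width * (size_t)height;
    /* Unreachable with MAX_DIM = 512, kept so the helper stays correct if
     * the bound is ever raised. */
    if (pixels > (SIZE_MAX - sizeof(cursor_t)) / sizeof(uint32_t)) {
        return 0;
    }
    return sizeof(cursor_t) + pixels * sizeof(uint32_t);
}

/* Allocator built on the checked size; returns NULL for bad dimensions
 * instead of handing back an undersized buffer. */
cursor_t *cursor_alloc_checked(int width, int height)
{
    size_t bytes = alloc_size_checked(width, height);
    if (bytes == 0) {
        return NULL;
    }
    cursor_t *c = calloc(1, bytes);
    if (c == NULL) {
        return NULL;
    }
    c->width = width;
    c->height = height;
    return c;
}

int main(void)
{
    printf("signed  64x64 : %zu bytes\n", alloc_size_signed(64, 64));
    printf("signed  -1x2  : %zu bytes (wrapped)\n", alloc_size_signed(-1, 2));
    printf("checked -1x2  : %zu bytes (rejected)\n", alloc_size_checked(-1, 2));

    cursor_t *c = cursor_alloc_checked(64, 64);
    if (c != NULL) {
        c->data[64 * 64 - 1] = 0xffffffffu;  /* last pixel, inside the buffer */
        free(c);
    }
    return 0;
}
```

With a signed product, a negative width or height is not a "large" request that the allocator could refuse but a tiny or zero one that succeeds, and every later write of width * height pixels lands past the end of the buffer; rejecting non-positive values before the multiply, and doing the multiply in size_t, removes both the wrap and the sign problem.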
Created qemu tracking bugs for this issue:

Affects: epel-all [bug 2208328]
Affects: fedora-all [bug 2208327]
Hi,

Should this CVE be rejected? According to https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg05546.html there seems to be no code path which can trigger the overflow.

Regards,
Salvatore
Hi, yes, I'm going to reject this CVE. Thanks.
Updated patch: https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg05867.html
Upstream commit: https://gitlab.com/qemu-project/qemu/-/commit/4c93ce54e7114aae33100d2ee4f2b36e451a1d06