Bug 1607652 (CVE-2018-19665) - CVE-2018-19665 Qemu: bt: Integer overflow in Bluetooth routines allows memory corruption
Summary: CVE-2018-19665 Qemu: bt: Integer overflow in Bluetooth routines allows memory...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2018-19665
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 1607666 1608610 1608611 (view as bug list)
Depends On: 1640543 1640544 1640545 1640546 1640547 1640548 1640549 1640550 1640551 1640552 1640553 1640554
Blocks: 1607659
TreeView+ depends on / blocked
 
Reported: 2018-07-24 00:18 UTC by Sam Fowler
Modified: 2021-02-16 23:55 UTC (History)
39 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:34:08 UTC


Attachments (Terms of Use)

Description Sam Fowler 2018-07-24 00:18:20 UTC
An integer overflow resulting in memory corruption issue was found in various Bluetooth functions. It could occur in routines wherein 'len' parameter is a 'signed int' which subsequently converts to an unsigned integer resulting in memcpy() copying large amounts of memory.

A user inside guest could use this flaw to crash the Qemu process resulting in DoS.

Upstream patch:
---------------
  -> https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg03570.html

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2018/11/29/1

Comment 1 Sam Fowler 2018-07-24 05:14:35 UTC
Acknowledgments:

Name: Arash Tohidi

Comment 2 Prasad J Pandit 2018-10-18 10:11:06 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1640543]

Comment 6 Prasad J Pandit 2018-11-29 08:53:14 UTC
*** Bug 1607666 has been marked as a duplicate of this bug. ***

Comment 7 Prasad J Pandit 2018-11-29 08:53:55 UTC
*** Bug 1608611 has been marked as a duplicate of this bug. ***

Comment 8 Prasad J Pandit 2018-11-29 08:54:08 UTC
*** Bug 1608610 has been marked as a duplicate of this bug. ***


Note You need to log in before you can comment on or make changes to this bug.