Bug 1829825 (CVE-2020-1983) - CVE-2020-1983 QEMU: slirp: use-after-free in ip_reass() function in ip_input.c
Summary: CVE-2020-1983 QEMU: slirp: use-after-free in ip_reass() function in ip_input.c
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-1983
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1829826 1829827 1835839 1836070 1836444 1836445 1837565 1837566 1837567 1837568 1837569 1837570 1837571 1837572 1838070 1838077 1838082 1910698
Blocks: 1835969
TreeView+ depends on / blocked
 
Reported: 2020-04-30 12:49 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-10-09 11:27 UTC (History)
34 users (show)

Fixed In Version: libslirp 4.3.0
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the SLiRP networking implementation of the QEMU emulator. Specifically, this flaw occurs in the ip_reass() routine while reassembling incoming IP fragments whose combined size is bigger than 65k. This flaw allows an attacker to crash the QEMU process on the host, resulting in a denial of service.
Clone Of:
Environment:
Last Closed: 2020-07-21 19:27:55 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3053 0 None None None 2020-07-21 15:31:57 UTC
Red Hat Product Errata RHSA-2020:4079 0 None None None 2020-09-30 05:53:38 UTC
Red Hat Product Errata RHSA-2020:4290 0 None None None 2020-10-20 09:28:53 UTC
Red Hat Product Errata RHSA-2020:4676 0 None None None 2020-11-04 02:52:53 UTC
Red Hat Product Errata RHSA-2021:0346 0 None None None 2021-02-02 12:06:11 UTC
Red Hat Product Errata RHSA-2021:0459 0 None None None 2021-02-09 13:51:37 UTC
Red Hat Product Errata RHSA-2021:0934 0 None None None 2021-03-18 13:04:54 UTC

Description Guilherme de Almeida Suckevicz 2020-04-30 12:49:54 UTC 
A use after free vulnerability in ip_reass() in ip_input.c of libslirp 4.2.0 and prior releases allows crafted packets to cause a denial of service.

Reference:
https://gitlab.freedesktop.org/slirp/libslirp/-/issues/20

Upstream commit:
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/9ac0371bb8c0a40f5d9f82a1c25129660e81df04
Comment 1 Guilherme de Almeida Suckevicz 2020-04-30 12:50:14 UTC 
Created libslirp tracking bugs for this issue:

Affects: epel-8 [bug 1829827]
Affects: fedora-all [bug 1829826]
Comment 2 Product Security DevOps Team 2020-04-30 16:31:50 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Comment 5 Mauro Matteo Cascella 2020-05-14 15:11:34 UTC 
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1835839]
Comment 6 Mark Cooper 2020-05-15 05:01:26 UTC 
OpenShift 4 packages slirp4netns which vendors in libslirp v4.1.0. 

Additionally, have checked that the patch for src/ip_input.c has not been already applied/backported.
Comment 15 errata-xmlrpc 2020-07-21 15:31:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3053 https://access.redhat.com/errata/RHSA-2020:3053
Comment 16 Product Security DevOps Team 2020-07-21 19:27:55 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1983
Comment 19 errata-xmlrpc 2020-09-30 05:53:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4079 https://access.redhat.com/errata/RHSA-2020:4079
Comment 20 errata-xmlrpc 2020-10-20 09:28:46 UTC 
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.1.1

Via RHSA-2020:4290 https://access.redhat.com/errata/RHSA-2020:4290
Comment 21 errata-xmlrpc 2020-11-04 02:52:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4676 https://access.redhat.com/errata/RHSA-2020:4676
Comment 23 errata-xmlrpc 2021-02-02 12:06:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0346 https://access.redhat.com/errata/RHSA-2021:0346
Comment 24 errata-xmlrpc 2021-02-09 13:51:33 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
  Red Hat Virtualization Engine 4.3

Via RHSA-2021:0459 https://access.redhat.com/errata/RHSA-2021:0459
Comment 25 errata-xmlrpc 2021-03-18 13:04:47 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2021:0934 https://access.redhat.com/errata/RHSA-2021:0934
Note You need to log in before you can comment on or make changes to this bug.