Out-of-Bounds in qemu-common | CVE-2018-20815

Q: How to fix?

Upgrade Amazon-Linux:2 qemu-common to version 10:3.1.0-7.amzn2.0.1 or higher. This issue was patched in ALAS2-2019-1248 .

Threat Intelligence

Not Defined

1.07% (85^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-AMZN2-QEMUCOMMON-1671394
published27 Sept 2021
disclosed31 May 2019

Report a new vulnerability Found a mistake?

Introduced: 31 May 2019

CVE-2018-20815 (opens in a new tab) CWE-119 (opens in a new tab)

How to fix?

Upgrade Amazon-Linux:2 qemu-common to version 10:3.1.0-7.amzn2.0.1 or higher.
This issue was patched in ALAS2-2019-1248.

NVD Description

Note: Versions mentioned in the description apply only to the upstream qemu-common package and not the qemu-common package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

In QEMU 3.1.0, load_device_tree in device_tree.c calls the deprecated load_image function, which has a buffer overflow risk.

Out-of-Bounds Affecting qemu-common package, versions <10:3.1.0-7.amzn2.0.1

Severity

Threat Intelligence

Do your applications use this vulnerable package?

Introduced: 31 May 2019

How to fix?

NVD Description

References