| Snyk

Threat Intelligence

0.08% (36^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-SLES150-QEMUBLOCKSSH-2752659
published14 Apr 2022
disclosed14 May 2019

Report a new vulnerability Found a mistake?

Introduced: 14 May 2019

CVE-2019-9824 (opens in a new tab) CWE-908 (opens in a new tab)

How to fix?

Upgrade SLES:15.0 qemu-block-ssh to version 2.11.2-9.25.1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream qemu-block-ssh package and not the qemu-block-ssh package as distributed by SLES. See How to fix? for SLES:15.0 relevant fixed versions and status.

tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure.

References

https://www.suse.com/security/cve/CVE-2019-9824.html
https://bugzilla.suse.com/1118900
https://bugzilla.suse.com/1129622
https://bugzilla.suse.com/1129623
https://bugzilla.suse.com/1178658
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RVDHJB2QKXNDU7OFXIHIL5O5VN5QCSZL/
https://access.redhat.com/errata/RHSA-2019:1650
https://access.redhat.com/errata/RHSA-2019:2078
https://access.redhat.com/errata/RHSA-2019:2425
https://access.redhat.com/errata/RHSA-2019:2553
https://access.redhat.com/errata/RHSA-2019:3345
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RVDHJB2QKXNDU7OFXIHIL5O5VN5QCSZL/
https://lists.gnu.org/archive/html/qemu-devel/2019-03/msg00400.html

Use of Uninitialized Resource Affecting qemu-block-ssh package, versions <2.11.2-9.25.1

Severity