Bugzilla – Bug 1211582
VUL-0: CVE-2023-1601: qemu: integer overflow in cursor_alloc
Last modified: 2024-05-07 11:40:43 UTC
This CVE exists because of an incomplete fix for CVE-2021-4206. The cursor_alloc() function still accepts a signed integer for both the cursor width and height. A specially crafted negative value could make datasize wrap around and cause the next allocation to be 0, potentially leading to a heap buffer overflow.

Proposed upstream patch:
https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg01907.html

Original CVE-2021-4206:
https://bugzilla.redhat.com/show_bug.cgi?id=2036998

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1601
https://bugzilla.redhat.com/show_bug.cgi?id=2208325
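To make the size-calculation problem in the description concrete, the following is an added illustrative model, not QEMU's cursor_alloc() and not the proposed patch. It assumes a 32-bit int, a 64-bit size_t, and a hypothetical CURSOR_MAX_DIM of 512; the function names are invented for the example. It shows how an upper-bound-only check on signed width/height lets two negative values through, how the modelled width * height product wraps to 0 so the computed datasize is 0, and a checked variant that rejects non-positive dimensions and detects multiplication overflow instead.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical upper bound, chosen for this example only. */
#define CURSOR_MAX_DIM 512

/* Upper-bound-only validation on signed dimensions: 513 is rejected,
 * but every negative value passes because it is never "> CURSOR_MAX_DIM". */
static bool dims_ok_upper_only(int width, int height)
{
    return !(width > CURSOR_MAX_DIM || height > CURSOR_MAX_DIM);
}

/* Model of `size_t datasize = width * height * sizeof(uint32_t)` with
 * a 32-bit int. Signed overflow is undefined in C, so the two's-complement
 * wrap of the int product is reproduced explicitly via uint32_t here. */
static size_t datasize_wrapping_model(int width, int height)
{
    uint32_t product = (uint32_t)width * (uint32_t)height; /* int*int, wrapped */
    return (size_t)(int32_t)product * sizeof(uint32_t);    /* -> size_t */
}

/* Checked variant: reject non-positive and oversized dimensions, then
 * compute the byte count with overflow detection. Returns false (so the
 * caller can return NULL) instead of ever producing a too-small size. */
static bool cursor_datasize_checked(int width, int height, size_t *out)
{
    if (width <= 0 || height <= 0 ||
        width > CURSOR_MAX_DIM || height > CURSOR_MAX_DIM) {
        return false;
    }
    size_t pixels;
    /* Redundant with the bounds above, but cheap insurance if the bound
     * is ever raised or removed. GCC/clang builtin. */
    if (__builtin_mul_overflow((size_t)width, (size_t)height, &pixels) ||
        __builtin_mul_overflow(pixels, sizeof(uint32_t), out)) {
        return false;
    }
    return true;
}

int main(void)
{
    /* -65536 * -65536 == 2^32, which wraps to 0 in a 32-bit int. */
    int w = -65536, h = -65536;
    size_t n = 0;

    printf("upper-only check accepts %d x %d: %s\n", w, h,
           dims_ok_upper_only(w, h) ? "yes" : "no");
    printf("modelled datasize for %d x %d: %zu bytes\n", w, h,
           datasize_wrapping_model(w, h));
    printf("checked variant accepts %d x %d: %s\n", w, h,
           cursor_datasize_checked(w, h, &n) ? "yes" : "no");
    if (cursor_datasize_checked(64, 64, &n)) {
        printf("checked variant: 64 x 64 -> %zu bytes\n", n);
    }
    return 0;
}
```

The point of the model is the shape of the check, not a claim about what any given QEMU caller actually passes: a bound that only tests the upper side of a signed value is not a bound at all, and the allocation size should be derived from validated, non-negative dimensions with overflow-checked arithmetic.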
Tracking as affected:
- SUSE:SLE-12-SP1:Update/qemu
- SUSE:SLE-12-SP2:Update/qemu
- SUSE:SLE-12-SP3:Update/qemu
- SUSE:SLE-12-SP4:Update/qemu
- SUSE:SLE-12-SP5:Update/qemu
- SUSE:SLE-15-SP1:Update/qemu
- SUSE:SLE-15-SP2:Update/qemu
- SUSE:SLE-15-SP3:Update/qemu
- SUSE:SLE-15-SP4:Update/qemu
- SUSE:SLE-15-SP5:Update/qemu
- openSUSE:Factory/qemu

Proposed patch is:

[0] https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg01907.html
(In reply to Gabriele Sonnu from comment #1)
> Proposed patch is:
>
> [0] https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg01907.html

Seems like it's invalid, and the CVE (and potentially even the patch) will be dropped (or, at least, not applied anytime soon). Handing this back.
done