CVE-2009-3616

Published: 23 October 2009

Multiple use-after-free vulnerabilities in vnc.c in the VNC server in QEMU 0.10.6 and earlier might allow guest OS users to execute arbitrary code on the host OS by establishing a connection from a VNC client and then (1) disconnecting during data transfer, (2) sending a message using incorrect integer data types, or (3) using the Fuzzy Screen Mode protocol, related to double free vulnerabilities.

Priority

High

Status

Package Release Status
kvm
Launchpad, Ubuntu, Debian
Upstream Needs triage

qemu
Launchpad, Ubuntu, Debian
Upstream
Released (0.10.7)
Patches:
Upstream: http://git.savannah.gnu.org/cgit/qemu.git/commit/?h=stable-0.10&id=c2723a9606
qemu-kvm
Launchpad, Ubuntu, Debian
Upstream
Released (0.11.0)
Patches:
Vendor: http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=198a0039c5

Notes

AuthorNote
jdstrand
versions 0.9.1 and earlier are not affected. Need the following
commit to be affected:
http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=753b405331. This came in
0.10.0 (from ChangeLog: 'Multiple VNC clients are now supported')
kvm-84 as included in Ubuntu 9.04 does not contain the affected
code (it has a pre-release version of qemu 0.10.0)
kvm-84 in hardy-backports and intrepid-backports are not affected
(they are based on kvm-84 from Ubuntu 9.04)
simply search for VncDisplay in vnc.c to see if might be affected

References