CVE-2021-3595

NameCVE-2021-3595
DescriptionAn invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the tftp_input() function and could occur while processing a udp packet that is smaller than the size of the 'tftp_t' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2753-1, DLA-3362-1
Debian Bugs989996

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libslirp (PTS)bullseye4.4.0-1+deb11u2fixed
bookworm4.7.0-1fixed
sid, trixie4.8.0-1fixed
qemu (PTS)bullseye1:5.2+dfsg-11+deb11u3fixed
bullseye (security)1:5.2+dfsg-11+deb11u4fixed
bookworm1:7.2+dfsg-7+deb12u13fixed
sid, trixie1:10.0.0+ds-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libslirpsourcebullseye4.4.0-1+deb11u2
libslirpsource(unstable)4.6.1-1989996
qemusourcestretch1:2.8+dfsg-6+deb9u15DLA-2753-1
qemusourcebuster1:3.1+dfsg-8+deb10u10DLA-3362-1
qemusource(unstable)1:4.1-2

Notes

https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0)
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/3f17948137155f025f7809fdc38576d5d2451c3d (v4.6.0)
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/990163cf3ac86b7875559f49602c4d76f46f6f30 (v4.6.0)
qemu 1:4.1-2 switched to system libslirp, marking that version as fixed.
Search for package or bug name: Reporting problems