CVE-2021-4207

NameCVE-2021-4207
DescriptionA flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-5133-1
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
qemu (PTS)stretch1:2.8+dfsg-6+deb9u9vulnerable
stretch (security)1:2.8+dfsg-6+deb9u17vulnerable
buster, buster (security)1:3.1+dfsg-8+deb10u8vulnerable
bullseye1:5.2+dfsg-11+deb11u1vulnerable
bullseye (security)1:5.2+dfsg-11+deb11u2fixed
bookworm1:7.0+dfsg-6fixed
sid1:7.0+dfsg-7fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
qemusourcebullseye1:5.2+dfsg-11+deb11u2DSA-5133-1
qemusource(unstable)1:7.0+dfsg-1

Notes

https://bugzilla.redhat.com/show_bug.cgi?id=2036966
https://starlabs.sg/advisories/22-4207/
Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895 (v7.0.0-rc4)

Search for package or bug name: Reporting problems