SB2021072002 - Gentoo update for libslirp

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Release of invalid pointer or reference (CVE-ID: CVE-2021-3592)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to invalid pointer initialization within the bootp_input() function while processing UDP packets in the SLiRP networking implementation of QEMU. A malicious guest could use this flaw to leak 10 bytes of uninitialized heap memory from the host.

2) Release of invalid pointer or reference (CVE-ID: CVE-2021-3593)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to invalid pointer initialization within the udp6_input() function while processing UDP packets in the SLiRP networking implementation of QEMU. A malicious guest could use this vulnerability to read host memory.

3) Release of invalid pointer or reference (CVE-ID: CVE-2021-3594)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to invalid pointer initialization within the udp_input() function while processing UDP packets in the SLiRP networking implementation of QEMU. A malicious guest could use this vulnerability to read host memory.

4) Release of invalid pointer or reference (CVE-ID: CVE-2021-3595)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to invalid pointer initialization within the tftp_input() function while processing UDP packets in the SLiRP networking implementation of QEMU. A malicious guest could use this vulnerability to read host memory.

Remediation

Install update from vendor's website.

References

• https://security.gentoo.org/
• https://security.gentoo.org/glsa/202107-44