CVE-2013-4537

Description

The ssi_sd_transfer function in hw/sd/ssi-sd.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary code via a crafted arglen value in a savevm image.

CVSS Metrics

• v2.0•HIGH•Score: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 1.90%• Percentile: 84%

Techniques & Countermeasures

• CWE-94•Improper Control of Generation of Code ('Code Injection')

  The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Affected Systems

• qemu•qemu

  ≤ 1.7.1 | 0.1.0 | 0.1.1 | 0.1.2 | 0.1.3 | 0.1.4 | 0.1.5 | 0.1.6 | 0.2.0 | 0.3.0 | 0.4.0 | 0.4.1 | 0.4.2 | 0.4.3 | 0.5.0 | 0.5.1 | 0.5.2 | 0.5.3 | 0.5.4 | 0.5.5 | 0.6.0 | 0.6.1 | 0.7.0 | 0.7.1 | 0.7.2 | 0.8.0 | 0.8.1 | 0.8.2 | 0.9.0 | 0.9.1 | 0.9.1-5 | 0.10.0 | 0.10.1 | 0.10.2 | 0.10.3 | 0.10.4 | 0.10.5 | 0.10.6 | 0.11.0 | 0.11.0:rc0 | 0.11.0:rc1 | 0.11.0:rc2 | 0.11.0-rc0 | 0.11.0-rc1 | 0.11.0-rc2 | 0.11.1 | 0.12.0 | 0.12.0:rc1 | 0.12.0:rc2 | 0.12.1 | 0.12.2 | 0.12.3 | 0.12.4 | 0.12.5 | 0.13.0 | 0.13.0:rc0 | 0.13.0:rc1 | 0.14.0 | 0.14.0:rc0 | 0.14.0:rc1 | 0.14.0:rc2 | 0.14.1 | 0.15.0:rc1 | 0.15.0:rc2 | 0.15.1 | 0.15.2 | 1.0 | 1.0:rc1 | 1.0:rc2 | 1.0:rc3 | 1.0:rc4 | 1.0.1 | 1.1 | 1.1:rc1 | 1.1:rc2 | 1.1:rc3 | 1.1:rc4 | 1.4.1 | 1.4.2 | 1.5.0 | 1.5.0:rc1 | 1.5.0:rc2 | 1.5.0:rc3 | 1.5.1 | 1.5.2 | 1.5.3 | 1.6.0 | 1.6.0:rc1 | 1.6.0:rc2 | 1.6.0:rc3 | 1.6.1 | 1.6.2

References (4)

• http://lists.nongnu.org/archive/html/qemu-stable/2014-07/msg00187.html
• http://lists.gnu.org/archive/html/qemu-devel/2013-12/msg00394.html
• http://lists.fedoraproject.org/pipermail/package-announce/2014-May/133345.html
• http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=a9c380db3b8c6af19546a68145c8d1438a09c92b