Vigil@nce - Qemu: unreachable memory reading via bits_per_pixel
November 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can force a read at an invalid address in the
bits_per_pixel() function of Qemu, in order to trigger a denial of
service.
Impacted products: Debian, Fedora, MBS, Ubuntu, Unix (platform)
Severity: 1/4
Creation date: 24/11/2014
DESCRIPTION OF THE VULNERABILITY
The Qemu product implements support for VNC clients.
However, if the size requested in the set_pixel_format() function
of the ui/vnc.c file is too small, Qemu tries to read a memory area
which is not reachable, which triggers a fatal error.
An attacker can therefore force a read at an invalid address in
the bits_per_pixel() function of Qemu, in order to trigger a
denial of service.
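
As an added illustration (not Qemu's code and not its patch), the following C function validates an RFB SetPixelFormat message before any pixel-conversion code uses the client-supplied values. The names struct pixel_format, parse_set_pixel_format and sample_msg are hypothetical; the field layout and the allowed bits-per-pixel values (8, 16, 32) come from RFC 6143.

```c
#include <stddef.h>
#include <stdint.h>

/* RFB SetPixelFormat (RFC 6143, 7.5.1): type 0, 3 pad bytes, 16-byte PIXEL_FORMAT. */
#define RFB_SET_PIXEL_FORMAT     0
#define RFB_SET_PIXEL_FORMAT_LEN 20

/* Hypothetical type for this example; not Qemu's own structure. */
struct pixel_format {
    uint8_t  bits_per_pixel, depth, big_endian, true_colour;
    uint16_t red_max, green_max, blue_max;
    uint8_t  red_shift, green_shift, blue_shift;
};

/* Constructed sample: 32 bpp, depth 24, true colour, 8 bits per channel. */
const uint8_t sample_msg[RFB_SET_PIXEL_FORMAT_LEN] = {
    0, 0, 0, 0,  32, 24, 0, 1,  0, 255, 0, 255, 0, 255,  16, 8, 0,  0, 0, 0
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 and fills *pf if the message is acceptable, -1 to reject it. */
int parse_set_pixel_format(const uint8_t *msg, size_t len,
                           struct pixel_format *pf)
{
    if (!msg || !pf || len < RFB_SET_PIXEL_FORMAT_LEN)
        return -1;                         /* truncated message */
    if (msg[0] != RFB_SET_PIXEL_FORMAT)
        return -1;                         /* not a SetPixelFormat message */

    const uint8_t *p = msg + 4;            /* start of PIXEL_FORMAT */
    uint8_t bpp = p[0];
    if (bpp != 8 && bpp != 16 && bpp != 32)
        return -1;                         /* RFC 6143: must be 8, 16 or 32 */
    if (p[1] > bpp)
        return -1;                         /* RFC 6143: bpp >= depth */
    /* Sanity check chosen for this example: shifts stay inside the pixel. */
    if (p[3] && (p[10] >= bpp || p[11] >= bpp || p[12] >= bpp))
        return -1;

    pf->bits_per_pixel = bpp; pf->depth = p[1];
    pf->big_endian = p[2] != 0; pf->true_colour = p[3] != 0;
    pf->red_max = be16(p + 4); pf->green_max = be16(p + 6); pf->blue_max = be16(p + 8);
    pf->red_shift = p[10]; pf->green_shift = p[11]; pf->blue_shift = p[12];
    return 0;
}
```

A server that rejects the message at this point can close the client connection instead of passing an unchecked pixel size to later rendering code.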
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Qemu-unreachable-memory-reading-via-bits-per-pixel-15693