CVE-2017-8379
medium
CVSS v3
6.5
CVSS v2
4.9
VIR risk
6.5
Description
Memory leak in the keyboard input event handlers support in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) by rapidly generating large keyboard events.
Predictions
Exploit likelihood
65%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2017-8379
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2017-8379.html
Vendor advisory: cve@mitre.org — https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg05599.html
Vendor advisory: cve@mitre.org — http://www.openwall.com/lists/oss-security/2017/05/03/2
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | | affected | |
| debian | 8.0 | affected | |
| debian | bookworm | fixed | 1:2.8+dfsg-5 |
| debian | bullseye | fixed | 1:2.8+dfsg-5 |
| debian | forky | fixed | 1:2.8+dfsg-5 |
| debian | sid | fixed | 1:2.8+dfsg-5 |
| debian | trixie | fixed | 1:2.8+dfsg-5 |
References
- http://www.openwall.com/lists/oss-security/2017/05/03/2
- http://www.securityfocus.com/bid/98277
- https://access.redhat.com/errata/RHSA-2017:2408
- https://lists.debian.org/debian-lts-announce/2018/09/msg00007.html
- https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg05599.html
- https://security.gentoo.org/glsa/201706-03
- https://www.suse.com/security/cve/CVE-2017-8379.html
- https://security-tracker.debian.org/tracker/CVE-2017-8379
CWEs
CWE-772