| Name | CVE-2021-3592 |
| Description | An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the bootp_input() function and could occur while processing a udp packet that is smaller than the size of the 'bootp_t' structure. A malicious guest could use this flaw to leak 10 bytes of uninitialized heap memory from the host. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-3362-1 |
| Debian Bugs | 989993 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| libslirp (PTS) | bullseye | 4.4.0-1+deb11u2 | fixed |
| sid, trixie, bookworm | 4.7.0-1 | fixed |
| qemu (PTS) | jessie, jessie (lts) | 1:2.1+dfsg-12+deb8u23 | vulnerable |
| stretch (security) | 1:2.8+dfsg-6+deb9u17 | vulnerable |
| stretch (lts), stretch | 1:2.8+dfsg-6+deb9u19 | vulnerable |
| buster | 1:3.1+dfsg-8+deb10u8 | vulnerable |
| buster (security) | 1:3.1+dfsg-8+deb10u12 | fixed |
| bullseye | 1:5.2+dfsg-11+deb11u3 | fixed |
| bullseye (security) | 1:5.2+dfsg-11+deb11u2 | fixed |
| bookworm | 1:7.2+dfsg-7+deb12u5 | fixed |
| trixie | 1:8.2.1+ds-2 | fixed |
| sid | 1:8.2.3+ds-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| libslirp | source | bullseye | 4.4.0-1+deb11u2 | | | |
| libslirp | source | (unstable) | 4.6.1-1 | | | 989993 |
| qemu | source | buster | 1:3.1+dfsg-8+deb10u10 | | DLA-3362-1 | |
| qemu | source | (unstable) | 1:4.1-2 | | | |
Notes
[stretch] - qemu <ignored> (Introduces a regression. See Debian bug #994080. Reverted in DLA-2753-2)
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0)
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/f13cad45b25d92760bb0ad67bec0300a4d7d5275 (v4.6.0)
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/2eca0838eee1da96204545e22cdaed860d9d7c6c (v4.6.0)
Regression fix: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/c9f314f6e315a5518432761fea864196a290f799 (v4.6.1)
qemu 1:4.1-2 switched to system libslirp, marking that version as fixed.
The patch introduced a regression, see Debian bug #994080 for more information.
[jessie] - qemu <postponed> (Introduces a regression. See Debian bug #994080. Reverted in ELA-481-2)