Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <nycvar.YSQ.7.76.2003051452250.5086@xnncv>
Date: Thu, 5 Mar 2020 14:59:17 +0530 (IST)
From: P J P <ppandit@...hat.com>
To: oss security list <oss-security@...ts.openwall.com>
Subject: CVE-2019-20382 QEMU: vnc: memory leakage upon disconnect

   Hello,

A memory leakage flaw was found in the way VNC display driver of QEMU handled 
connection disconnect, when ZRLE, Tight encoding is enabled. It creates two 
vncState objects, one of which allocates memory for Zlib's data object. This 
allocated memory is not free'd upon disconnection resulting in the said memory 
leakage issue.

A user able to connect to the VNC server could use this flaw to leak host 
memory leading to a potential DoS scenario.

Upstream patch:
---------------
   -> https://git.qemu.org/?p=qemu.git;a=commitdiff;h=6bf21f3d83e95bcc4ba35a7a07cc6655e8b010b0

CVE-2019-20382 assigned via -> https://cveform.mitre.org/

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.