Description

It was found that the Cirrus blit region checks were insufficient. A privileged
guest user could use this flaw to write outside of VRAM-allocated buffer
boundaries in the host's QEMU process address space with attacker-provided data.
(CVE-2014-8106)

An uninitialized data structure use flaw was found in the way the
set_pixel_format() function sanitized the value of bits_per_pixel. An attacker
able to access a guest's VNC console could use this flaw to crash the guest.
(CVE-2014-7815)
It was found that certain values that were read when loading RAM during
migration were not validated. A user able to alter the savevm data (either on
the disk or over the wire during migration) could use this flaw to corrupt
QEMU process memory on the (destination) host, which could potentially result
in arbitrary code execution on the host with the privileges of the QEMU
process. (CVE-2014-7840)

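The first and third issues above are both failures to validate sizes and offsets supplied by an untrusted party before they drive a copy into host memory: a guest-controlled blit rectangle against the VRAM buffer, and length fields read from savevm data against the buffers they are loaded into. The following is an added illustration written for this page; it is not QEMU's code and not taken from the advisory. Every name in it (VRAM_SIZE, blit_region_naive, blit_region_ok, load_record, the record layout and the sample records) is an assumption made for the example, and the "naive" check is a generic wrap-around example, not the actual Cirrus code path.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative VRAM size; an assumption for this example, not QEMU's value. */
#define VRAM_SIZE (4u * 1024u * 1024u)

/* Insufficient check: the 32-bit addition wraps, so a destination near the
 * top of VRAM combined with a large width passes and the copy would run
 * past the end of the buffer. */
bool blit_region_naive(uint32_t dst_addr, uint32_t width, uint32_t vram_size)
{
    return dst_addr + width <= vram_size;
}

/* Sufficient check: the lowest and highest byte offsets the rectangle touches
 * are computed in 64-bit arithmetic. pitch may be negative (bottom-up blit),
 * so the last line can lie below the first. */
bool blit_region_ok(uint32_t dst_addr, int32_t dst_pitch,
                    uint32_t width, uint32_t height, uint32_t vram_size)
{
    if (width == 0 || height == 0 || width > vram_size || height > vram_size)
        return false;
    int64_t start = dst_addr;
    /* Cannot overflow: height <= 2^32 and |pitch| < 2^31. */
    int64_t span = (int64_t)(height - 1) * dst_pitch;
    int64_t lo = span < 0 ? start + span : start;            /* first byte touched */
    int64_t hi = (span < 0 ? start : start + span) + width;  /* one past the last byte */
    return lo >= 0 && hi <= (int64_t)vram_size;
}

/* Length-prefixed record from an untrusted stream (hypothetical layout:
 * big-endian 32-bit length followed by payload). The length is checked against
 * both the destination and the remaining stream before anything is copied.
 * Returns the number of bytes consumed, or 0 if the record is rejected. */
size_t load_record(const uint8_t *stream, size_t stream_len,
                   uint8_t *dst, size_t dst_size)
{
    if (stream_len < 4)
        return 0;
    uint32_t len = ((uint32_t)stream[0] << 24) | ((uint32_t)stream[1] << 16) |
                   ((uint32_t)stream[2] << 8) | (uint32_t)stream[3];
    if (len > dst_size || len > stream_len - 4)
        return 0;
    memcpy(dst, stream + 4, len);
    return 4 + (size_t)len;
}

/* Constructed sample records; not captured from a real migration stream. */
const uint8_t RECORD_OK[]        = {0, 0, 0, 3, 'a', 'b', 'c'};
const uint8_t RECORD_TOO_BIG[]   = {0, 0, 1, 0, 'x'};        /* claims 256 bytes */
const uint8_t RECORD_TRUNCATED[] = {0, 0, 0, 5, 'a', 'b'};   /* claims 5, carries 2 */
uint8_t scratch[8];

int main(void)
{
    printf("naive  near-top blit: %d (wrongly accepted)\n",
           blit_region_naive(0xFFFFFF00u, 0x200u, VRAM_SIZE));
    printf("strict near-top blit: %d\n",
           blit_region_ok(0xFFFFFF00u, 1, 0x200u, 1, VRAM_SIZE));
    printf("strict bottom-up blit inside VRAM: %d\n",
           blit_region_ok(4096, -1024, 64, 5, VRAM_SIZE));
    printf("record ok: %zu, too big: %zu, truncated: %zu\n",
           load_record(RECORD_OK, sizeof RECORD_OK, scratch, sizeof scratch),
           load_record(RECORD_TOO_BIG, sizeof RECORD_TOO_BIG, scratch, sizeof scratch),
           load_record(RECORD_TRUNCATED, sizeof RECORD_TRUNCATED, scratch, sizeof scratch));
    return 0;
}
```

The point of the two checks is the same: every quantity that originates on the untrusted side (guest register writes, bytes of a savevm stream) is bounded against the real size of the host buffer in arithmetic that cannot wrap, and the copy is refused rather than clamped when the bound fails.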
A NULL pointer dereference flaw was found in the way QEMU handled UDP packets
with a source port and address of 0 when QEMU's user networking was in use. A
local guest user could use this flaw to crash the guest. (CVE-2014-3640)