CVE-2007-5729: Improper Restriction of Operations within the Bounds of a Memory Buffer in Qemu

Severity: 7.2 HIGH (NVD)
EPSS: 0.1% (top 65.23%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 30; latest update May 1

Description

The NE2000 emulator in QEMU 0.8.2 allows local users to execute arbitrary code by writing Ethernet frames with a size larger than the MTU to the EN0_TCNT register, which triggers a heap-based buffer overflow in the slirp library, aka NE2000 "mtu" heap overflow. NOTE: some sources have used CVE-2007-1321 to refer to this issue as part of "NE2000 network driver and the socket code," but this is the correct identifier for the mtu overflow vulnerability.

CVSS vector

AV:L/AC:L/C:C/I:C/A:C (Exploitability: 3.9 | Impact: 10.0)

Affected Packages (5 packages)

debian: debian/qemu < qemu 0.9.0-2 (bookworm)
Debian: qemu/qemu < 0.9.0-2 (+3)
NVD: qemu/qemu 0.8.2
NVD: opensuse/opensuse 11.0, 11.1 (+1)

Also affects: Debian Linux 3.1, 4.0, Fedora 7

Vulnerability Details (4)

GHSA: GHSA-793p-rv2q-qv42: Integer signedness error in the NE2000 emulator in QEMU 0... (2022-05-01)
GHSA: GHSA-pqgp-87m3-3238: The NE2000 emulator in QEMU 0... (2022-05-01)
OSV: CVE-2007-5729: The NE2000 emulator in QEMU 0... (2007-10-30)
OSV: CVE-2007-1321: Integer signedness error in the NE2000 emulator in QEMU 0... (2007-10-30)

Vendor Advisories (5)

Red Hat: QEMU Buffer overflow via crafted "net socket listen" option (2007-10-23)
Red Hat: xen QEMU NE2000 emulation issues (2007-04-20)
Debian: CVE-2007-1321: qemu - Integer signedness error in the NE2000 emulator in QEMU 0.8.2, as used in Xen an... (2007)
Debian: CVE-2007-5729: qemu - The NE2000 emulator in QEMU 0.8.2 allows local users to execute arbitrary code b... (2007)
Red Hat: QEMU NE2000 Buffer overflow triggerable by frames larger than MTU

Community (1)

Bugzilla: CVE-2007-5729 QEMU NE2000 Buffer overflow triggerable by frames larger than MTU (2007-10-31)