CVE-2019-15890 use-after-free (libslirp)

Moderate
AkihiroSuda published GHSA-jx98-2j5v-w265 Sep 14, 2019 · 1 comment

Package

slirp4netns

Affected versions

< 0.3.3

Patched versions

0.4.0, 0.3.3, and later

Description

Impact

https://security-tracker.debian.org/tracker/CVE-2019-15890

libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c.

Patches

On upstream libslirp, the vulnerability was fixed on Aug 26, 2019: https://gitlab.freedesktop.org/slirp/libslirp/commit/c59279437eda91841b9d26079c70b8a540d41204

The fix was applied to slirp4netns in:

  • c029132 (Aug 29, 2019; included in v0.4.0)
  • 802e677 (Aug 29, 2019; included in v0.3.3)

Severity

Moderate

CVE ID

CVE-2019-15890

Weaknesses

No CWEs