CWE: 399, 416, 415

CVE-2009-3616: Use After Free

First published: Fri Jun 12 2009

+++ This bug was initially created as a clone of Bug #505640 +++

Description of problem:
I was attempting to implement the client side of QEMU's VNC extension for capturing audio streams. In doing so I typo'd and sent a uint8_t instead of a uint16_t for one of the fields. QEMU noticed the bogus data, printed a message and then crashed with double-free memory corruption. It is trivially reproducible and allows a remote client to crash any QEMU instance running VNC. I'm not sure whether this has security implications or not, so I marked this bug security sensitive.

Version-Release number of selected component (if applicable):
qemu-0.10-16.fc11

How reproducible:
Always

Steps to Reproduce:
1. Run QEMU with /usr/bin/qemu -cdrom boot.iso -soundhw ac97 -vnc :5
2. Take a regular VNC client and modify its code to...
3. Send server a SetEncodings message including pseudo-encoding -259
4. Wait for server to send back a framebuffer update with encoding -259
5. Send the following 3 bytes to the server: 255 1 0

Actual results:
The server will now crash

Invalid audio message 1
Msg: 1
*** glibc detected *** /usr/bin/qemu: double free or corruption (out): 0x000000000109e4a0 ***
Missing separate debuginfo for /lib64/libgcc_s.so.1
Try: yum --enablerepo='*-debuginfo' install /usr/lib/debug/.build-id/2d/71efecf2876da5ca07c3b5acf28fe281c96942.debug
======= Backtrace: =========
/lib64/libc.so.6[0x33b0075a26]
/usr/bin/qemu[0x496c83]
/usr/bin/qemu[0x4983da]
/usr/bin/qemu[0x496e8b]
/usr/bin/qemu[0x409572]
/usr/bin/qemu[0x40c59a]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x33b001ea2d]
/usr/bin/qemu[0x406e39]
======= Memory map: ========
Program received signal SIGABRT, Aborted.
0x00000033b00332f5 in raise () from /lib64/libc.so.6
(gdb) bt
#0  0x00000033b00332f5 in raise () from /lib64/libc.so.6
#1  0x00000033b0034b20 in abort () from /lib64/libc.so.6
#2  0x00000033b007005d in __libc_message () from /lib64/libc.so.6
#3  0x00000033b0075a26 in malloc_printerr () from /lib64/libc.so.6
#4  0x0000000000496c83 in vnc_client_io_error (vs=0x1096020, ret=<value optimized out>, last_errno=<value optimized out>) at vnc.c:870
#5  0x00000000004983da in protocol_client_msg (vs=0x1096020, data=0x109e4a0 "\1", len=<value optimized out>) at vnc.c:1729
#6  0x0000000000496e8b in vnc_client_read (opaque=<value optimized out>) at vnc.c:1095
#7  0x0000000000409572 in main_loop_wait (timeout=<value optimized out>) at /usr/src/debug/qemu-kvm-0.10/qemu/vl.c:3774
#8  0x000000000040c59a in main_loop () at /usr/src/debug/qemu-kvm-0.10/qemu/vl.c:3972
#9  main () at /usr/src/debug/qemu-kvm-0.10/qemu/vl.c:6126

Expected results:
Server reports invalid message and drops the client connection

Additional info:
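The frames above (vnc_client_read, protocol_client_msg, vnc_client_io_error, malloc_printerr) show the abort firing inside the teardown routine itself, the usual shape of an error path that frees connection state its callers still hold or free again. The C model below is added here and is not QEMU's code; it shows the defensive shape: a teardown that is idempotent and clears the dangling pointer, and a read path that re-checks liveness after every dispatch. VncClient, client_new, client_io_error, dispatch_client_msg, client_read and the "audio operations 1..3 are valid" message grammar are constructed stand-ins, not QEMU's names or protocol rules.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MSG_QEMU       255   /* first byte of the 3-byte message in the report */
#define MSG_QEMU_AUDIO 1     /* second byte of that message */
#define INPUT_SIZE     64

/* Hypothetical stand-in for per-connection state; not QEMU's VncState. */
typedef struct {
    int      csock;   /* -1 once the connection has been torn down */
    uint8_t *input;   /* receive buffer owned by this client */
    int      frees;   /* how many times input was really freed (for checks) */
} VncClient;

static VncClient *client_new(void)
{
    VncClient *vs = calloc(1, sizeof(*vs));
    vs->csock = 7;                       /* any open descriptor number */
    vs->input = calloc(INPUT_SIZE, 1);
    return vs;
}

/* Idempotent teardown: a repeated call finds csock == -1 and frees
 * nothing again, so the double free in the report cannot happen. */
static void client_io_error(VncClient *vs)
{
    if (vs->csock == -1)
        return;
    free(vs->input);
    vs->input = NULL;                    /* clear the dangling pointer */
    vs->csock = -1;
    vs->frees++;
}

/* Constructed grammar for the model: 255, 1, then one audio-operation
 * byte, of which only 1..3 are accepted. Returns 0 or -1 (client dropped). */
static int dispatch_client_msg(VncClient *vs, const uint8_t *data, size_t len)
{
    if (len < 3 || data[0] != MSG_QEMU || data[1] != MSG_QEMU_AUDIO) {
        client_io_error(vs);
        return -1;
    }
    if (data[2] < 1 || data[2] > 3) {
        fprintf(stderr, "Invalid audio message %u\n", (unsigned)data[2]);
        client_io_error(vs);             /* drop the client, as the reporter expected */
        return -1;
    }
    return 0;
}

/* Read path: copy one wire message into the client's buffer, dispatch it,
 * and re-check liveness before touching vs->input again. Returns 0 for a
 * consumed message, -1 if the client was or became closed. */
static int client_read(VncClient *vs, const uint8_t *wire, size_t len)
{
    if (vs->csock == -1 || len > INPUT_SIZE)
        return -1;
    memcpy(vs->input, wire, len);
    if (dispatch_client_msg(vs, vs->input, len) < 0 || vs->csock == -1)
        return -1;                       /* handler closed us: stop here */
    memset(vs->input, 0, len);           /* safe: buffer is still ours */
    return 0;
}
```

A caller that loops over several buffered messages stops as soon as client_read returns -1, so the freed buffer is never touched again.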

Credit: secalert@redhat.com

Affected Software                     Affected Version   How to fix
QEMU qemu                             <=0.10.6
QEMU qemu                             =0.1.0
QEMU qemu                             =0.1.1
QEMU qemu                             =0.1.2
QEMU qemu                             =0.1.3
QEMU qemu                             =0.1.4
QEMU qemu                             =0.1.5
QEMU qemu                             =0.1.6
QEMU qemu                             =0.2.0
QEMU qemu                             =0.3.0
QEMU qemu                             =0.4.0
QEMU qemu                             =0.4.1
QEMU qemu                             =0.4.2
QEMU qemu                             =0.4.3
QEMU qemu                             =0.5.0
QEMU qemu                             =0.5.1
QEMU qemu                             =0.5.2
QEMU qemu                             =0.5.3
QEMU qemu                             =0.5.4
QEMU qemu                             =0.5.5
QEMU qemu                             =0.6.0
QEMU qemu                             =0.6.1
QEMU qemu                             =0.7.0
QEMU qemu                             =0.7.1
QEMU qemu                             =0.7.2
QEMU qemu                             =0.8.0
QEMU qemu                             =0.8.1
QEMU qemu                             =0.8.2
QEMU qemu                             =0.9.0
QEMU qemu                             =0.9.1
QEMU qemu                             =0.10.0
QEMU qemu                             =0.10.1
QEMU qemu                             =0.10.2
QEMU qemu                             =0.10.3
QEMU qemu                             =0.10.4
QEMU qemu                             =0.10.5
Redhat Enterprise Linux Server        =5.0
Redhat Enterprise Linux Workstation   =5.0
redhat/kvm                            <83-82.el5         83-82.el5

© 2025 SecAlerts Pty Ltd.