Vulnerability Description
Buffer overflow in the vnc_refresh_server_surface function in the VNC display driver in QEMU before 2.4.0.1 allows guest users to cause a denial of service (heap memory corruption and process crash) or possibly execute arbitrary code on the host via unspecified vectors, related to refreshing the server display surface.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Openstack | 5.0 |
| Fedoraproject | Fedora | 21 |
| Qemu | Qemu | <= 2.4.0 |
Related Weaknesses (CWE)
References
- http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169039.ht
- http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165484.
- http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166798.
- http://rhn.redhat.com/errata/RHSA-2015-1772.html
- http://rhn.redhat.com/errata/RHSA-2015-1837.html
- http://www.debian.org/security/2015/dsa-3348
- http://www.openwall.com/lists/oss-security/2015/08/21/6
- http://www.securityfocus.com/bid/76506
- http://www.securitytracker.com/id/1033547
- https://lists.gnu.org/archive/html/qemu-devel/2015-08/msg02495.html
- https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg05832.htmlPatchVendor Advisory
- https://security.gentoo.org/glsa/201602-01
- http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169039.ht
- http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165484.
- http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166798.
FAQ
What is CVE-2015-5225?
CVE-2015-5225 is a vulnerability with a CVSS score of 7.2 (HIGH). Buffer overflow in the vnc_refresh_server_surface function in the VNC display driver in QEMU before 2.4.0.1 allows guest users to cause a denial of service (heap memory corruption and process crash) o...
How severe is CVE-2015-5225?
CVE-2015-5225 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-5225?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Openstack, Fedoraproject Fedora, Qemu Qemu.