CVE-2019-15034: 
NixOS vulnerability analysis and mitigation

CVE-2019-15034 affects QEMU 4.0.0, specifically in the hw/display/bochs-display.c component. The vulnerability was discovered in August 2019 and involves insufficient PCI config space allocation, which leads to a buffer overflow when handling the PCIe extended config space (NVD, MITRE).

The vulnerability stems from improper PCI config space allocation in the bochs-display.c component. The issue occurs when the device doesn't ensure sufficient space allocation for PCIe extended config space operations, resulting in a buffer overflow condition. The vulnerability has a CVSS v3.1 Base Score of 5.8 (Medium) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H (NVD).

The vulnerability can lead to a denial of service condition or potentially allow arbitrary code execution in the host when exploited by a local attacker in a guest environment (Ubuntu Security).

The vulnerability was patched by setting QEMU_PCI_CAP_EXPRESS unconditionally in init() and then clearing it in realize() when the device is not connected to a PCIe bus. Multiple Linux distributions have released security updates to address this vulnerability, including Ubuntu 19.10 (version 1:4.0+dfsg-0ubuntu9.6), Debian (version 1:3.1+dfsg-8+deb10u5), and openSUSE Leap 15.1 (QEMU Patch, Ubuntu Security, Debian Security).