Bug 51731 - qemu: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.4
All Linux
Importance: P3 normal
Target Milestone: UCS 4.4-5-errata
Assigned To: Quality Assurance
Philipp Hahn
Reported: 2020-07-27 06:37 CEST by Quality Assurance
Modified: 2020-07-29 16:50 CEST (History)

What kind of report is it?: Security Issue
Max CVSS v3 score: 6.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

Description (Quality Assurance, 2020-07-27 06:37:09 CEST)
New Debian qemu 1:2.8+dfsg-6+deb9u10A~4.4.5.202007270634 fixes:
This update addresses the following issues:
* scsi: megasas: null pointer dereference while processing megasas command (CVE-2017-9503)
* scsi: lsi: potential infinite loop when executing script in lsi_execute_script (CVE-2019-12068)
* vnc: memory leakage upon disconnect (CVE-2019-20382)
* slirp: use-after-free in ip_reass() function in ip_input.c (CVE-2020-1983)
* slirp: potential OOB access due to unsafe snprintf() usages (CVE-2020-8608)
* slirp: networking out-of-bounds read information disclosure vulnerability (CVE-2020-10756)
* es1370: OOB access due to incorrect frame count leads to DoS (CVE-2020-13361)
* megasas: OOB read access due to invalid index leads to DoS (CVE-2020-13362)
* exec: address_space_map returns NULL without setting length to zero may lead to DoS (CVE-2020-13659)
* msix: OOB access during mmio operations may lead to DoS (CVE-2020-13754)
* loader: OOB access while loading registered ROM may lead to code execution (CVE-2020-13765)
* stack-based overflow in xgmac_enet_send() in hw/net/xgmac.c (CVE-2020-15863)
Comment 1 (Quality Assurance, 2020-07-27 07:44:14 CEST)
--- mirror/ftp/4.4/unmaintained/4.4-4/source/qemu_2.8+dfsg-6+deb9u9A~4.4.3.202002050747.dsc
+++ apt/ucs_4.4-0-errata4.4-5/source/qemu_2.8+dfsg-6+deb9u10A~4.4.5.202007270634.dsc
@@ -1,4 +1,4 @@
-1:2.8+dfsg-6+deb9u9A~4.4.3.202002050747 [Wed, 05 Feb 2020 07:48:03 +0100] Univention builddaemon <buildd@univention.de>:
+1:2.8+dfsg-6+deb9u10A~4.4.5.202007270634 [Mon, 27 Jul 2020 06:37:26 +0200] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     0001-Disable-Xen-for-UCS
@@ -13,6 +13,66 @@
     1007-0008-x86-Work-around-SMI-migration-breakages
     1008-0009-migration-ram.c-do-not-set-postcopy_running-in-POSTC
 
+1:2.8+dfsg-6+deb9u10 [Sat, 25 Jul 2020 18:40:28 +0300] Michael Tokarev <mjt@tls.msk.ru>:
+
+  * vnc-fix-memory-leak-when-vnc-disconnect-CVE-2019-20382.patch
+    Fix misuse of libz in VNC disconnect, leading to memory leak
+    Closes: CVE-2019-20382
+  * scsi-lsi-exit-infinite-loop-while-executing-script-CVE-2019-12068.patch
+    Fix possible infinite loop in lsi_execute_script (LSI SCSI adapter)
+    Closes: CVE-2019-12068
+  * iscsi-fix-heap-buffer-overflow-in-iscsi_aio_ioctl_cb.patch
+    Fix heap buffer overflow in iSCSI's iscsi_aio_ioctl_cb()
+  * slirp-fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch
+    Fix another use-after-free in ip_reass() in SLIRP code
+    Closes: CVE-2020-1983
+  * core-loader-fix-possible-crash-in-rom_copy-CVE-2020-13765.patch
+    rom_copy() in hw/core/loader.c allows triggering invalid mem copy op.
+    Closes: CVE-2020-13765
+  * revert-memory-accept-mismatching-sizes-in-memory_region_access_va...patch
+    Closes: CVE-2020-13754, possible OOB memory accesses in a bunch of qemu
+    devices which uses min_access_size and max_access_size Memory API fields.
+    Also closes: CVE-2020-13791
+  * acpi-accept-byte-and-word-access-to-core-ACPI-registers.patch
+    replace acpi-tmr-allow-2-byte-reads.patch with a more complete patch
+    Closes: #964793
+  * xhci-fix-valid.max_access_size-to-access-address-registers.patch
+    This is another issue revealed after the CVE-2020-13754 fix
+  * exec-set-map-length-to-zero-when-returning-NULL-CVE-2020-13659.patch
+    CVE-2020-13659: address_space_map in exec.c can trigger
+    a NULL pointer dereference related to BounceBuffer
+  * megasas-use-unsigned-type-for-reply_queue_head-and-check-index...patch
+    Closes: #961887, CVE-2020-13362, megasas_lookup_frame in hw/scsi/megasas.c
+    has an OOB read via a crafted reply_queue_head field from a guest OS user
+  * megasas-use-unsigned-type-for-positive-numeric-fields.patch
+    fix other possible cases like in CVE-2020-13362 (#961887)
+  * 5 more security patches for megasas, avoid TOC-TOU (time-to-check vs
+    time-to-use) issues reading various parameters from guest-supplied frame:
+    megasas-do-not-read-sense-length-more-than-once-from-frame.patch
+    megasas-do-not-read-iovec-count-more-than-once-from-frame.patch
+    megasas-do-not-read-DCMD-opcode-more-than-once-from-frame.patch
+    megasas-do-not-read-command-more-than-once-from-frame.patch
+    megasas-do-not-read-SCSI-req-parameters-more-than-once-from-frame.patch
+  * megasas-always-store-SCSIRequest-into-MegasasCmd-CVE-2017-9503.patch
+    possible NULL-pointer dereferece caused by privileged guest user
+    megasas hba command processing. Closes: #865754, CVE-2017-9503
+  * megasas-fix-possible-out-of-bounds-array-access.patch
+    Some tracepoints use a guest-controlled value as an index into the
+    mfi_frame_desc[] array. Thus a malicious guest could cause a very low
+    impact OOB errors here
+  * es1370-check-total-frame-count-against-current-frame-CVE-2020-13361.patch
+    Closes: #961888, CVE-2020-13361, es1370_transfer_audio in hw/audio/es1370.c
+    does not properly validate the frame count, which allows guest OS users
+    to trigger an out-of-bounds access during an es1370_write() operation
+  * slirp-drop-bogus-IPv6-messages-CVE-2020-10756.patch
+    Closes: CVE-2020-10756, possible OOB read in icmp6_send_echoreply()
+  * slirp-tcp_emu-fix-unsafe-snprintf-usages-CVE-2020-8608.patch
+    (and a preparational patch, slirp-add-fmt-helpers.patch)
+    Closes: CVE-2020-8608
+  * xgmac-fix-buffer-overflow-in-xgmac_enet_send-CVE-2020-15863.patch
+    ARM-only XGMAC NIC, possible buffer overflow during packet transmission
+    Closes: CVE-2020-15863
+
 1:2.8+dfsg-6+deb9u9 [Thu, 30 Jan 2020 23:16:06 +0300] Michael Tokarev <mjt@tls.msk.ru>:
 
   * slirp possible use-after-free in ip_reass(),
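Review bot: the changelog closes more issues than the Description lists, so the errata text should be reconciled before release: the revert-memory-accept-mismatching-sizes entry states "Also closes: CVE-2020-13791" in addition to CVE-2020-13754, and the iscsi_aio_ioctl_cb heap-buffer-overflow fix, the acpi byte/word access fix (#964793) and the xhci max_access_size fix carry no CVE identifier at all; CVE-2020-13791 at least should appear alongside CVE-2020-13754 in the advisory so the announced scope matches the package. Two typos in the changelog text while here: "dereferece" in the CVE-2017-9503 entry and "devices which uses" in the CVE-2020-13754 entry (the patch filename "use-afte-free" is also misspelled, but renaming a patch file is not worth a rebuild).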

<http://10.200.17.11/4.4-5/#80294748818386014>
Comment 2 (Philipp Hahn, 2020-07-27 11:23:07 CEST)
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-5] dab6475e73 Bug #51731: qemu 1:2.8+dfsg-6+deb9u10A~4.4.5.202007270634
 doc/errata/staging/qemu.yaml | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)