Univention Bugzilla – Bug 51731
qemu: Multiple issues (4.4)
Last modified: 2020-07-29 16:50:53 CEST
New Debian qemu 1:2.8+dfsg-6+deb9u10A~4.4.5.202007270634 fixes:

This update addresses the following issues:
* scsi: megasas: null pointer dereference while processing megasas command (CVE-2017-9503)
* scsi: lsi: potential infinite loop when executing script in lsi_execute_script (CVE-2019-12068)
* vnc: memory leakage upon disconnect (CVE-2019-20382)
* slirp: use-after-free in ip_reass() function in ip_input.c (CVE-2020-1983)
* Slirp: potential OOB access due to unsafe snprintf() usages (CVE-2020-8608)
* slirp: networking out-of-bounds read information disclosure vulnerability (CVE-2020-10756)
* es1370: OOB access due to incorrect frame count leads to DoS (CVE-2020-13361)
* megasas: OOB read access due to invalid index leads to DoS (CVE-2020-13362)
* exec: address_space_map returns NULL without setting length to zero may lead to DoS (CVE-2020-13659)
* msix: OOB access during mmio operations may lead to DoS (CVE-2020-13754)
* loader: OOB access while loading registered ROM may lead to code execution (CVE-2020-13765)
* stack-based overflow in xgmac_enet_send() in hw/net/xgmac.c (CVE-2020-15863)
--- mirror/ftp/4.4/unmaintained/4.4-4/source/qemu_2.8+dfsg-6+deb9u9A~4.4.3.202002050747.dsc +++ apt/ucs_4.4-0-errata4.4-5/source/qemu_2.8+dfsg-6+deb9u10A~4.4.5.202007270634.dsc @@ -1,4 +1,4 @@ -1:2.8+dfsg-6+deb9u9A~4.4.3.202002050747 [Wed, 05 Feb 2020 07:48:03 +0100] Univention builddaemon <buildd@univention.de>: +1:2.8+dfsg-6+deb9u10A~4.4.5.202007270634 [Mon, 27 Jul 2020 06:37:26 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 0001-Disable-Xen-for-UCS 
@@ -13,6 +13,66 @@ 1007-0008-x86-Work-around-SMI-migration-breakages 1008-0009-migration-ram.c-do-not-set-postcopy_running-in-POSTC +1:2.8+dfsg-6+deb9u10 [Sat, 25 Jul 2020 18:40:28 +0300] Michael Tokarev <mjt@tls.msk.ru>: + + * vnc-fix-memory-leak-when-vnc-disconnect-CVE-2019-20382.patch + Fix misuse of libz in VNC disconnect, leading to memory leak + Closes: CVE-2019-20382 + * scsi-lsi-exit-infinite-loop-while-executing-script-CVE-2019-12068.patch + Fix possible infinite loop in lsi_execute_script (LSI SCSI adapter) + Closes: CVE-2019-12068 + * iscsi-fix-heap-buffer-overflow-in-iscsi_aio_ioctl_cb.patch + Fix heap buffer overflow in iSCSI's iscsi_aio_ioctl_cb() + * slirp-fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch + Fix another use-after-free in ip_reass() in SLIRP code + Closes: CVE-2020-1983 + * core-loader-fix-possible-crash-in-rom_copy-CVE-2020-13765.patch + rom_copy() in hw/core/loader.c allows triggering invalid mem copy op. + Closes: CVE-2020-13765 + * revert-memory-accept-mismatching-sizes-in-memory_region_access_va...patch + Closes: CVE-2020-13754, possible OOB memory accesses in a bunch of qemu + devices which uses min_access_size and max_access_size Memory API fields. 
+ Also closes: CVE-2020-13791 + * acpi-accept-byte-and-word-access-to-core-ACPI-registers.patch + replace acpi-tmr-allow-2-byte-reads.patch with a more complete patch + Closes: #964793 + * xhci-fix-valid.max_access_size-to-access-address-registers.patch + This is another issue revealed after the CVE-2020-13754 fix + * exec-set-map-length-to-zero-when-returning-NULL-CVE-2020-13659.patch + CVE-2020-13659: address_space_map in exec.c can trigger + a NULL pointer dereference related to BounceBuffer + * megasas-use-unsigned-type-for-reply_queue_head-and-check-index...patch + Closes: #961887, CVE-2020-13362, megasas_lookup_frame in hw/scsi/megasas.c + has an OOB read via a crafted reply_queue_head field from a guest OS user + * megasas-use-unsigned-type-for-positive-numeric-fields.patch + fix other possible cases like in CVE-2020-13362 (#961887) + * 5 more security patches for megasas, avoid TOC-TOU (time-to-check vs + time-to-use) issues reading various parameters from guest-supplied frame: + megasas-do-not-read-sense-length-more-than-once-from-frame.patch + megasas-do-not-read-iovec-count-more-than-once-from-frame.patch + megasas-do-not-read-DCMD-opcode-more-than-once-from-frame.patch + megasas-do-not-read-command-more-than-once-from-frame.patch + megasas-do-not-read-SCSI-req-parameters-more-than-once-from-frame.patch + * megasas-always-store-SCSIRequest-into-MegasasCmd-CVE-2017-9503.patch + possible NULL-pointer dereferece caused by privileged guest user + megasas hba command processing. Closes: #865754, CVE-2017-9503 + * megasas-fix-possible-out-of-bounds-array-access.patch + Some tracepoints use a guest-controlled value as an index into the + mfi_frame_desc[] array. 
Thus a malicious guest could cause a very low + impact OOB errors here + * es1370-check-total-frame-count-against-current-frame-CVE-2020-13361.patch + Closes: #961888, CVE-2020-13361, es1370_transfer_audio in hw/audio/es1370.c + does not properly validate the frame count, which allows guest OS users + to trigger an out-of-bounds access during an es1370_write() operation + * slirp-drop-bogus-IPv6-messages-CVE-2020-10756.patch + Closes: CVE-2020-10756, possible OOB read in icmp6_send_echoreply() + * slirp-tcp_emu-fix-unsafe-snprintf-usages-CVE-2020-8608.patch + (and a preparational patch, slirp-add-fmt-helpers.patch) + Closes: CVE-2020-8608 + * xgmac-fix-buffer-overflow-in-xgmac_enet_send-CVE-2020-15863.patch + ARM-only XGMAC NIC, possible buffer overflow during packet transmission + Closes: CVE-2020-15863 + 1:2.8+dfsg-6+deb9u9 [Thu, 30 Jan 2020 23:16:06 +0300] Michael Tokarev <mjt@tls.msk.ru>: * slirp possible use-after-free in ip_reass(), <http://10.200.17.11/4.4-5/#80294748818386014>
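Review bot: in the deb9u10 changelog hunk, the entries for iscsi-fix-heap-buffer-overflow-in-iscsi_aio_ioctl_cb.patch and megasas-fix-possible-out-of-bounds-array-access.patch carry no CVE, Debian bug or upstream reference, unlike every neighbouring entry; add an identifier for each so the fixes stay traceable, especially since the bug description above lists CVEs only and therefore omits both of them as well as CVE-2020-13791, which this hunk also closes. Two spelling points in the same hunk: the patch name slirp-fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch drops the "r" in "after", and "NULL-pointer dereferece" in the CVE-2017-9503 entry should read "dereference".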
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-5] dab6475e73 Bug #51731: qemu 1:2.8+dfsg-6+deb9u10A~4.4.5.202007270634
doc/errata/staging/qemu.yaml | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x672>