Univention Bugzilla – Bug 52820
qemu: Multiple issues (4.4)
Last modified: 2021-03-17 13:59:55 CET
New Debian qemu 1:2.8+dfsg-6+deb9u13A~4.4.7.202102220936 fixes:

This update addresses the following issues:
* MMIO ops null pointer dereference may lead to DoS (CVE-2020-15469)
* net: e1000e: use-after-free while sending packets (CVE-2020-15859)
* usb: use-after-free issue while setting up packet (CVE-2020-25084)
* e1000e: infinite loop scenario in case of null packet descriptor (CVE-2020-28916)
* slirp: out-of-bounds access while processing ARP/NCSI packets (CVE-2020-29130)
* ide: atapi: OOB access while processing read commands (CVE-2020-29443)
* 9pfs: TOCTOU privilege escalation vulnerability (CVE-2021-20181)
* out-of-bound heap buffer access via an interrupt ID field (CVE-2021-20221)
--- mirror/ftp/4.4/unmaintained/component/4.4-7-errata/source/qemu_2.8+dfsg-6+deb9u12A~4.4.7.202012011517.dsc +++ apt/ucs_4.4-0-errata4.4-7/source/qemu_2.8+dfsg-6+deb9u13A~4.4.7.202102220936.dsc @@ -1,4 +1,4 @@ -1:2.8+dfsg-6+deb9u12A~4.4.7.202012011517 [Tue, 01 Dec 2020 15:22:01 +0100] Univention builddaemon <buildd@univention.de>: +1:2.8+dfsg-6+deb9u13A~4.4.7.202102220936 [Mon, 22 Feb 2021 10:03:20 +0100] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 0001-Disable-Xen-for-UCS 
@@ -12,6 +12,28 @@ 1006-0007-Bug-38877-fix-qemu-kvm-1.1-piix4_pm-incompatibi 1007-0008-x86-Work-around-SMI-migration-breakages 1008-0009-migration-ram.c-do-not-set-postcopy_running-in-POSTC + +1:2.8+dfsg-6+deb9u13 [Fri, 12 Feb 2021 14:11:25 +0100] Sylvain Beucler <beuc@debian.org>: + + * Non-maintainer upload by the LTS Security Team. + * CVE-2020-15469: a MemoryRegionOps object may lack read/write callback + methods, leading to a NULL pointer dereference. + * CVE-2020-15859: QEMU has a use-after-free in hw/net/e1000e_core.c + because a guest OS user can trigger an e1000e packet with the data's + address set to the e1000e's MMIO address. + * CVE-2020-25084: QEMU has a use-after-free in hw/usb/hcd-xhci.c because + the usb_packet_map return value is not checked. + * CVE-2020-28916: hw/net/e1000e_core.c has an infinite loop via an RX + descriptor with a NULL buffer address. + * CVE-2020-29130: slirp.c has a buffer over-read because it tries to + read a certain amount of header data even if that exceeds the total + packet length. + * CVE-2020-29443: ide_atapi_cmd_reply_end in hw/ide/atapi.c allows + out-of-bounds read access because a buffer index is not validated. + * CVE-2021-20181: 9pfs: ZDI-CAN-10904: QEMU Plan 9 file system TOCTOU + privilege escalation vulnerability. + * CVE-2021-20221: aarch64: GIC: out-of-bound heap buffer access via an + interrupt ID field. 1:2.8+dfsg-6+deb9u12 [Sun, 29 Nov 2020 12:03:02 +0100] Thorsten Alteholz <debian@alteholz.de>: <http://piuparts.knut.univention.de/4.4-7/#5027599480473606941>
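Review bot: the added changelog entries in the second hunk describe several CVEs differently from the errata summary in this bug, which makes the published advisory text inconsistent with the package changelog. CVE-2020-29130 is "slirp.c has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length" in the hunk but "slirp: out-of-bounds access while processing ARP/NCSI packets" in the summary, and CVE-2021-20181 carries only the ZDI-CAN-10904 reference in the hunk while the summary names it a 9pfs TOCTOU issue; the yaml for the erratum should use one wording per CVE, preferably the changelog's, since that is what ships with the package. The hunk header itself is consistent: 22 added lines on top of 6 context lines gives the stated +12,28.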
Fixed piuparts: <https://git.knut.univention.de/dist/repo-ng/-/merge_requests/22>
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-7] b2deb03386 Bug #52820: qemu 1:2.8+dfsg-6+deb9u13A~4.4.7.202102220936
 doc/errata/staging/qemu.yaml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x919>