Bug 53054 - qemu: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.4
Hardware: All
OS: Linux
Importance: P3 normal
Target Milestone: UCS 4.4-7-errata
Assigned To: Quality Assurance
QA Contact: Philipp Hahn
Depends on:
Blocks:
Reported: 2021-04-12 08:49 CEST by Quality Assurance
Modified: 2021-04-14 12:06 CEST
CC: 0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 5.7 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)


Description Quality Assurance univentionstaff 2021-04-12 08:49:02 CEST
New Debian qemu 1:2.8+dfsg-6+deb9u14A~4.4.7.202104120844 fixes:
This update addresses the following issues:
* heap buffer overflow in sdhci_sdma_transfer_multi_blocks() in hw/sd/sdhci.c (CVE-2020-17380)
* scsi: mptsas: use-after-free while processing io requests (CVE-2021-3392)
* sdhci: incomplete fix for CVE-2020-17380/CVE-2020-25085 (CVE-2021-3409)
* net: infinite loop in loopback mode may lead to stack overflow (CVE-2021-3416)
* Failed malloc in vmxnet3_activate_device() in hw/net/vmxnet3.c (CVE-2021-20203)
* net: eepro100: stack overflow via infinite recursion (CVE-2021-20255)
* net: e1000: infinite loop while processing transmit descriptors (CVE-2021-20257)
Comment 1 Quality Assurance univentionstaff 2021-04-12 10:00:26 CEST
--- mirror/ftp/4.4/unmaintained/component/4.4-7-errata/source/qemu_2.8+dfsg-6+deb9u13A~4.4.7.202102220936.dsc
+++ apt/ucs_4.4-0-errata4.4-7/source/qemu_2.8+dfsg-6+deb9u14A~4.4.7.202104120844.dsc
@@ -1,4 +1,4 @@
-1:2.8+dfsg-6+deb9u13A~4.4.7.202102220936 [Mon, 22 Feb 2021 10:03:20 +0100] Univention builddaemon <buildd@univention.de>:
+1:2.8+dfsg-6+deb9u14A~4.4.7.202104120844 [Mon, 12 Apr 2021 08:49:29 +0200] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     0001-Disable-Xen-for-UCS
@@ -12,6 +12,42 @@
     1006-0007-Bug-38877-fix-qemu-kvm-1.1-piix4_pm-incompatibi
     1007-0008-x86-Work-around-SMI-migration-breakages
     1008-0009-migration-ram.c-do-not-set-postcopy_running-in-POSTC
+
+1:2.8+dfsg-6+deb9u14 [Sat, 10 Apr 2021 16:38:50 +0200] Markus Koschany <apo@debian.org>:
+
+  * Non-maintainer upload by the LTS team.
+  * Fix CVE-2021-20257:
+    net: e1000: infinite loop while processing transmit descriptors
+  * Fix CVE-2021-20255:
+    A stack overflow via an infinite recursion vulnerability was found in the
+    eepro100 i8255x device emulator of QEMU. This issue occurs while processing
+    controller commands due to a DMA reentry issue. This flaw allows a guest
+    user or process to consume CPU cycles or crash the QEMU process on the
+    host, resulting in a denial of service.
+  * Fix CVE-2021-20203:
+    An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU
+    for versions up to v5.2.0. It may occur if a guest was to supply invalid
+    values for rx/tx queue size or other NIC parameters. A privileged guest
+    user may use this flaw to crash the QEMU process on the host resulting in
+    DoS scenario.
+  * Fix CVE-2021-3416:
+    A potential stack overflow via infinite loop issue was found in various NIC
+    emulators of QEMU in versions up to and including 5.2.0. The issue occurs
+    in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A
+    guest user/process may use this flaw to consume CPU cycles or crash the
+    QEMU process on the host resulting in DoS scenario.
+  * Fix CVE-2021-3409/CVE-2020-17380:
+    The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective,
+    thus making QEMU vulnerable to the out-of-bounds read/write access issues
+    previously found in the SDHCI controller emulation code. This flaw allows a
+    malicious privileged guest to crash the QEMU process on the host, resulting
+    in a denial of service or potential code execution.
+  * Fix CVE-2021-3392:
+    A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue
+    occurs while processing SCSI I/O requests in the case of an error
+    mptsas_free_request() that does not dequeue the request object 'req' from
+    a pending requests queue. This flaw allows a privileged guest user to
+    crash the QEMU process on the host, resulting in a denial of service.
 
 1:2.8+dfsg-6+deb9u13 [Fri, 12 Feb 2021 14:11:25 +0100] Sylvain Beucler <beuc@debian.org>:
 
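Review bot: the CVE-2021-3392 entry in this hunk calls the affected device "the MegaRAID emulator", but the bug's own summary line says "scsi: mptsas: use-after-free" and the function named in the same paragraph is mptsas_free_request(), so the entry points at a different SCSI emulation than the code it references; suggest "mptsas SCSI emulator" so the two agree. The same paragraph also drops a word: "in the case of an error mptsas_free_request() that does not dequeue the request object 'req'" should read "when an error occurs, mptsas_free_request() does not dequeue the request object 'req'". Both are in the Debian LTS changelog text carried over verbatim, so they only need touching if that entry is edited locally.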

<http://piuparts.knut.univention.de/4.4-7/#5105366278897184371>
Comment 2 Philipp Hahn univentionstaff 2021-04-12 10:52:35 CEST
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-7] df4a1a5a6f Bug #53054: qemu 1:2.8+dfsg-6+deb9u14A~4.4.7.202104120844
 doc/errata/staging/qemu.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

[4.4-7] e92bca1fd6 Bug #53054: qemu 1:2.8+dfsg-6+deb9u14A~4.4.7.202104120844
 doc/errata/staging/qemu.yaml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)