Univention Bugzilla – Bug 55881
qemu: Multiple issues (5.0)
Last modified: 2023-03-22 13:58:44 CET
New Debian qemu 1:3.1+dfsg-8+deb10u10 fixes:
This update addresses the following issues:
* infinite loop in xhci_ring_chain_length() in hw/usb/hcd-xhci.c (CVE-2020-14394)
* heap buffer overflow in sdhci_sdma_transfer_multi_blocks() in hw/sd/sdhci.c (CVE-2020-17380)
* slirp: out-of-bounds access while processing ARP/NCSI packets (CVE-2020-29130)
* sdhci: incomplete fix for CVE-2020-17380/CVE-2020-25085 (CVE-2021-3409)
* slirp: invalid pointer initialization may lead to information disclosure (bootp) (CVE-2021-3592)
* slirp: invalid pointer initialization may lead to information disclosure (udp6) (CVE-2021-3593)
* slirp: invalid pointer initialization may lead to information disclosure (udp) (CVE-2021-3594)
* slirp: invalid pointer initialization may lead to information disclosure (tftp) (CVE-2021-3595)
* use-after-free in lsi_do_msgout function in hw/scsi/lsi53c895a.c (CVE-2022-0216)
* pvrdma: use-after-free issue in pvrdma_exec_cmd() (CVE-2022-1050)
--- mirror/ftp/pool/main/q/qemu/qemu_3.1+dfsg-8+deb10u9.dsc +++ apt/ucs_5.0-0-errata5.0-3/source/qemu_3.1+dfsg-8+deb10u10.dsc 
@@ -1,3 +1,57 @@ +1:3.1+dfsg-8+deb10u10 [Tue, 14 Mar 2023 15:06:39 +0100] Sylvain Beucler <beuc@debian.org>: + + * Non-maintainer upload by the LTS Security Team. + * CVE-2020-14394: An infinite loop flaw was found in the USB xHCI + controller emulation of QEMU while computing the length of the + Transfer Request Block (TRB) Ring. This flaw allows a privileged guest + user to hang the QEMU process on the host, resulting in a denial of + service. (Closes: #979677) + * CVE-2020-17380/CVE-2021-3409: A heap-based buffer overflow was found + in QEMU in the SDHCI device emulation support. It could occur while + doing a multi block SDMA transfer via the + sdhci_sdma_transfer_multi_blocks() routine in hw/sd/sdhci.c. A guest + user or process could use this flaw to crash the QEMU process on the + host, resulting in a denial of service condition, or potentially + execute arbitrary code with privileges of the QEMU process on the + host. (Closes: #970937, #986795) + * CVE-2020-29130: slirp.c has a buffer over-read because it tries to + read a certain amount of header data even if that exceeds the total + packet length. + * CVE-2021-3592: An invalid pointer initialization issue was found in + the SLiRP networking implementation of QEMU. The flaw exists in the + bootp_input() function and could occur while processing a udp packet + that is smaller than the size of the 'bootp_t' structure. A malicious + guest could use this flaw to leak 10 bytes of uninitialized heap + memory from the host. (Closes: #989993) + * CVE-2021-3593: An invalid pointer initialization issue was found in + the SLiRP networking implementation of QEMU. The flaw exists in the + udp6_input() function and could occur while processing a udp packet + that is smaller than the size of the 'udphdr' structure. This issue + may lead to out-of-bounds read access or indirect host memory + disclosure to the guest. 
(Closes: #989994) + * CVE-2021-3594: An invalid pointer initialization issue was found in + the SLiRP networking implementation of QEMU. The flaw exists in the + udp_input() function and could occur while processing a udp packet + that is smaller than the size of the 'udphdr' structure. This issue + may lead to out-of-bounds read access or indirect host memory + disclosure to the guest. (Closes: #989995) + * CVE-2021-3595: An invalid pointer initialization issue was found in + the SLiRP networking implementation of QEMU. The flaw exists in the + tftp_input() function and could occur while processing a udp packet + that is smaller than the size of the 'tftp_t' structure. This issue + may lead to out-of-bounds read access or indirect host memory + disclosure to the guest. (Closes: #989996) + * CVE-2022-0216: A use-after-free vulnerability was found in the + LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs + while processing repeated messages to cancel the current SCSI request + via the lsi_do_msgout function. This flaw allows a malicious + privileged user within the guest to crash the QEMU process on the + host, resulting in a denial of service. (Closes: #1014590) + * CVE-2022-1050: A flaw was found in the QEMU implementation of VMWare's + paravirtual RDMA device. This flaw allows a crafted guest driver to + execute HW commands when shared buffers are not yet allocated, + potentially leading to a use-after-free condition. (Closes: #1014589) + 1:3.1+dfsg-8+deb10u9 [Sat, 02 Jul 2022 18:06:35 +0530] Abhijith PA <abhijith@debian.org>: * Non-maintainer upload by the Security Team. <http://piuparts.knut.univention.de/5.0-3/#6795312332388877144>
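Review bot: the CVE-2020-29130 entry is the only one in this changelog hunk without a "(Closes: #...)" reference, while the other nine entries each close a Debian bug; either add the matching bug number or state that no bug was filed for it. The bug summary above also describes the sdhci change as the incomplete fix for CVE-2020-17380/CVE-2020-25085, but the changelog line reads only "CVE-2020-17380/CVE-2021-3409"; mentioning CVE-2020-25085 there would keep the changelog consistent with the advisory text.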
OK: bug
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts
[5.0-3] 43fcb7d71d Bug #55881: qemu 1:3.1+dfsg-8+deb10u10
 doc/errata/staging/qemu.yaml | 24 +++++++++---------------
 1 file changed, 9 insertions(+), 15 deletions(-)
[5.0-3] d4c8c0812c Bug #55881: qemu 1:3.1+dfsg-8+deb10u10
 doc/errata/staging/qemu.yaml | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x618>