openSUSE-SU-2020:0468

https://lists.gnu.org/archive/html/qemu-devel/2019-08/msg01959.html

USN-4372-1

DSA-4665

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9034 advisory.

  - An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before     5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its     'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the     QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the     privileges of the QEMU process on the host. (CVE-2020-14364)

  - In QEMU through 5.0.0, an assertion failure can occur in the network packet processing. This issue affects     the e1000e and vmxnet3 network devices. A malicious guest user/process could use this flaw to abort the     QEMU process on the host, resulting in a denial of service condition in net_tx_pkt_add_raw_fragment in     hw/net/net_tx_pkt.c. (CVE-2020-16092)

  - hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address     in an msi-x mmio operation. (CVE-2020-13754)

  - In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a     crafted reply_queue_head field from a guest OS user. (CVE-2020-13362)

  - hw/net/tulip.c in QEMU 4.2.0 has a buffer overflow during the copying of tx/rx buffers because the frame     size is not validated against the r/w data length. (CVE-2020-11102)

  - hw/net/xgmac.c in the XGMAC Ethernet controller in QEMU before 07-20-2020 has a buffer overflow. This     occurs during packet transmission and affects the highbank and midway emulated machines. A guest user or     process could use this flaw to crash the QEMU process on the host, resulting in a denial of service or     potential privileged code execution. This was fixed in commit 5519724a13664b43e225ca05351c60b4468e4555.
    (CVE-2020-15863)

  - hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access by providing an     address near the end of the PCI configuration space. (CVE-2020-13791)

  - address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer dereference related to BounceBuffer.
    (CVE-2020-13659)

  - sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read     during sdhci_write() operations. A guest OS user can crash the QEMU process. (CVE-2020-13253)

  - A flaw was found in QEMU in the implementation of the Pointer Authentication (PAuth) support for ARM     introduced in version 4.0 and fixed in version 5.0.0. A general failure of the signature generation     process caused every PAuth-enforced pointer to be signed with the same signature. A local attacker could     obtain the signature of a protected pointer and abuse this flaw to bypass PAuth protection for all     programs running on QEMU. (CVE-2020-10702)

  - hw/display/bochs-display.c in QEMU 4.0.0 does not ensure a sufficient PCI config space allocation, leading     to a buffer overflow involving the PCIe extended config space. (CVE-2019-15034)

  - In QEMU through 5.0.0, an integer overflow was found in the SM501 display driver implementation. This flaw     occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write()     callback. A local attacker could abuse this flaw to crash the QEMU process in sm501_2d_operation() in     hw/display/sm501.c on the host, resulting in a denial of service. (CVE-2020-12829)

  - oss_write in audio/ossaudio.c in QEMU before 5.0.0 mishandles a buffer position. (CVE-2020-14415)

  - hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop. (CVE-2020-25625)

  - QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not     checked. (CVE-2020-25084)

  - ati_2d_blt in hw/display/ati_2d.c in QEMU 4.2.1 can encounter an outside-limits situation in a     calculation. A guest can crash the QEMU process. (CVE-2020-27616)

  - ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of     header data even if that exceeds the total packet length. (CVE-2020-29129)

  - slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of     header data even if that exceeds the total packet length. (CVE-2020-29130)

  - hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host     controller driver. (CVE-2020-25624)

  - hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.
    (CVE-2020-28916)

  - An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator.
    This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known     as ping. This flaw allows a malicious guest to leak the contents of the host memory, resulting in possible     information disclosure. This flaw affects versions of libslirp before 4.3.1. (CVE-2020-10756)

  - A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while     processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user     within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host,     resulting in a denial of service. (CVE-2020-25723)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It was discovered that QEMU incorrectly handled bochs-display devices.
A local attacker in a guest could use this to cause a denial of service or possibly execute arbitrary code in the host. This issue only affected Ubuntu 19.10. (CVE-2019-15034)

It was discovered that QEMU incorrectly handled memory during certain VNC operations. A remote attacker could possibly use this issue to cause QEMU to consume resources, resulting in a denial of service.
This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 19.10. (CVE-2019-20382)

It was discovered that QEMU incorrectly generated QEMU Pointer Authentication signatures on ARM. A local attacker could possibly use this issue to bypass PAuth. This issue only affected Ubuntu 19.10.
(CVE-2020-10702)

Ziming Zhang discovered that QEMU incorrectly handled ATI VGA emulation. A local attacker in a guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS. (CVE-2020-11869)

Aviv Sasson discovered that QEMU incorrectly handled Slirp networking.
A remote attacker could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code.
This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 19.10. (CVE-2020-1983).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple security issues were discovered in QEMU, a fast processor emulator, which could result in denial of service or the execution of arbitrary code.

This update for qemu fixes the following issues :

  - CVE-2020-7039: Fixed a heap buffer overflow in tcp_emu()     routine while emulating IRC and other protocols     (bsc#1161066).

  - CVE-2019-15034: Fixed a buffer overflow in     hw/display/bochs-display.c due to improper PCI config     space allocation (bsc#1166379).

  - CVE-2020-1711: Fixed an out of bounds heap buffer access     iscsi_co_block_status() routine which could have allowed     a remote denial of service or arbitrary code with     privileges of the QEMU process on the host     (bsc#1166240).

  - CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu()     routine while emulating the identification protocol and     copying message data to a socket buffer (bsc#1123156).

  - CVE-2020-8608: Fixed a heap buffer overflow in tcp_emu()     routine while emulating IRC and other protocols     (bsc#1163018).

  - CVE-2019-20382: Fixed a memory leak in the VNC display     driver which could have led to exhaustion of the host     memory leading to a potential Denial of service     (bsc#1165776).

  - Fixed a live migration error (bsc#1154790).

  - Fixed an issue where migrating VMs on KVM gets missing     features:ospke error (bsc#1162729).

This update was imported from the SUSE:SLE-15-SP1:Update update project.

This update for qemu fixes the following issues :

CVE-2020-7039: Fixed a heap buffer overflow in tcp_emu() routine while emulating IRC and other protocols (bsc#1161066).

CVE-2019-15034: Fixed a buffer overflow in hw/display/bochs-display.c due to improper PCI config space allocation (bsc#1166379).

CVE-2020-1711: Fixed an out of bounds heap buffer access iscsi_co_block_status() routine which could have allowed a remote denial of service or arbitrary code with privileges of the QEMU process on the host (bsc#1166240).

CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() routine while emulating the identification protocol and copying message data to a socket buffer (bsc#1123156).

CVE-2020-8608: Fixed a heap buffer overflow in tcp_emu() routine while emulating IRC and other protocols (bsc#1163018).

CVE-2019-20382: Fixed a memory leak in the VNC display driver which could have led to exhaustion of the host memory leading to a potential Denial of service (bsc#1165776).

Fixed live migration errors (bsc#1154790, bsc#1156794, bsc#1156642).

Fixed an issue where migrating VMs on KVM gets missing features:ospke error (bsc#1162729).

Fixed an issue where booting up a guest system with mdev passthrough device as installation device was failing (bsc#1158880).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes the following issues :

CVE-2020-7039: Fixed a heap buffer overflow in tcp_emu() routine while emulating IRC and other protocols (bsc#1161066).

CVE-2019-15034: Fixed a buffer overflow in hw/display/bochs-display.c due to improper PCI config space allocation (bsc#1166379).

CVE-2020-1711: Fixed an out of bounds heap buffer access iscsi_co_block_status() routine which could have allowed a remote denial of service or arbitrary code with privileges of the QEMU process on the host (bsc#1166240).

CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() routine while emulating the identification protocol and copying message data to a socket buffer (bsc#1123156).

CVE-2020-8608: Fixed a heap buffer overflow in tcp_emu() routine while emulating IRC and other protocols (bsc#1163018).

CVE-2019-20382: Fixed a memory leak in the VNC display driver which could have led to exhaustion of the host memory leading to a potential Denial of service (bsc#1165776).

Fixed a live migration error (bsc#1154790).

Fixed an issue where migrating VMs on KVM gets missing features:ospke error (bsc#1162729).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
146269	Oracle Linux 7 : qemu (ELSA-2021-9034)	Nessus	Oracle Linux Local Security Checks	medium
136803	Ubuntu 16.04 LTS / 18.04 LTS / 19.10 / 20.04 : QEMU vulnerabilities (USN-4372-1)	Nessus	Ubuntu Local Security Checks	medium
136069	Debian DSA-4665-1 : qemu - security update	Nessus	Debian Local Security Checks	medium
135265	openSUSE Security Update : qemu (openSUSE-2020-468)	Nessus	SuSE Local Security Checks	medium
135169	SUSE SLES12 Security Update : qemu (SUSE-SU-2020:0845-1)	Nessus	SuSE Local Security Checks	medium
135168	SUSE SLED15 / SLES15 Security Update : qemu (SUSE-SU-2020:0844-1)	Nessus	SuSE Local Security Checks	medium

CVE-2019-15034

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

medium

medium

medium

medium

medium

medium