openSUSE-SU-2019:1274

openSUSE-SU-2019:1405

107059

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3812

FEDORA-2019-88a98ce795

FEDORA-2019-0664c7724d

20190531 [SECURITY] [DSA 4454-1] qemu security update

USN-3923-1

DSA-4454

According to the versions of the qemu-kvm packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - Memory leak in hw/audio/es1370.c in QEMU (aka Quick     Emulator) allows local guest OS privileged users to     cause a denial of service (host memory consumption and     QEMU process crash) via a large number of device unplug     operations.(CVE-2017-5526)

  - Memory leak in hw/audio/ac97.c in QEMU (aka Quick     Emulator) allows local guest OS privileged users to     cause a denial of service (host memory consumption and     QEMU process crash) via a large number of device unplug     operations.(CVE-2017-5525)

  - The xhci_kick_epctx function in hw/usb/hcd-xhci.c in     QEMU (aka Quick Emulator) allows local guest OS     privileged users to cause a denial of service (infinite     loop and QEMU process crash) via vectors related to     control transfer descriptor sequence.(CVE-2017-5973)

  - The sdhci_sdma_transfer_multi_blocks function in     hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local     OS guest privileged users to cause a denial of service     (infinite loop and QEMU process crash) via vectors     involving the transfer mode register during multi block     transfer.(CVE-2017-5987)

  - Memory leak in the megasas_handle_dcmd function in     hw/scsi/megasas.c in QEMU (aka Quick Emulator) allows     local guest OS privileged users to cause a denial of     service (host memory consumption) via MegaRAID Firmware     Interface (MFI) commands with the sglist size set to a     value over 2 Gb.(CVE-2017-5856)

  - qemu_deliver_packet_iov in net/net.c in Qemu accepts     packet sizes greater than INT_MAX, which allows     attackers to cause a denial of service or possibly have     unspecified other impact.(CVE-2018-17963)

  - qemu-bridge-helper.c in QEMU 4.0.0 does not ensure that     a network interface name (obtained from bridge.conf or     a --br=bridge option) is limited to the IFNAMSIZ size,     which can lead to an ACL bypass.(CVE-2019-13164)

  - Buffer overflow in the 'megasas_mmio_write' function in     Qemu 2.9.0 allows remote attackers to have unspecified     impact via unknown vectors.(CVE-2017-8380)

  - Quick Emulator (Qemu) built with the VirtFS, host     directory sharing via Plan 9 File System(9pfs) support,     is vulnerable to an improper access control issue. It     could occur while accessing virtfs metadata files in     mapped-file security mode. A guest user could use this     flaw to escalate their privileges inside     guest.(CVE-2017-7493)

  - In QEMU 3.1.0, load_device_tree in device_tree.c calls     the deprecated load_image function, which has a buffer     overflow risk.(CVE-2018-20815)

  - Use-after-free vulnerability in the sofree function in     slirp/socket.c in QEMU (aka Quick Emulator) allows     attackers to cause a denial of service (QEMU instance     crash) by leveraging failure to properly clear ifq_so     from pending packets.(CVE-2017-13711)

  - Stack-based buffer overflow in hw/usb/redirect.c in     QEMU (aka Quick Emulator) allows local guest OS users     to cause a denial of service (QEMU process crash) via     vectors related to logging debug     messages.(CVE-2017-10806)

  - The dhcp_decode function in slirp/bootp.c in QEMU (aka     Quick Emulator) allows local guest OS users to cause a     denial of service (out-of-bounds read and QEMU process     crash) via a crafted DHCP options     string.(CVE-2017-11434)

  - The imx_fec_do_tx function in hw/net/imx_fec.c in QEMU     (aka Quick Emulator) does not properly limit the buffer     descriptor count when transmitting packets, which     allows local guest OS administrators to cause a denial     of service (infinite loop and QEMU process crash) via     vectors involving a buffer descriptor with a length of     0 and crafted values in bd.flags.(CVE-2016-7907)

  - tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c)     in QEMU 3.0.0 uses uninitialized data in an snprintf     call, leading to Information disclosure.(CVE-2019-9824)

  - interface_release_resource in hw/display/qxl.c in QEMU     4.0.0 has a NULL pointer dereference.(CVE-2019-12155)

  - hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator)     allows local guest OS privileged users to cause a     denial of service (infinite loop and CPU consumption)     via the message ring page count.(CVE-2017-8112)

  - Qemu has a Buffer Overflow in rtl8139_do_receive in     hw/net/rtl8139.c because an incorrect integer data type     is used.(CVE-2018-17958)

  - TSX Asynchronous Abort condition on some CPUs utilizing     speculative execution may allow an authenticated user     to potentially enable information disclosure via a side     channel with local access.(CVE-2019-11135)

  - In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6,     1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1,     1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12     (fixed), when executing script in lsi_execute_script(),     the LSI scsi adapter emulator advances 's->dsp' index     to read next opcode. This can lead to an infinite loop     if the next opcode is empty. Move the existing loop     exit after 10k iterations so that it covers no-op     opcodes as well.(CVE-2019-12068)

  - qemu-seccomp.c in QEMU might allow local OS guest users     to cause a denial of service (guest crash) by     leveraging mishandling of the seccomp policy for     threads other than the main thread.(CVE-2018-15746)

  - Qemu has a Buffer Overflow in pcnet_receive in     hw/net/pcnet.c because an incorrect integer data type     is used.(CVE-2018-17962)

  - Quick Emulator(Qemu) built with the VMWARE PVSCSI     paravirtual SCSI bus emulation support is vulnerable to     an OOB r/w access issue. It could occur while     processing SCSI commands 'PVSCSI_CMD_SETUP_RINGS' or     'PVSCSI_CMD_SETUP_MSG_RING'. A privileged user inside     guest could use this flaw to crash the Qemu process     resulting in DoS.(CVE-2016-4952)

  - m_cat in slirp/mbuf.c in Qemu has a heap-based buffer     overflow via incoming fragmented     datagrams.(CVE-2018-11806)

  - In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c     allows out-of-bounds access by triggering an invalid     msg_len value.(CVE-2018-18849)

  - hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an     fid path while it is being accessed by a second thread,     leading to (for example) a use-after-free     outcome.(CVE-2018-19364)

  - v9fs_wstat in hw/9pfs/9p.c in QEMU allows guest OS     users to cause a denial of service (crash) because of a     race condition during file renaming.(CVE-2018-19489)

  - QEMU, through version 2.10 and through version 3.1.0,     is vulnerable to an out-of-bounds read of up to 128     bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A     local attacker with permission to execute i2c commands     could exploit this to read stack memory of the qemu     process on the host.(CVE-2019-3812)

  - A flaw was found in QEMU's Media Transfer Protocol     (MTP). The code opening files in usb_mtp_get_object and     usb_mtp_get_partial_object and directories in     usb_mtp_object_readdir doesn't consider that the     underlying filesystem may have changed since the time     lstat(2) was called in usb_mtp_object_alloc, a     classical TOCTTOU problem. An attacker with write     access to the host filesystem, shared with a guest, can     use this property to navigate the host filesystem in     the context of the QEMU process and read any file the     QEMU process has access to. Access to the filesystem     may be local or via a network share protocol such as     CIFS.(CVE-2018-16872)

  - ** DISPUTED ** An issue was discovered in ide_dma_cb()     in hw/ide/core.c in QEMU 2.4.0 through 4.2.0. The guest     system can crash the QEMU process in the host system     via a special SCSI_IOCTL_SEND_COMMAND. It hits an     assertion that implies that the size of successful DMA     transfers there must be a multiple of 512 (the size of     a sector). NOTE: a member of the QEMU security team     disputes the significance of this issue because a     'privileged guest user has many ways to cause similar     DoS effect, without triggering this     assert.'(CVE-2019-20175)

  - Quick Emulator (QEMU) built with Network Block Device     (NBD) Server support was vulnerable to a null-pointer     dereference issue. The flaw could occur when releasing     a client that was not initialized due to failed     negotiation. A remote user or process could exploit     this flaw to crash the qemu-nbd server (denial of     service).(CVE-2017-9524)

  - Qemu has integer overflows because IOReadHandler and     its associated functions use a signed integer data type     for a size value.(CVE-2018-18438)

  - The Bluetooth subsystem in QEMU mishandles negative     values for length variables, leading to memory     corruption.(CVE-2018-19665)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the qemu-kvm packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a     heap-based buffer overflow.(CVE-2019-6778)

  - A flaw was found in QEMU's Media Transfer Protocol     (MTP). The code opening files in usb_mtp_get_object and     usb_mtp_get_partial_object and directories in     usb_mtp_object_readdir doesn't consider that the     underlying filesystem may have changed since the time     lstat(2) was called in usb_mtp_object_alloc, a     classical TOCTTOU problem. An attacker with write     access to the host filesystem, shared with a guest, can     use this property to navigate the host filesystem in     the context of the QEMU process and read any file the     QEMU process has access to. Access to the filesystem     may be local or via a network share protocol such as     CIFS.(CVE-2018-16872)

  - hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an     fid path while it is being accessed by a second thread,     leading to (for example) a use-after-free     outcome.(CVE-2018-19364)

  - v9fs_wstat in hw/9pfs/9p.c in QEMU allows guest OS     users to cause a denial of service (crash) because of a     race condition during file renaming.(CVE-2018-19489)

  - QEMU, through version 2.10 and through version 3.1.0,     is vulnerable to an out-of-bounds read of up to 128     bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A     local attacker with permission to execute i2c commands     could exploit this to read stack memory of the qemu     process on the host.(CVE-2019-3812)

  - Memory leak in hw/audio/ac97.c in QEMU (aka Quick     Emulator) allows local guest OS privileged users to     cause a denial of service (host memory consumption and     QEMU process crash) via a large number of device unplug     operations.(CVE-2017-5525)

  - Memory leak in hw/audio/es1370.c in QEMU (aka Quick     Emulator) allows local guest OS privileged users to     cause a denial of service (host memory consumption and     QEMU process crash) via a large number of device unplug     operations.(CVE-2017-5526)

  - The sdhci_sdma_transfer_multi_blocks function in     hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local     OS guest privileged users to cause a denial of service     (infinite loop and QEMU process crash) via vectors     involving the transfer mode register during multi block     transfer.(CVE-2017-5987)

  - An integer overflow flaw was found in Quick Emulator     (QEMU) in the CCID Card device support. The flaw could     occur while passing messages via command/response     packets to and from the host. A privileged user inside     a guest could use this flaw to crash the QEMU     process.(CVE-2017-5898)

  - The xhci_kick_epctx function in hw/usb/hcd-xhci.c in     QEMU (aka Quick Emulator) allows local guest OS     privileged users to cause a denial of service (infinite     loop and QEMU process crash) via vectors related to     control transfer descriptor sequence.(CVE-2017-5973)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the qemu-kvm packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a     heap-based buffer overflow.(CVE-2019-6778)

  - A flaw was found in QEMU's Media Transfer Protocol     (MTP). The code opening files in usb_mtp_get_object and     usb_mtp_get_partial_object and directories in     usb_mtp_object_readdir doesn't consider that the     underlying filesystem may have changed since the time     lstat(2) was called in usb_mtp_object_alloc, a     classical TOCTTOU problem. An attacker with write     access to the host filesystem, shared with a guest, can     use this property to navigate the host filesystem in     the context of the QEMU process and read any file the     QEMU process has access to. Access to the filesystem     may be local or via a network share protocol such as     CIFS.(CVE-2018-16872)

  - hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an     fid path while it is being accessed by a second thread,     leading to (for example) a use-after-free     outcome.(CVE-2018-19364)

  - v9fs_wstat in hw/9pfs/9p.c in QEMU allows guest OS     users to cause a denial of service (crash) because of a     race condition during file renaming.(CVE-2018-19489)

  - QEMU, through version 2.10 and through version 3.1.0,     is vulnerable to an out-of-bounds read of up to 128     bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A     local attacker with permission to execute i2c commands     could exploit this to read stack memory of the qemu     process on the host.(CVE-2019-3812)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the qemu-kvm packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in QEMU's Media Transfer Protocol     (MTP) where a path traversal in the in     usb_mtp_write_data function in hw/usb/dev-mtp.c due to     an improper file name sanitization. Reading and writing     of arbitrary files is allowed when a guest device is     mounted which may lead to a denial of service scenario     or possibly lead to code execution on the     host.(CVE-2018-16867)

  - A flaw was found in QEMU's Media Transfer Protocol     (MTP). The code opening files in usb_mtp_get_object and     usb_mtp_get_partial_object and directories in     usb_mtp_object_readdir doesn't consider that the     underlying filesystem may have changed since the time     lstat(2) was called in usb_mtp_object_alloc, a     classical TOCTTOU problem. An attacker with write     access to the host filesystem, shared with a guest, can     use this property to navigate the host filesystem in     the context of the QEMU process and read any file the     QEMU process has access to. Access to the filesystem     may be local or via a network share protocol such as     CIFS.(CVE-2018-16872)

  - hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an     fid path while it is being accessed by a second thread,     leading to (for example) a use-after-free     outcome.(CVE-2018-19364)

  - v9fs_wstat in hw/9pfs/9p.c in QEMU allows guest OS     users to cause a denial of service (crash) because of a     race condition during file renaming.(CVE-2018-19489)

  - hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a     read operation (such as uar_read by analogy to     uar_write), which allows attackers to cause a denial of     service (NULL pointer dereference).(CVE-2018-20191)

  - QEMU, through version 2.10 and through version 3.1.0,     is vulnerable to an out-of-bounds read of up to 128     bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A     local attacker with permission to execute i2c commands     could exploit this to read stack memory of the qemu     process on the host.(CVE-2019-3812)

  - In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a     heap-based buffer overflow.(CVE-2019-6778)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple security issues were discovered in QEMU, a fast processor emulator, which could result in denial of service, the execution of arbitrary code or information disclosure.

In addition this update backports support to passthrough the new md-clear CPU flag added in the intel-microcode update shipped in DSA 4447 to x86-based guests.

This update for qemu fixes the following issues :

Security issues fixed :

  - CVE-2019-9824: Fixed an information leak in slirp     (bsc#1129622)

  - CVE-2019-8934: Added method to specify whether or not to     expose certain ppc64 host information, which can be     considered a security issue (bsc#1126455)

  - CVE-2019-3812: Fixed OOB memory access and information     leak in virtual monitor interface (bsc#1125721)

  - CVE-2018-20815: Fix DOS possibility in device tree     processing (bsc#1130675)

  - Adjust fix for CVE-2019-8934 (bsc#1126455) to match the     latest upstream adjustments for the same. Basically now     the security fix is to provide a dummy host-model and     host-serial value, which overrides getting that value     from the host

  - CVE-2018-12126 CVE-2018-12127 CVE-2018-12130     CVE-2019-11091: Added x86 cpu feature 'md-clear'     (bsc#1111331)

Other bugs fixed :

  - Use a new approach to handling the file input to -smbios     option, which accepts either legacy or per-spec formats     regardless of the machine type.

This update was imported from the SUSE:SLE-15:Update update project.

- fix crash with virgl enabled (bz #1692323)

  - linux-user: make pwrite64/pread64(fd, NULL, 0, offset)     return 0 (bz #1174267)

  - Fix build with latest gluster (bz #1684298)

  - CVE-2018-20123: pvrdma: memory leakage in device hotplug     (bz #1658964)

  - CVE-2018-16872: usb-mtp: path traversal issue (bz     #1659150)

  - CVE-2018-20191: pvrdma: uar_read leads to NULL deref (bz     #1660315)

  - CVE-2019-6501: scsi-generic: possible OOB access (bz     #1669005)

  - CVE-2019-6778: slirp: heap buffer overflow (bz #1669072)

  - CVE-2019-3812: Out-of-bounds read in hw/i2c/i2c-ddc.c     allows for memory disclosure (bz #1678081)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes the following issues :

Security issues fixed :

  - CVE-2019-9824: Fixed information leak in slirp     (bsc#1129622).

  - CVE-2019-8934: Added method to specify whether or not to     expose certain ppc64 hostinformation (bsc#1126455).

  - CVE-2019-3812: Fixed Out-of-bounds memory access and     information leak in virtual monitor interface     (bsc#1125721).

  - CVE-2018-20815: Fixed a denial of service possibility in     device tree processing (bsc#1130675).

Non-security issue fixed :

  - Backported Skylake-Server vcpu model support from qemu     v2.11 (FATE#327261 bsc#1131955).

  - Added ability to set virtqueue size using virtqueue_size     parameter (FATE#327255 bsc#1118900).

This update was imported from the SUSE:SLE-12-SP3:Update update project.

Michael Hanselmann discovered that QEMU incorrectly handled the Media Transfer Protocol (MTP). An attacker inside the guest could use this issue to read or write arbitrary files and cause a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.10. (CVE-2018-16867)

Michael Hanselmann discovered that QEMU incorrectly handled the Media Transfer Protocol (MTP). An attacker inside the guest could use this issue to read arbitrary files, contrary to expectations. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-16872)

Zhibin Hu discovered that QEMU incorrectly handled the Plan 9 File System support. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2018-19489)

Li Quang and Saar Amar discovered multiple issues in the QEMU PVRDMA device. An attacker inside the guest could use these issues to cause a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.10. These issues were resolved by disabling PVRDMA support in Ubuntu 18.10. (CVE-2018-20123, CVE-2018-20124, CVE-2018-20125, CVE-2018-20126, CVE-2018-20191, CVE-2018-20216)

Michael Hanselmann discovered that QEMU incorrectly handled certain i2c commands. A local attacker could possibly use this issue to read QEMU process memory. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2019-3812)

It was discovered that QEMU incorrectly handled the Slirp networking back-end. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2019-6778).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- CVE-2018-19364: 9pfs: use-after-free (bz #1651359)

  - CVE-2018-19489: 9pfs: use-after-free renaming files (bz     #1653157)

  - CVE-2018-16867: usb-mtp: path traversal issue (bz     #1656746)

  - CVE-2018-16872: usb-mtp: path traversal issue (bz     #1659150)

  - CVE-2018-20191: pvrdma: uar_read leads to NULL deref (bz     #1660315)

  - CVE-2019-6778: slirp: heap buffer overflow (bz #1669072)

  - CVE-2019-3812: Out-of-bounds read in hw/i2c/i2c-ddc.c     allows for memory disclosure (bz #1678081)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
138009	EulerOS Virtualization 3.0.6.0 : qemu-kvm (EulerOS-SA-2020-1790)	Nessus	Huawei Local Security Checks	critical
134555	EulerOS Virtualization for ARM 64 3.0.2.0 : qemu-kvm (EulerOS-SA-2020-1266)	Nessus	Huawei Local Security Checks	high
131517	EulerOS Virtualization for ARM 64 3.0.3.0 : qemu-kvm (EulerOS-SA-2019-2352)	Nessus	Huawei Local Security Checks	high
128184	EulerOS 2.0 SP8 : qemu-kvm (EulerOS-SA-2019-1815)	Nessus	Huawei Local Security Checks	high
125609	Debian DSA-4454-1 : qemu - security update	Nessus	Debian Local Security Checks	high
125302	openSUSE Security Update : qemu (openSUSE-2019-1405) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)	Nessus	SuSE Local Security Checks	critical
124467	Fedora 30 : 2:qemu (2019-0664c7724d)	Nessus	Fedora Local Security Checks	high
124311	openSUSE Security Update : qemu (openSUSE-2019-1274)	Nessus	SuSE Local Security Checks	critical
123457	Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : QEMU vulnerabilities (USN-3923-1)	Nessus	Ubuntu Local Security Checks	high
123101	Fedora 29 : 2:qemu (2019-88a98ce795)	Nessus	Fedora Local Security Checks	high

CVE-2019-3812

MEDIUM

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Tenable Plugins

critical

high

high

high

high

critical

high

critical

high

high