https://bugzilla.redhat.com/show_bug.cgi?id=1927007

[debian-lts-announce] 20210218 [SECURITY] [DLA 2560-1] qemu security update

https://www.zerodayinitiative.com/advisories/ZDI-21-159/

According to the versions of the qemu packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.
    This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of     service. The highest threat from this vulnerability is to system availability. (CVE-2020-35504)

  - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in     versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw     allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.
    The highest threat from this vulnerability is to system availability. (CVE-2020-35505)

  - A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This     flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges     on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as     system availability. (CVE-2021-20181)

  - An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of     QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an     interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said     issue while updating controller state fields and their subsequent processing. A privileged guest user may     use this flaw to crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-20221)

  - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a     single, large transfer request, to reduce the overhead and improve performance. The combined size of the     bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper     validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the     array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a     denial of service. (CVE-2021-3527)

  - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs     when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A     malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata,     resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the     host. (CVE-2021-3682)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the qemu packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A NULL pointer dereference flaw was found in the SCSI     emulation support of QEMU in versions before 6.0.0.
    This flaw allows a privileged guest user to crash the     QEMU process on the host, resulting in a denial of     service. The highest threat from this vulnerability is     to system availability.(CVE-2020-35504)

  - An out-of-bounds heap buffer access issue was found in     the ARM Generic Interrupt Controller emulator of QEMU     up to and including qemu 4.2.0on aarch64 platform. The     issue occurs because while writing an interrupt ID to     the controller memory area, it is not masked to be 4     bits wide. It may lead to the said issue while updating     controller state fields and their subsequent     processing. A privileged guest user may use this flaw     to crash the QEMU process on the host resulting in DoS     scenario.(CVE-2021-20221)

  - A flaw was found in the USB redirector device     (usb-redir) of QEMU. Small USB packets are combined     into a single, large transfer request, to reduce the     overhead and improve performance. The combined size of     the bulk transfer is used to dynamically allocate a     variable length array (VLA) on the stack without proper     validation. Since the total size is not bounded, a     malicious guest could use this flaw to influence the     array length and cause the QEMU process to perform an     excessive allocation on the(CVE-2021-3527)

  - QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c     because the usb_packet_map return value is not     checked.(CVE-2020-25084)

  - A NULL pointer dereference flaw was found in the     am53c974 SCSI host bus adapter emulation of QEMU in     versions before 6.0.0. This issue occurs while handling     the 'Information Transfer' command. This flaw allows a     privileged guest user to crash the QEMU process on the     host, resulting in a denial of service. The highest     threat from this vulnerability is to system     availability.(CVE-2020-35505)

  - An information disclosure vulnerability was found in     the virtio vhost-user GPU device (vhost-user-gpu) of     QEMU in versions up to and including 6.0. The flaw     exists in virgl_cmd_get_capset_info() in     contrib/vhost-user-gpu/virgl.c and could occur due to     the read of uninitialized memory. A malicious guest     could exploit this issue to leak memory from the host.
    (CVE-2021-3545)

  - Several memory leaks were found in the virtio     vhost-user GPU device (vhost-user-gpu) of QEMU in     versions up to and including 6.0. They exist in     contrib/vhost-user-gpu/vhost-user-gpu.c and     contrib/vhost-user-gpu/virgl.c due to improper release     of memory (i.e., free) after effective     lifetime.(CVE-2021-3544)

  - A flaw was found in vhost-user-gpu of QEMU in versions     up to and including 6.0. An out-of-bounds write     vulnerability can allow a malicious guest to crash the     QEMU process on the host resulting in a denial of     service or potentially execute arbitrary code on the     host with the privileges of the QEMU process. The     highest threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2021-3546)

  - A race condition flaw was found in the 9pfs server     implementation of QEMU up to and including 5.2.0. This     flaw allows a malicious 9p client to cause a     use-after-free error, potentially escalating their     privileges on the system. The highest threat from this     vulnerability is to confidentiality, integrity as well     as system availability.(CVE-2021-20181)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote SUSE Linux SLES11 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:14704-1 advisory.

  - The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows local guest users to write to qemu memory     locations and gain privileges via unspecified parameters related to rectangle handling. (CVE-2014-3689)

  - The VNC websocket frame decoder in QEMU allows remote attackers to cause a denial of service (memory and     CPU consumption) via a large (1) websocket payload or (2) HTTP headers section. (CVE-2015-1779)

  - In QEMU through 5.0.0, an integer overflow was found in the SM501 display driver implementation. This flaw     occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write()     callback. A local attacker could abuse this flaw to crash the QEMU process in sm501_2d_operation() in     hw/display/sm501.c on the host, resulting in a denial of service. (CVE-2020-12829)

  - In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame     count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation.
    (CVE-2020-13361)

  - In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a     crafted reply_queue_head field from a guest OS user. (CVE-2020-13362)

  - rom_copy() in hw/core/loader.c in QEMU 4.0 and 4.1.0 does not validate the relationship between two     addresses, which allows attackers to trigger an invalid memory copy operation. (CVE-2020-13765)

  - An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before     5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its     'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the     QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the     privileges of the QEMU process on the host. (CVE-2020-14364)

  - QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not     checked. (CVE-2020-25084)

  - hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host     controller driver. (CVE-2020-25624)

  - hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop. (CVE-2020-25625)

  - A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while     processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user     within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host,     resulting in a denial of service. (CVE-2020-25723)

  - slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of     header data even if that exceeds the total packet length. (CVE-2020-29130)

  - ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer     index is not validated. (CVE-2020-29443)

  - A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This     flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges     on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as     system availability. (CVE-2021-20181)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for qemu fixes the following issues :

Fix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)

Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383)

Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)

Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)

Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)

Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)

Fix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174)

Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)

Fix NULL pointer deref. (DoS) in mmio ops (CVE-2020-15469, bsc#1173612)

Fix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577)

Fix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968)

Fix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416)

Fix OOB access in SLIRP ARP packet processing (CVE-2020-29130, bsc#1179467)

Fix NULL pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386

Fix OOB access in iscsi (CVE-2020-11947 bsc#1180523)

Fix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)

Fix buffer overflow in the XGMAC device (CVE-2020-15863 bsc#1174386)

Fix DoS in packet processing of various emulated NICs (CVE-2020-16092 bsc#1174641)

Fix OOB access while processing USB packets (CVE-2020-14364 bsc#1175441)

Fix package scripts to not use hard-coded paths for temporary working directories and log files (bsc#1182425)

Fix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137)

Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384)

Fix OOB access in ROM loading (CVE-2020-13765 bsc#1172478)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes the following issues :

Fix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)

Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362, bsc#1172383)

Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)

Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)

Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)

Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)

Fix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174)

Fix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916, bsc#1179468)

Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)

Fix NULL pointer deref. (DoS) in mmio ops (CVE-2020-15469, bsc#1173612)

Fix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577)

Fix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968)

Fix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416)

Fix OOB access in SLIRP ARP/NCSI packet processing (CVE-2020-29129, bsc#1179466, CVE-2020-29130, bsc#1179467)

Fix NULL pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659, bsc#1172386)

Fix OOB access in iscsi (CVE-2020-11947, bsc#1180523)

Fix OOB access in vmxnet3 emulation (CVE-2021-20203, bsc#1181639)

Fix buffer overflow in the XGMAC device (CVE-2020-15863, bsc#1174386)

Fix DoS in packet processing of various emulated NICs (CVE-2020-16092, bsc#1174641)

Fix OOB access while processing USB packets (CVE-2020-14364, bsc#1175441)

Fix package scripts to not use hard-coded paths for temporary working directories and log files (bsc#1182425)

Fix potential privilege escalation in virtfs (CVE-2021-20181, bsc#1182137)

Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361, bsc#1172384)

Fix OOB access in ROM loading (CVE-2020-13765, bsc#1172478)

Fix qemu-testsuite failure

Fix vm migration is failing with input/output error when nfs server is disconnected (bsc#1119115)

Fix OOB access in ARM interrupt handling (CVE-2021-20221, bsc#1181933)

Fix slowness in arm32 emulation (bsc#1112499)

Fix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)

Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362, bsc#1172383)

Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)

Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)

Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)

Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)

Fix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174)

Fix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916, bsc#1179468)

Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)

Fix NULL pointer deref. (DoS) in mmio ops (CVE-2020-15469, bsc#1173612)

Fix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577)

Fix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968)

Fix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416)

Fix OOB access in SLIRP ARP/NCSI packet processing (CVE-2020-29129, bsc#1179466, CVE-2020-29130, bsc#1179467)

Fix NULL pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659, bsc#1172386)

Fix OOB access in iscsi (CVE-2020-11947, bsc#1180523)

Fix OOB access in vmxnet3 emulation (CVE-2021-20203, bsc#1181639)

Fix buffer overflow in the XGMAC device (CVE-2020-15863, bsc#1174386)

Fix DoS in packet processing of various emulated NICs (CVE-2020-16092, bsc#1174641)

Fix OOB access while processing USB packets (CVE-2020-14364, bsc#1175441)

Fix package scripts to not use hard-coded paths for temporary working directories and log files (bsc#1182425)

Fix potential privilege escalation in virtfs (CVE-2021-20181, bsc#1182137)

Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361, bsc#1172384)

Fix OOB access in ROM loading (CVE-2020-13765, bsc#1172478)

Fix qemu-testsuite failure

Fix vm migration is failing with input/output error when nfs server is disconnected (bsc#1119115)

Fix OOB access in ARM interrupt handling (CVE-2021-20221, bsc#1181933)

Fix slowness in arm32 emulation (bsc#1112499)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes the following issues :

Fix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)

Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383)

Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)

Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)

Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)

Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)

Fix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174)

Fix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916, bsc#1179468)

Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)

Fix NULL pointer deref. (DoS) in mmio ops (CVE-2020-15469, bsc#1173612)

Fix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577)

Fix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968)

Fix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416)

Fix OOB access in SLIRP ARP packet processing (CVE-2020-29130, bsc#1179467)

Fix NULL pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386

Fix OOB access in iscsi (CVE-2020-11947 bsc#1180523)

Fix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)

Fix buffer overflow in the XGMAC device (CVE-2020-15863, bsc#1174386)

Fix DoS in packet processing of various emulated NICs (CVE-2020-16092 bsc#1174641)

Fix OOB access while processing USB packets (CVE-2020-14364 bsc#1175441)

Fix package scripts to not use hard-coded paths for temporary working directories and log files (bsc#1182425)

Fix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137)

Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384)

Fix OOB access in ROM loading (CVE-2020-13765 bsc#1172478)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes the following issues :

Fix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)

Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383)

Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)

Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)

Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)

Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)

Fix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174)

Fix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916, bsc#1179468)

Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)

Fix NULL pointer deref. (DoS) in mmio ops (CVE-2020-15469, bsc#1173612)

Fix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577)

Fix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968)

Fix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416)

Fix OOB access in SLIRP ARP/NCSI packet processing (CVE-2020-29129, bsc#1179466, CVE-2020-29130, bsc#1179467)

Fix NULL pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386

Fix OOB access in iscsi (CVE-2020-11947 bsc#1180523)

Fix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)

Fix buffer overflow in the XGMAC device (CVE-2020-15863 bsc#1174386)

Fix DoS in packet processing of various emulated NICs (CVE-2020-16092 bsc#1174641)

Fix OOB access while processing USB packets (CVE-2020-14364 bsc#1175441)

Fix package scripts to not use hard-coded paths for temporary working directories and log files (bsc#1182425)

Fix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137)

Drop the 'ampersand 0x25 shift altgr' line in pt-br keymap file (bsc#1129962)

Fix migration failure with error message: 'error while loading state section id 3(ram) (bsc#1154790)

Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384)

Fix OOB access in ROM loading (CVE-2020-13765 bsc#1172478)

Fix OOB access in ARM interrupt handling (CVE-2021-20221 bsc#1181933)

Tweaks to spec file for better formatting, and remove not needed BuildRequires for e2fsprogs-devel and libpcap-devel

Use '%service_del_postun_without_restart' instead of '%service_del_postun' to avoid 'Failed to try-restart qemu-ga@.service' error while updating the qemu-guest-agent.
(bsc#1178565)

Fix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes the following issues :

Fix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)

Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383)

Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)

Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)

Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)

Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)

Fix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174)

Fix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916, bsc#1179468)

Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)

Fix heap overflow in MSIx emulation (CVE-2020-27821, bsc#1179686)

Fix NULL pointer deref. (DoS) in mmio ops (CVE-2020-15469, bsc#1173612)

Fix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577)

Fix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968)

Fix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416)

Fix OOB access in SLIRP ARP/NCSI packet processing (CVE-2020-29129, bsc#1179466, CVE-2020-29130, bsc#1179467)

Fix NULL pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386)

Fix issue where s390 guest fails to find zipl boot menu index (bsc#1183979)

Fix OOB access in iscsi (CVE-2020-11947 bsc#1180523)

Fix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)

Fix package scripts to not use hard-coded paths for temporary working directories and log files (bsc#1182425)

Fix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137)

Apply fixes to qemu scsi passthrough with respect to timeout and error conditions, including using more correct status codes. (bsc#1178049)

Fix OOB access in ARM interrupt handling (CVE-2021-20221 bsc#1181933)

Tweaks to spec file for better formatting, and remove not needed BuildRequires for e2fsprogs-devel and libpcap-devel

Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384)

Fix OOB access in ROM loading (CVE-2020-13765 bsc#1172478)

Fix OOB access while processing USB packets (CVE-2020-14364 bsc#1175441)

Fix DoS in packet processing of various emulated NICs (CVE-2020-16092 bsc#1174641)

Fix buffer overflow in the XGMAC device (CVE-2020-15863 bsc#1174386)

Use '%service_del_postun_without_restart' instead of '%service_del_postun' to avoid 'Failed to try-restart qemu-ga@.service' error while updating the qemu-guest-agent.
(bsc#1178565)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes the following issues :

Fix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)

Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383)

Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)

Fix use-after-free in usb iehci packet handling (CVE-2020-25084, bsc#1176673)

Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)

Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)

Fix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174)

Fix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916, bsc#1179468)

Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)

Fix heap overflow in MSIx emulation (CVE-2020-27821, bsc#1179686)

Fix NULL pointer deref. (DoS) in mmio ops (CVE-2020-15469, bsc#1173612)

Fix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577)

Fix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968)

Fix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416)

Fix OOB access in SLIRP ARP/NCSI packet processing (CVE-2020-29129, bsc#1179466, CVE-2020-29130, bsc#1179467)

Fix NULL pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386)

Fix issue where s390 guest fails to find zipl boot menu index (bsc#1183979)

Fix OOB access in iscsi (CVE-2020-11947 bsc#1180523)

Fix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)

Fix package scripts to not use hard-coded paths for temporary working directories and log files (bsc#1182425)

Fix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137)

Apply fixes to qemu scsi passthrough with respect to timeout and error conditions, including using more correct status codes. (bsc#1178049)

Fix OOB access in ARM interrupt handling (CVE-2021-20221 bsc#1181933)

Make note that this patch previously included addresses (CVE-2020-13765 bsc#1172478)

Tweaks to spec file for better formatting, and remove not needed BuildRequires for e2fsprogs-devel and libpcap-devel

Fix vfio-pci device on s390 enters error state (bsc#1179725)

Fix PCI devices are unavailable after a subsystem reset. (bsc#1179726)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9109 advisory.

  - iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buffer over-read that may disclose     unrelated information from process memory to an attacker. (CVE-2020-11947)

  - ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer     index is not validated. (CVE-2020-29443)

  - eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest     can crash the QEMU process via packet data that lacks a valid Layer 3 protocol. (CVE-2020-27617)

  - In QEMU 4.1.0, an out-of-bounds read flaw was found in the ATI VGA implementation. It occurs in the     ati_cursor_define() routine while handling MMIO write operations through the ati_mm_write() callback. A     malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service.
    (CVE-2019-20808)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9104 advisory.

  - iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buffer over-read that may disclose     unrelated information from process memory to an attacker. (CVE-2020-11947)

  - ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer     index is not validated. (CVE-2020-29443)

  - eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest     can crash the QEMU process via packet data that lacks a valid Layer 3 protocol. (CVE-2020-27617)

  - In QEMU 4.1.0, an out-of-bounds read flaw was found in the ATI VGA implementation. It occurs in the     ati_cursor_define() routine while handling MMIO write operations through the ati_mm_write() callback. A     malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service.
    (CVE-2019-20808)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for qemu fixes the following issues :

  - Fixed potential privilege escalation in virtfs     (CVE-2021-20181 bsc#1182137)

  - Fixed out-of-bound access in iscsi (CVE-2020-11947     bsc#1180523)

  - Fixed out-of-bound access in vmxnet3 emulation     (CVE-2021-20203 bsc#1181639)

  - Fixed out-of-bound access in ARM interrupt handling     (CVE-2021-20221 bsc#1181933)

  - Fixed vfio-pci device on s390 enters error state     (bsc#1179717 bsc#1179719)

  - Fixed 'Failed to try-restart qemu-ga@.service' error     while updating the qemu-guest-agent. (bsc#1178565)

  - Apply fixes to qemu scsi passthrough with respect to     timeout and error conditions, including using more     correct status codes. Add more qemu tracing which helped     track down these issues (bsc#1178049)

This update was imported from the SUSE:SLE-15-SP2:Update update project.

This update for qemu fixes the following issues :

Fixed potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137)

Fixed out-of-bound access in iscsi (CVE-2020-11947 bsc#1180523)

Fixed out-of-bound access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)

Fixed out-of-bound access in ARM interrupt handling (CVE-2021-20221 bsc#1181933)

Fixed vfio-pci device on s390 enters error state (bsc#1179717 bsc#1179719)

Fixed 'Failed to try-restart qemu-ga@.service' error while updating the qemu-guest-agent. (bsc#1178565)

Apply fixes to qemu scsi passthrough with respect to timeout and error conditions, including using more correct status codes. Add more qemu tracing which helped track down these issues (bsc#1178049)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities were discovered in QEMU, a fast processor emulator (notably used in KVM and Xen HVM virtualization). An attacker could trigger a denial of service (DoS), information leak, and possibly execute arbitrary code with the privileges of the QEMU process on the host.

CVE-2020-15469

A MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.

CVE-2020-15859

QEMU has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data's address set to the e1000e's MMIO address.

CVE-2020-25084

QEMU has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked.

CVE-2020-28916

hw/net/e1000e_core.c has an infinite loop via an RX descriptor with a NULL buffer address.

CVE-2020-29130

slirp.c has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.

CVE-2020-29443

ide_atapi_cmd_reply_end in hw/ide/atapi.c allows out-of-bounds read access because a buffer index is not validated.

CVE-2021-20181

9pfs: ZDI-CAN-10904: QEMU Plan 9 file system TOCTOU privilege escalation vulnerability.

CVE-2021-20221

aarch64: GIC: out-of-bound heap buffer access via an interrupt ID field.

For Debian 9 stretch, these problems have been fixed in version 1:2.8+dfsg-6+deb9u13.

We recommend that you upgrade your qemu packages.

For the detailed security status of qemu please refer to its security tracker page at: https://security-tracker.debian.org/tracker/qemu

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4725-1 advisory.

  - iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buffer over-read that may disclose     unrelated information from process memory to an attacker. (CVE-2020-11947)

  - QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e     packet with the data's address set to the e1000e's MMIO address. (CVE-2020-15859)

  - A flaw was found in the memory management API of QEMU during the initialization of a memory region cache.
    This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO     operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial     of service. This flaw affects QEMU versions prior to 5.2.0. (CVE-2020-27821)

  - hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.
    (CVE-2020-28916)

  - ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer     index is not validated. (CVE-2020-29443)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
156382	EulerOS Virtualization 3.0.2.0 : qemu (EulerOS-SA-2021-2844)	Nessus	Huawei Local Security Checks	high
151564	EulerOS Virtualization 2.9.1 : qemu (EulerOS-SA-2021-2192)	Nessus	Huawei Local Security Checks	high
151557	EulerOS Virtualization 2.9.0 : qemu (EulerOS-SA-2021-2211)	Nessus	Huawei Local Security Checks	high
150537	SUSE SLES11 Security Update : kvm (SUSE-SU-2021:14704-1)	Nessus	SuSE Local Security Checks	high
148966	SUSE SLES12 Security Update : qemu (SUSE-SU-2021:1305-1)	Nessus	SuSE Local Security Checks	high
148761	SUSE SLES12 Security Update : qemu (SUSE-SU-2021:1241-1)	Nessus	SuSE Local Security Checks	high
148758	SUSE SLES12 Security Update : qemu (SUSE-SU-2021:1240-1)	Nessus	SuSE Local Security Checks	high
148757	SUSE SLES15 Security Update : qemu (SUSE-SU-2021:1244-1)	Nessus	SuSE Local Security Checks	high
148752	SUSE SLES15 Security Update : qemu (SUSE-SU-2021:1245-1)	Nessus	SuSE Local Security Checks	high
148751	SUSE SLES12 Security Update : qemu (SUSE-SU-2021:1242-1)	Nessus	SuSE Local Security Checks	high
148545	Oracle Linux 7 : qemu (ELSA-2021-9109)	Nessus	Oracle Linux Local Security Checks	high
148544	Oracle Linux 7 : qemu (ELSA-2021-9104)	Nessus	Oracle Linux Local Security Checks	high
146938	openSUSE Security Update : qemu (openSUSE-2021-363)	Nessus	SuSE Local Security Checks	high
146643	SUSE SLED15 / SLES15 Security Update : qemu (SUSE-SU-2021:0521-1)	Nessus	SuSE Local Security Checks	high
146609	Debian DLA-2560-1 : qemu security update	Nessus	Debian Local Security Checks	high
146303	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 : QEMU vulnerabilities (USN-4725-1)	Nessus	Ubuntu Local Security Checks	high

CVE-2021-20181

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high