CVE-2021-20221: [SECURITY] [DLA 2560-1] qemu security update
An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0 on the aarch64 platform. The issue occurs because, while writing an interrupt ID to the controller memory area, the ID is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host, resulting in a DoS scenario.
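The root cause described above, a guest-controlled interrupt ID used as a table index without being masked to its 4-bit width, modelled as an added example. This is simplified illustrative code, not QEMU's GIC implementation; the `gic_model` structure, the register layout and the function names are assumptions made for the demonstration.

```c
/* Added illustrative model of the CVE-2021-20221 bug class: a 4-bit interrupt
 * ID field used as an array index without masking. Not QEMU's code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define SGI_COUNT   16U              /* interrupt IDs 0..15 fit in 4 bits */
#define SGI_ID_MASK 0xfU             /* width of the ID field in the register */

/* Hypothetical controller state: one pending flag per interrupt ID. */
struct gic_model {
    uint8_t sgi_pending[SGI_COUNT];
};

/* Vulnerable pattern: the guest-written register value is taken as the
 * index directly, so any value above 15 reaches past the table. */
static size_t sgi_index_unmasked(uint32_t reg_value)
{
    return (size_t)reg_value;        /* 0x23 -> 35, beyond the 16 entries */
}

/* Fixed pattern: mask the field to 4 bits before it is used as an index. */
static size_t sgi_index_masked(uint32_t reg_value)
{
    return (size_t)(reg_value & SGI_ID_MASK);   /* 0x23 -> 3 */
}

/* Apply a guest register write to the model. The bounds check here keeps the
 * model itself memory-safe; it returns false exactly in the cases where the
 * unmasked index would have produced a heap out-of-bounds write. */
static bool sgi_write(struct gic_model *g, uint32_t reg_value, bool masked)
{
    size_t idx = masked ? sgi_index_masked(reg_value)
                        : sgi_index_unmasked(reg_value);
    if (idx >= SGI_COUNT) {
        return false;                /* would be out of bounds in real code */
    }
    g->sgi_pending[idx] = 1;
    return true;
}

/* Index that a masked write of reg_value marks pending, for inspection. */
static int masked_write_target(uint32_t reg_value)
{
    struct gic_model g = {{0}};
    if (!sgi_write(&g, reg_value, true)) {
        return -1;
    }
    for (size_t i = 0; i < SGI_COUNT; i++) {
        if (g.sgi_pending[i]) {
            return (int)i;
        }
    }
    return -1;
}
```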
- To: [email protected]
- Subject: [SECURITY] [DLA 2560-1] qemu security update
- From: Sylvain Beucler <[email protected]>
- Date: Thu, 18 Feb 2021 17:57:32 +0100
- Message-id: <[email protected]>
- Mail-followup-to: [email protected]
- Reply-to: [email protected]
--------------------------------------------------------------------------
Debian LTS Advisory DLA-2560-1                      [email protected]
https://www.debian.org/lts/security/                    Sylvain Beucler
February 18, 2021                                 https://wiki.debian.org/LTS
--------------------------------------------------------------------------

Package        : qemu
Version        : 1:2.8+dfsg-6+deb9u13
CVE ID         : CVE-2020-15469 CVE-2020-15859 CVE-2020-25084 CVE-2020-28916
                 CVE-2020-29130 CVE-2020-29443 CVE-2021-20181 CVE-2021-20221
Debian Bug     : 970253 965978 970539 974687 976388
Several vulnerabilities were discovered in QEMU, a fast processor emulator (notably used in KVM and Xen HVM virtualization). An attacker could trigger a denial-of-service (DoS), information leak, and possibly execute arbitrary code with the privileges of the QEMU process on the host.
CVE-2020-15469

    A MemoryRegionOps object may lack read/write callback methods,
    leading to a NULL pointer dereference.

CVE-2020-15859

    QEMU has a use-after-free in hw/net/e1000e_core.c because a guest
    OS user can trigger an e1000e packet with the data's address set
    to the e1000e's MMIO address.

CVE-2020-25084

    QEMU has a use-after-free in hw/usb/hcd-xhci.c because the
    usb_packet_map return value is not checked.

CVE-2020-28916

    hw/net/e1000e_core.c has an infinite loop via an RX descriptor
    with a NULL buffer address.

CVE-2020-29130

    slirp.c has a buffer over-read because it tries to read a certain
    amount of header data even if that exceeds the total packet
    length.

CVE-2020-29443

    ide_atapi_cmd_reply_end in hw/ide/atapi.c allows out-of-bounds
    read access because a buffer index is not validated.

CVE-2021-20181

    9pfs: ZDI-CAN-10904: QEMU Plan 9 file system TOCTOU privilege
    escalation vulnerability.

CVE-2021-20221

    aarch64: GIC: out-of-bounds heap buffer access via an interrupt ID
    field.
For Debian 9 stretch, these problems have been fixed in version 1:2.8+dfsg-6+deb9u13.
We recommend that you upgrade your qemu packages.
For the detailed security status of qemu please refer to its security tracker page at: https://security-tracker.debian.org/tracker/qemu
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS