Headline
CVE-2021-20221: [SECURITY] [DLA 2560-1] qemu security update
An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0 on the aarch64 platform. The issue occurs because, while an interrupt ID is written to the controller memory area, it is not masked to be 4 bits wide. This may lead to an out-of-bounds access while updating controller state fields and during their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host, resulting in a DoS scenario.
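The defect class above, modelled as an added C example (this is not QEMU's code, and the constants, field layout and function names are assumptions made for the model): a GICv2 has 16 software-generated interrupts, so the per-CPU SGI pending table has 16 rows, and the guest-written interrupt ID field is 4 bits wide. The example contrasts the index a wider mask would derive from the same register value with the 4-bit masked index, adds the review-time check that a field's width fits the table it indexes, and shows a write path that is both masked and bounds-checked.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the defect class in CVE-2021-20221; not QEMU's own code.
 * GICv2 reserves interrupt IDs 0-15 for software-generated interrupts (SGIs),
 * so a per-CPU SGI pending table has 16 rows. The guest supplies the SGI
 * number in a 4-bit field of a 32-bit register write; the emulator must use
 * exactly those 4 bits as the row index. Keeping a wider slice of the value
 * (a 10-bit general interrupt ID width is assumed for the vulnerable variant)
 * lets a guest pick a row beyond the end of the table. */
#define GIC_NR_SGIS   16
#define GIC_NCPU      8
#define SGI_ID_WIDTH  4          /* assumed: bits [3:0] carry the SGI number */
#define FULL_IRQ_MASK 0x3ffu     /* assumed: width the vulnerable variant kept */

typedef struct {
    uint8_t sgi_pending[GIC_NR_SGIS][GIC_NCPU]; /* bitmask of requesting CPUs */
} gic_state;

/* Index the vulnerable pattern derives: too wide for a 16-row table. */
uint32_t sgi_index_unmasked(uint32_t value)
{
    return value & FULL_IRQ_MASK;
}

/* Index the corrected pattern derives: masked to the field's real width. */
uint32_t sgi_index_masked(uint32_t value)
{
    return value & ((1u << SGI_ID_WIDTH) - 1u);
}

/* Review-time check: a w-bit field can hold 2^w values, so any table it is
 * used to index must have at least 2^w rows. */
bool field_width_fits_table(unsigned width, size_t rows)
{
    return width < 32 && ((size_t)1 << width) <= rows;
}

/* Hardened write path: the index is masked at extraction and every index is
 * bounds-checked before the table is touched, so no register value reaches
 * sgi_pending out of range. Returns false when the write is rejected. */
bool gic_sgi_write(gic_state *s, uint32_t value, unsigned src_cpu, unsigned dst_cpu)
{
    uint32_t irq = sgi_index_masked(value);
    if (irq >= GIC_NR_SGIS || src_cpu >= GIC_NCPU || dst_cpu >= GIC_NCPU) {
        return false;
    }
    s->sgi_pending[irq][dst_cpu] |= (uint8_t)(1u << src_cpu);
    return true;
}

bool gic_sgi_is_pending(const gic_state *s, uint32_t irq, unsigned src_cpu, unsigned dst_cpu)
{
    if (irq >= GIC_NR_SGIS || src_cpu >= GIC_NCPU || dst_cpu >= GIC_NCPU) {
        return false;
    }
    return ((s->sgi_pending[irq][dst_cpu] >> src_cpu) & 1u) != 0;
}

/* Self-check: a write with an arbitrary register value marks exactly one
 * (row, cpu) cell inside the table, the one selected by the masked index. */
bool sgi_write_lands_in_table(uint32_t value)
{
    gic_state s;
    memset(&s, 0, sizeof s);
    if (!gic_sgi_write(&s, value, 2, 1)) {
        return false;
    }
    uint32_t row = sgi_index_masked(value);
    for (uint32_t r = 0; r < GIC_NR_SGIS; r++) {
        for (unsigned c = 0; c < GIC_NCPU; c++) {
            if ((s.sgi_pending[r][c] != 0) != (r == row && c == 1)) {
                return false;
            }
        }
    }
    return gic_sgi_is_pending(&s, row, 2, 1) && !gic_sgi_is_pending(&s, row, 3, 1);
}

int main(void)
{
    /* Constructed guest write: all low bits set, a value a guest can choose. */
    uint32_t guest_value = 0x3ffu;
    bool unmasked_oob = sgi_index_unmasked(guest_value) >= GIC_NR_SGIS; /* 1023: out of range */
    bool masked_ok = sgi_write_lands_in_table(guest_value);               /* lands on row 15 */
    return (unmasked_oob && masked_ok) ? 0 : 1;
}
```

The masked index alone is enough to keep the table access in range; the explicit `irq >= GIC_NR_SGIS` comparison in `gic_sgi_write` is defence in depth so that a later change to the field width or the table size fails closed instead of silently reintroducing the overflow.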
- To: [email protected]
- Subject: [SECURITY] [DLA 2560-1] qemu security update
- From: Sylvain Beucler <[email protected]>
- Date: Thu, 18 Feb 2021 17:57:32 +0100
- Message-id: <[email protected]>
- Mail-followup-to: [email protected]
- Reply-to: [email protected]
--------------------------------------------------------------------------
Debian LTS Advisory DLA-2560-1                          [email protected]
https://www.debian.org/lts/security/                       Sylvain Beucler
February 18, 2021                                https://wiki.debian.org/LTS
--------------------------------------------------------------------------
Package        : qemu
Version        : 1:2.8+dfsg-6+deb9u13
CVE ID         : CVE-2020-15469 CVE-2020-15859 CVE-2020-25084 CVE-2020-28916
                 CVE-2020-29130 CVE-2020-29443 CVE-2021-20181 CVE-2021-20221
Debian Bug     : 970253 965978 970539 974687 976388
Several vulnerabilities were discovered in QEMU, a fast processor emulator (notably used in KVM and Xen HVM virtualization). An attacker could trigger a denial-of-service (DoS), information leak, and possibly execute arbitrary code with the privileges of the QEMU process on the host.
CVE-2020-15469
    A MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.

CVE-2020-15859
    QEMU has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data's address set to the e1000e's MMIO address.

CVE-2020-25084
    QEMU has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked.

CVE-2020-28916
    hw/net/e1000e_core.c has an infinite loop via an RX descriptor with a NULL buffer address.

CVE-2020-29130
    slirp.c has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.

CVE-2020-29443
    ide_atapi_cmd_reply_end in hw/ide/atapi.c allows out-of-bounds read access because a buffer index is not validated.

CVE-2021-20181
    9pfs: ZDI-CAN-10904: QEMU Plan 9 file system TOCTOU privilege escalation vulnerability.

CVE-2021-20221
    aarch64: GIC: out-of-bounds heap buffer access via an interrupt ID field.
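The slirp header over-read (CVE-2020-29130) and the unvalidated atapi buffer index (CVE-2020-29443) in the list above share a root cause: a length or index taken from untrusted input is used before it is compared with the size of the data actually held. The following C parser is an added example written for this page, not slirp's, QEMU's or the advisory's code; its header layout is modelled loosely on IPv4 (version/IHL byte, 16-bit total length) and the sample packets are constructed. It shows the three checks a header parser needs: enough bytes for the fixed header before any field is read, a header-length field that fits the buffer, and a claimed total length that never exceeds what was received.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed example of length validation in a packet header parser; this is
 * not slirp's or QEMU's code. Byte 0 holds version (high nibble) and header
 * length in 32-bit words (low nibble); bytes 2-3 hold the total length in
 * network byte order. Every derived length is checked against buf_len, the
 * number of bytes actually received, before it is used. */
#define MIN_HDR_LEN 20u

typedef enum {
    PARSE_OK = 0,
    PARSE_TOO_SHORT,      /* fewer bytes than the fixed header needs */
    PARSE_BAD_HDR_LEN,    /* header length below minimum or beyond the buffer */
    PARSE_BAD_TOTAL_LEN   /* claimed total length inconsistent with the data */
} parse_status;

typedef struct {
    uint8_t        version;
    size_t         hdr_len;      /* header length in bytes */
    size_t         total_len;    /* total length the header claims */
    size_t         payload_len;  /* bytes after the header, within total_len */
    const uint8_t *payload;
} parsed_pkt;

parse_status parse_packet(const uint8_t *buf, size_t buf_len, parsed_pkt *out)
{
    /* 1. Do not read any header field until the whole fixed header is present. */
    if (buf == NULL || out == NULL || buf_len < MIN_HDR_LEN) {
        return PARSE_TOO_SHORT;
    }
    uint8_t version   = buf[0] >> 4;
    size_t  hdr_len   = (size_t)(buf[0] & 0x0f) * 4u;
    size_t  total_len = ((size_t)buf[2] << 8) | buf[3];

    /* 2. The header length field is attacker-controlled: it must cover the
     *    fixed header and must not extend past the bytes we hold. */
    if (hdr_len < MIN_HDR_LEN || hdr_len > buf_len) {
        return PARSE_BAD_HDR_LEN;
    }
    /* 3. The total length is likewise untrusted: it must contain the header
     *    and may not exceed the buffer. Bytes the packet claims beyond
     *    buf_len do not exist and must never be read. */
    if (total_len < hdr_len || total_len > buf_len) {
        return PARSE_BAD_TOTAL_LEN;
    }
    out->version     = version;
    out->hdr_len     = hdr_len;
    out->total_len   = total_len;
    out->payload     = buf + hdr_len;
    out->payload_len = total_len - hdr_len;
    return PARSE_OK;
}

/* Status-only wrapper for quick checks. */
parse_status check_packet(const uint8_t *buf, size_t buf_len)
{
    parsed_pkt p;
    return parse_packet(buf, buf_len, &p);
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t SAMPLE_OK[24] = {
    0x45, 0x00, 0x00, 0x18,          /* v4, IHL=5 (20 bytes), total length 24 */
    0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,
    0xde, 0xad, 0xbe, 0xef           /* 4 payload bytes */
};
static const uint8_t SAMPLE_LYING_TOTAL[24] = {
    0x45, 0x00, 0x00, 0x64,          /* claims 100 bytes; only 24 are present */
    0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,
    0, 0, 0, 0
};
static const uint8_t SAMPLE_LYING_IHL[24] = {
    0x4f, 0x00, 0x00, 0x18,          /* IHL=15 (60-byte header) in a 24-byte buffer */
    0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,
    0, 0, 0, 0
};

/* Payload length of the valid sample; 0 if parsing fails. */
size_t sample_payload_len(void)
{
    parsed_pkt p;
    if (parse_packet(SAMPLE_OK, sizeof SAMPLE_OK, &p) != PARSE_OK) {
        return 0;
    }
    return p.payload_len;
}

int main(void)
{
    bool ok = check_packet(SAMPLE_OK, sizeof SAMPLE_OK) == PARSE_OK
           && check_packet(SAMPLE_OK, 10) == PARSE_TOO_SHORT
           && check_packet(SAMPLE_LYING_TOTAL, sizeof SAMPLE_LYING_TOTAL) == PARSE_BAD_TOTAL_LEN
           && check_packet(SAMPLE_LYING_IHL, sizeof SAMPLE_LYING_IHL) == PARSE_BAD_HDR_LEN;
    return ok ? 0 : 1;
}
```

Note that `buf_len` is the only trusted quantity: it comes from the receive path, not from the packet. A parser that instead trusts the header's own total-length field as the bound for later reads is exactly the pattern the slirp entry describes.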
For Debian 9 stretch, these problems have been fixed in version 1:2.8+dfsg-6+deb9u13.
We recommend that you upgrade your qemu packages.
For the detailed security status of qemu please refer to its security tracker page at: https://security-tracker.debian.org/tracker/qemu
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS