CVE-2021-20221: [SECURITY] [DLA 2560-1] qemu security update

An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0 on the aarch64 platform. The issue occurs because, while writing an interrupt ID to the controller memory area, the value is not masked to 4 bits wide. This can lead to out-of-bounds access while updating controller state fields and in their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host, resulting in a DoS scenario.
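The masking bug described above, as an added illustration that is not QEMU's code: a hypothetical model of the per-interrupt state that a register write indexes. The page only says the interrupt ID is not masked to 4 bits; the assumptions here are that the vulnerable decode kept a wider (10-bit) ID, and that the state being indexed is a 16-entry array, which is exactly what a 4-bit field can address (the GIC has 16 software-generated interrupts). The struct, the 10-bit width, the register-handler shape and all function names are illustrative.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model (not QEMU's code) of the state touched by an
 * interrupt-ID write. A 4-bit ID field can only name entries 0..15,
 * so per-ID state is a fixed 16-entry array; any ID >= 16 indexes
 * past the end of it. */
#define GIC_NSGI 16

typedef struct {
    uint8_t sgi_pending[GIC_NSGI];
    uint8_t canary;   /* sits right after the array; an unchecked write
                         at index 16 would land here */
} gic_model_t;

/* Vulnerable decode (assumed width): keeps a 10-bit interrupt ID even
 * though the field carrying it is only 4 bits, so a guest can supply
 * an ID as large as 1023. */
int sgi_id_unmasked(uint32_t value)
{
    return (int)(value & 0x3ff);
}

/* Fixed decode: mask the field to its 4-bit width, as the advisory's
 * description of the flaw implies the fix must. */
int sgi_id_masked(uint32_t value)
{
    return (int)(value & 0xf);
}

/* Explicit bounds check, independent of how the ID was decoded. */
bool sgi_id_in_bounds(int irq)
{
    return irq >= 0 && irq < GIC_NSGI;
}

/* Simulated register-write handler. Returns 0 and records the pending
 * state when the decoded ID is valid; returns -1 and touches nothing
 * when it is not, instead of indexing past the array. */
int gic_sgir_write(gic_model_t *s, uint32_t value, int (*decode)(uint32_t))
{
    int irq = decode(value);
    if (!sgi_id_in_bounds(irq)) {
        return -1;
    }
    s->sgi_pending[irq] = 1;
    return 0;
}

void gic_model_init(gic_model_t *s)
{
    memset(s->sgi_pending, 0, sizeof s->sgi_pending);
    s->canary = 0xA5;
}

int main(void)
{
    gic_model_t s;
    uint32_t guest_value = 0x3ff;   /* constructed guest write: every ID bit set */

    gic_model_init(&s);
    printf("unmasked decode of 0x%x -> %d (in bounds: %s)\n", guest_value,
           sgi_id_unmasked(guest_value),
           sgi_id_in_bounds(sgi_id_unmasked(guest_value)) ? "yes" : "no");
    printf("masked decode of 0x%x -> %d (in bounds: %s)\n", guest_value,
           sgi_id_masked(guest_value),
           sgi_id_in_bounds(sgi_id_masked(guest_value)) ? "yes" : "no");
    printf("handler, unmasked decode: %d\n",
           gic_sgir_write(&s, guest_value, sgi_id_unmasked));
    printf("handler, masked decode: %d, pending[15]=%u, canary=0x%02x\n",
           gic_sgir_write(&s, guest_value, sgi_id_masked),
           s.sgi_pending[15], s.canary);
    return 0;
}
```

The point of keeping both the mask and the bounds check is that they fail independently: masking to the field's architectural width makes every decoded value a valid index, and the explicit check catches any future path that forgets to mask.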


--------------------------------------------------------------------------
Debian LTS Advisory DLA-2560-1                         [email protected]
https://www.debian.org/lts/security/                      Sylvain Beucler
February 18, 2021                             https://wiki.debian.org/LTS
--------------------------------------------------------------------------


Package        : qemu
Version        : 1:2.8+dfsg-6+deb9u13
CVE ID         : CVE-2020-15469 CVE-2020-15859 CVE-2020-25084 CVE-2020-28916
                 CVE-2020-29130 CVE-2020-29443 CVE-2021-20181 CVE-2021-20221
Debian Bug     : 970253 965978 970539 974687 976388

Several vulnerabilities were discovered in QEMU, a fast processor emulator (notably used in KVM and Xen HVM virtualization). An attacker could trigger a denial-of-service (DoS), information leak, and possibly execute arbitrary code with the privileges of the QEMU process on the host.

CVE-2020-15469

A MemoryRegionOps object may lack read/write callback methods,
leading to a NULL pointer dereference.

CVE-2020-15859

QEMU has a use-after-free in hw/net/e1000e_core.c because a guest
OS user can trigger an e1000e packet with the data's address set
to the e1000e's MMIO address.

CVE-2020-25084

QEMU has a use-after-free in hw/usb/hcd-xhci.c because the
usb_packet_map return value is not checked.

CVE-2020-28916

hw/net/e1000e_core.c has an infinite loop via an RX descriptor
with a NULL buffer address.

CVE-2020-29130

slirp.c has a buffer over-read because it tries to read a certain
amount of header data even if that exceeds the total packet
length.

CVE-2020-29443

ide_atapi_cmd_reply_end in hw/ide/atapi.c allows out-of-bounds
read access because a buffer index is not validated.

CVE-2021-20181

9pfs: ZDI-CAN-10904: QEMU Plan 9 file system TOCTOU privilege
escalation vulnerability.

CVE-2021-20221

aarch64: GIC: out-of-bound heap buffer access via an interrupt ID
field.

For Debian 9 stretch, these problems have been fixed in version 1:2.8+dfsg-6+deb9u13.

We recommend that you upgrade your qemu packages.

For the detailed security status of qemu please refer to its security tracker page at: https://security-tracker.debian.org/tracker/qemu

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS


Related news

Gentoo Linux Security Advisory 202208-27

Gentoo Linux Security Advisory 202208-27 - Multiple vulnerabilities have been discovered in QEMU, the worst of which could result in remote code execution (guest sandbox escape). Versions less than 7.0.0 are affected.

RHSA-2021:4191: Red Hat Security Advisory: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update

An update for the virt:rhel and virt-devel:rhel modules is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-15859: QEMU: net: e1000e: use-after-free while sending packets * CVE-2021-3592: QEMU: slirp: invalid pointer initialization may lead to information disclosure (bootp) * CVE-2021-3593: QEMU: slirp: invalid pointer initialization may lead to information disclosure (udp6) * CVE-2021-3594: QEMU: slirp: invalid pointer initi...

CVE-2021-20181: Invalid Bug ID

A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability.

CVE-2020-25084: security - CVE-2020-25084 QEMU: usb: use-after-free issue while setting up packet

QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked.

CVE-2020-15859: [PATCH] e1000e: using bottom half to send packets

QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data's address set to the e1000e's MMIO address.

CVE-2020-15469: [PATCH v3 0/9] memory: assert and define MemoryRegionOps callbacks

In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.
