Ubuntu Security Notice USN-7094-1

Source: Packet Storm

==========================================================================
Ubuntu Security Notice USN-7094-1
November 08, 2024

qemu vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 24.10
  • Ubuntu 24.04 LTS
  • Ubuntu 22.04 LTS
  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in QEMU.

Software Description:

  • qemu: Machine emulator and virtualizer

Details:

It was discovered that QEMU incorrectly handled memory during certain VNC
operations. A remote attacker could possibly use this issue to cause QEMU
to consume resources, resulting in a denial of service. This issue only
affected Ubuntu 14.04 LTS. (CVE-2019-20382)

It was discovered that QEMU incorrectly handled certain memory copy
operations when loading ROM contents. If a user were tricked into running
an untrusted kernel image, a remote attacker could possibly use this issue
to run arbitrary code. This issue only affected Ubuntu 14.04 LTS.
(CVE-2020-13765)

Aviv Sasson discovered that QEMU incorrectly handled Slirp networking. A
remote attacker could use this issue to cause QEMU to crash, resulting in a
denial of service, or possibly execute arbitrary code. This issue only
affected Ubuntu 14.04 LTS. (CVE-2020-1983)

It was discovered that the SLiRP networking implementation of the QEMU
emulator did not properly manage memory under certain circumstances. An
attacker could use this to cause a heap-based buffer overflow or other
out-of-bounds access, which can lead to a denial of service (application
crash) or potentially execute arbitrary code. This issue only affected
Ubuntu 14.04 LTS. (CVE-2020-7039)

It was discovered that the SLiRP networking implementation of the QEMU
emulator misuses snprintf return values. An attacker could use this to
cause a denial of service (application crash) or potentially execute
arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2020-8608)

It was discovered that QEMU SLiRP networking incorrectly handled certain
udp packets. An attacker inside a guest could possibly use this issue to
leak sensitive information from the host. This issue only affected
Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2021-3592, CVE-2021-3594)

It was discovered that QEMU had a DMA reentrancy issue, leading to a
use-after-free vulnerability. An attacker could possibly use this issue
to cause a denial of service. This issue only affected Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-3019)

It was discovered that QEMU had a flaw in Virtio PCI Bindings, leading
to a triggerable crash via vhost_net_stop. An attacker inside a guest
could possibly use this issue to cause a denial of service. This issue
only affected Ubuntu 24.04 LTS and Ubuntu 24.10. (CVE-2024-4693)

It was discovered that QEMU incorrectly handled memory in virtio-sound,
leading to a heap-based buffer overflow. An attacker could possibly use
this issue to cause a denial of service or execute arbitrary code. This
issue only affected Ubuntu 24.04 LTS and Ubuntu 24.10. (CVE-2024-7730)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
qemu-system 1:9.0.2+ds-4ubuntu5.1
qemu-system-arm 1:9.0.2+ds-4ubuntu5.1
qemu-system-mips 1:9.0.2+ds-4ubuntu5.1
qemu-system-misc 1:9.0.2+ds-4ubuntu5.1
qemu-system-ppc 1:9.0.2+ds-4ubuntu5.1
qemu-system-s390x 1:9.0.2+ds-4ubuntu5.1
qemu-system-sparc 1:9.0.2+ds-4ubuntu5.1
qemu-system-x86 1:9.0.2+ds-4ubuntu5.1
qemu-system-x86-xen 1:9.0.2+ds-4ubuntu5.1
qemu-system-xen 1:9.0.2+ds-4ubuntu5.1

Ubuntu 24.04 LTS
qemu-system 1:8.2.2+ds-0ubuntu1.4
qemu-system-arm 1:8.2.2+ds-0ubuntu1.4
qemu-system-mips 1:8.2.2+ds-0ubuntu1.4
qemu-system-misc 1:8.2.2+ds-0ubuntu1.4
qemu-system-ppc 1:8.2.2+ds-0ubuntu1.4
qemu-system-s390x 1:8.2.2+ds-0ubuntu1.4
qemu-system-sparc 1:8.2.2+ds-0ubuntu1.4
qemu-system-x86 1:8.2.2+ds-0ubuntu1.4
qemu-system-x86-xen 1:8.2.2+ds-0ubuntu1.4
qemu-system-xen 1:8.2.2+ds-0ubuntu1.4

Ubuntu 22.04 LTS
qemu 1:6.2+dfsg-2ubuntu6.24
qemu-system 1:6.2+dfsg-2ubuntu6.24
qemu-system-arm 1:6.2+dfsg-2ubuntu6.24
qemu-system-mips 1:6.2+dfsg-2ubuntu6.24
qemu-system-misc 1:6.2+dfsg-2ubuntu6.24
qemu-system-ppc 1:6.2+dfsg-2ubuntu6.24
qemu-system-s390x 1:6.2+dfsg-2ubuntu6.24
qemu-system-sparc 1:6.2+dfsg-2ubuntu6.24
qemu-system-x86 1:6.2+dfsg-2ubuntu6.24
qemu-system-x86-microvm 1:6.2+dfsg-2ubuntu6.24
qemu-system-x86-xen 1:6.2+dfsg-2ubuntu6.24

Ubuntu 20.04 LTS
qemu 1:4.2-3ubuntu6.30
qemu-system 1:4.2-3ubuntu6.30
qemu-system-arm 1:4.2-3ubuntu6.30
qemu-system-mips 1:4.2-3ubuntu6.30
qemu-system-misc 1:4.2-3ubuntu6.30
qemu-system-ppc 1:4.2-3ubuntu6.30
qemu-system-s390x 1:4.2-3ubuntu6.30
qemu-system-sparc 1:4.2-3ubuntu6.30
qemu-system-x86 1:4.2-3ubuntu6.30
qemu-system-x86-microvm 1:4.2-3ubuntu6.30
qemu-system-x86-xen 1:4.2-3ubuntu6.30

Ubuntu 18.04 LTS
qemu 1:2.11+dfsg-1ubuntu7.42+esm2
Available with Ubuntu Pro
qemu-system 1:2.11+dfsg-1ubuntu7.42+esm2
Available with Ubuntu Pro
qemu-system-arm 1:2.11+dfsg-1ubuntu7.42+esm2
Available with Ubuntu Pro
qemu-system-mips 1:2.11+dfsg-1ubuntu7.42+esm2
Available with Ubuntu Pro
qemu-system-misc 1:2.11+dfsg-1ubuntu7.42+esm2
Available with Ubuntu Pro
qemu-system-ppc 1:2.11+dfsg-1ubuntu7.42+esm2
Available with Ubuntu Pro
qemu-system-s390x 1:2.11+dfsg-1ubuntu7.42+esm2
Available with Ubuntu Pro
qemu-system-sparc 1:2.11+dfsg-1ubuntu7.42+esm2
Available with Ubuntu Pro
qemu-system-x86 1:2.11+dfsg-1ubuntu7.42+esm2
Available with Ubuntu Pro

Ubuntu 16.04 LTS
qemu 1:2.5+dfsg-5ubuntu10.51+esm3
Available with Ubuntu Pro
qemu-system 1:2.5+dfsg-5ubuntu10.51+esm3
Available with Ubuntu Pro
qemu-system-aarch64 1:2.5+dfsg-5ubuntu10.51+esm3
Available with Ubuntu Pro
qemu-system-arm 1:2.5+dfsg-5ubuntu10.51+esm3
Available with Ubuntu Pro
qemu-system-common 1:2.5+dfsg-5ubuntu10.51+esm3
Available with Ubuntu Pro
qemu-system-mips 1:2.5+dfsg-5ubuntu10.51+esm3
Available with Ubuntu Pro
qemu-system-misc 1:2.5+dfsg-5ubuntu10.51+esm3
Available with Ubuntu Pro
qemu-system-ppc 1:2.5+dfsg-5ubuntu10.51+esm3
Available with Ubuntu Pro
qemu-system-s390x 1:2.5+dfsg-5ubuntu10.51+esm3
Available with Ubuntu Pro
qemu-system-sparc 1:2.5+dfsg-5ubuntu10.51+esm3
Available with Ubuntu Pro
qemu-system-x86 1:2.5+dfsg-5ubuntu10.51+esm3
Available with Ubuntu Pro

Ubuntu 14.04 LTS
qemu 2.0.0+dfsg-2ubuntu1.47+esm4
Available with Ubuntu Pro
qemu-system 2.0.0+dfsg-2ubuntu1.47+esm4
Available with Ubuntu Pro
qemu-system-aarch64 2.0.0+dfsg-2ubuntu1.47+esm4
Available with Ubuntu Pro
qemu-system-arm 2.0.0+dfsg-2ubuntu1.47+esm4
Available with Ubuntu Pro
qemu-system-common 2.0.0+dfsg-2ubuntu1.47+esm4
Available with Ubuntu Pro
qemu-system-mips 2.0.0+dfsg-2ubuntu1.47+esm4
Available with Ubuntu Pro
qemu-system-misc 2.0.0+dfsg-2ubuntu1.47+esm4
Available with Ubuntu Pro
qemu-system-ppc 2.0.0+dfsg-2ubuntu1.47+esm4
Available with Ubuntu Pro
qemu-system-sparc 2.0.0+dfsg-2ubuntu1.47+esm4
Available with Ubuntu Pro
qemu-system-x86 2.0.0+dfsg-2ubuntu1.47+esm4
Available with Ubuntu Pro

After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.
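The update step above comes down to one question per host: is every installed qemu / qemu-system* package at or past the fixed version for that release? The script below is an added example, not part of the Ubuntu notice or the qemu project. It re-implements dpkg's version ordering (epoch, upstream, Debian revision; `~` sorting before anything, including end of string) so the check can run on an inventory host that has no dpkg, and it reads the output of `dpkg-query -W -f '${Package} ${Version}\n' 'qemu*'`. The fixed-version table is copied from the notice; the dpkg output it parses is constructed sample data, including a deliberately lagging qemu-system-x86.

```python
"""Audit installed QEMU packages against the fixed versions in USN-7094-1.

Added example, not from the Ubuntu notice. The comparison mirrors dpkg's
verrevcmp() so it agrees with `dpkg --compare-versions` on real hosts.
"""

# Fixed qemu source-package versions per release, copied from the notice.
FIXED_QEMU_VERSIONS = {
    "24.10": "1:9.0.2+ds-4ubuntu5.1",
    "24.04": "1:8.2.2+ds-0ubuntu1.4",
    "22.04": "1:6.2+dfsg-2ubuntu6.24",
    "20.04": "1:4.2-3ubuntu6.30",
    "18.04": "1:2.11+dfsg-1ubuntu7.42+esm2",  # Ubuntu Pro
    "16.04": "1:2.5+dfsg-5ubuntu10.51+esm3",  # Ubuntu Pro
    "14.04": "2.0.0+dfsg-2ubuntu1.47+esm4",   # Ubuntu Pro; note: no epoch
}


def _at(s: str, k: int) -> str:
    """Character at index k, or '' past the end (stands in for C's NUL)."""
    return s[k] if k < len(s) else ""


def _order(c: str) -> int:
    """dpkg's weight for a non-digit character: '~' < end-of-string < letters < other."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a: str, b: str) -> int:
    """Compare one component (upstream or revision) like dpkg: alternate runs of
    non-digits (by _order) and digits (numerically, leading zeros ignored)."""
    i = j = 0
    while _at(a, i) or _at(b, j):
        first_diff = 0
        while (_at(a, i) and not _at(a, i).isdigit()) or (_at(b, j) and not _at(b, j).isdigit()):
            ac, bc = _order(_at(a, i)), _order(_at(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while _at(a, i) == "0":
            i += 1
        while _at(b, j) == "0":
            j += 1
        while _at(a, i).isdigit() and _at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _at(a, i).isdigit():   # a has more digits, so it is the larger number
            return 1
        if _at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def audit_dpkg_output(release: str, dpkg_output: str):
    """Classify each qemu / qemu-system* line of `dpkg-query -W` output as
    'fixed' or 'vulnerable' relative to the notice's version for `release`."""
    fixed = FIXED_QEMU_VERSIONS[release]
    findings = []
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        pkg, installed = line.split(None, 1)
        if pkg != "qemu" and not pkg.startswith("qemu-system"):
            continue  # other binaries from the source are not in the notice's table
        status = "fixed" if compare_versions(installed.strip(), fixed) >= 0 else "vulnerable"
        findings.append((pkg, installed.strip(), fixed, status))
    return findings


def vulnerable_packages(release: str, dpkg_output: str):
    """Names of the packages still below the fixed version."""
    return [p for p, _, _, s in audit_dpkg_output(release, dpkg_output) if s == "vulnerable"]


# Constructed sample: a 22.04 host where qemu-system-x86 is still one revision
# behind (e.g. held back) while the other binaries already carry the fix.
SAMPLE_DPKG_OUTPUT = """\
qemu-system 1:6.2+dfsg-2ubuntu6.24
qemu-system-arm 1:6.2+dfsg-2ubuntu6.24
qemu-system-x86 1:6.2+dfsg-2ubuntu6.23
qemu-utils 1:6.2+dfsg-2ubuntu6.23
"""

if __name__ == "__main__":
    for pkg, installed, fixed, status in audit_dpkg_output("22.04", SAMPLE_DPKG_OUTPUT):
        print(f"{pkg:18} {installed:30} fixed in {fixed}: {status}")
```

Two details of the ordering matter for this notice: the 14.04 version has no epoch while every other release carries `1:`, so a naive string compare would rank 2.0.0 above 1:9.0.2, and the `+esm2`/`+esm3` suffixes on the Pro builds sort after the plain revision because `+` weighs more than end-of-string. A package reported as fixed still leaves a vulnerable process behind until each QEMU virtual machine is restarted, as the notice states, so pair this check with a look at the start times of running qemu-system processes.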

References:
https://ubuntu.com/security/notices/USN-7094-1
CVE-2019-20382, CVE-2020-13765, CVE-2020-1983, CVE-2020-7039,
CVE-2020-8608, CVE-2021-3592, CVE-2021-3594, CVE-2023-3019,
CVE-2024-4693, CVE-2024-7730,
https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/2084210

Package Information:
https://launchpad.net/ubuntu/+source/qemu/1:9.0.2+ds-4ubuntu5.1
https://launchpad.net/ubuntu/+source/qemu/1:8.2.2+ds-0ubuntu1.4
https://launchpad.net/ubuntu/+source/qemu/1:6.2+dfsg-2ubuntu6.24
https://launchpad.net/ubuntu/+source/qemu/1:4.2-3ubuntu6.30

Related news

CVE-2023-3019: cve-details

A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.

RHSA-2021:4191: Red Hat Security Advisory: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update

An update for the virt:rhel and virt-devel:rhel modules is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-15859: QEMU: net: e1000e: use-after-free while sending packets * CVE-2021-3592: QEMU: slirp: invalid pointer initialization may lead to information disclosure (bootp) * CVE-2021-3593: QEMU: slirp: invalid pointer initialization may lead to information disclosure (udp6) * CVE-2021-3594: QEMU: slirp: invalid pointer initi...

CVE-2021-3592: Invalid Bug ID

An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the bootp_input() function and could occur while processing a udp packet that is smaller than the size of the 'bootp_t' structure. A malicious guest could use this flaw to leak 10 bytes of uninitialized heap memory from the host. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0.

CVE-2021-3594: Invalid Bug ID

An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0.

CVE-2020-13765

rom_copy() in hw/core/loader.c in QEMU 4.0 and 4.1.0 does not validate the relationship between two addresses, which allows attackers to trigger an invalid memory copy operation.

CVE-2019-20382: security - CVE-2019-20382 QEMU: vnc: memory leakage upon disconnect

QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc-zrle.c during a VNC disconnect operation because libz is misused, resulting in a situation where memory allocated in deflateInit2 is not freed in deflateEnd.