Описание
Security update for qemu
This update for qemu fixes the following issues:
- Fix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)
- Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383)
- Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)
- Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)
- Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)
- Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)
- Fix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174)
- Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)
- Fix null pointer deref. (DoS) in mmio ops (CVE-2020-15469, bsc#1173612)
- Fix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577)
- Fix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968)
- Fix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416)
- Fix OOB access in SLIRP ARP packet processing (CVE-2020-29130, bsc#1179467)
- Fix null pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386
- Fix OOB access in iscsi (CVE-2020-11947 bsc#1180523)
- Fix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)
- Fix buffer overflow in the XGMAC device (CVE-2020-15863 bsc#1174386)
- Fix DoS in packet processing of various emulated NICs (CVE-2020-16092 bsc#1174641)
- Fix OOB access while processing USB packets (CVE-2020-14364 bsc#1175441)
- Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425)
- Fix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137)
- Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384)
- Fix OOB access in ROM loading (CVE-2020-13765 bsc#1172478)
Список пакетов
SUSE Linux Enterprise Server 12 SP2-BCL
Ссылки
- Link for SUSE-SU-2021:1305-1
- E-Mail link for SUSE-SU-2021:1305-1
- SUSE Security Ratings
- SUSE Bug 1172383
- SUSE Bug 1172384
- SUSE Bug 1172385
- SUSE Bug 1172386
- SUSE Bug 1172478
- SUSE Bug 1173612
- SUSE Bug 1174386
- SUSE Bug 1174641
- SUSE Bug 1175441
- SUSE Bug 1176673
- SUSE Bug 1176682
- SUSE Bug 1176684
- SUSE Bug 1178174
- SUSE Bug 1178934
- SUSE Bug 1179467
- SUSE Bug 1180523
- SUSE Bug 1181108
Описание
iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buffer over-read that may disclose unrelated information from process memory to an attacker.
Затронутые продукты
Ссылки
- CVE-2020-11947
- SUSE Bug 1180523
Описание
In QEMU through 5.0.0, an integer overflow was found in the SM501 display driver implementation. This flaw occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write() callback. A local attacker could abuse this flaw to crash the QEMU process in sm501_2d_operation() in hw/display/sm501.c on the host, resulting in a denial of service.
Затронутые продукты
Ссылки
- CVE-2020-12829
- SUSE Bug 1172385
Описание
In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation.
Затронутые продукты
Ссылки
- CVE-2020-13361
- SUSE Bug 1172384
Описание
In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user.
Затронутые продукты
Ссылки
- CVE-2020-13362
- SUSE Bug 1172383
Описание
address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer dereference related to BounceBuffer.
Затронутые продукты
Ссылки
- CVE-2020-13659
- SUSE Bug 1172386
Описание
rom_copy() in hw/core/loader.c in QEMU 4.0 and 4.1.0 does not validate the relationship between two addresses, which allows attackers to trigger an invalid memory copy operation.
Затронутые продукты
Ссылки
- CVE-2020-13765
- SUSE Bug 1172478
Описание
An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host.
Затронутые продукты
Ссылки
- CVE-2020-14364
- SUSE Bug 1175441
- SUSE Bug 1175534
- SUSE Bug 1176494
- SUSE Bug 1177130
Описание
In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.
Затронутые продукты
Ссылки
- CVE-2020-15469
- SUSE Bug 1173612
Описание
hw/net/xgmac.c in the XGMAC Ethernet controller in QEMU before 07-20-2020 has a buffer overflow. This occurs during packet transmission and affects the highbank and midway emulated machines. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service or potential privileged code execution. This was fixed in commit 5519724a13664b43e225ca05351c60b4468e4555.
Затронутые продукты
Ссылки
- CVE-2020-15863
- SUSE Bug 1174386
Описание
In QEMU through 5.0.0, an assertion failure can occur in the network packet processing. This issue affects the e1000e and vmxnet3 network devices. A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service condition in net_tx_pkt_add_raw_fragment in hw/net/net_tx_pkt.c.
Затронутые продукты
Ссылки
- CVE-2020-16092
- SUSE Bug 1174641
Описание
QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked.
Затронутые продукты
Ссылки
- CVE-2020-25084
- SUSE Bug 1176673
Описание
hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host controller driver.
Затронутые продукты
Ссылки
- CVE-2020-25624
- SUSE Bug 1176682
Описание
hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop.
Затронутые продукты
Ссылки
- CVE-2020-25625
- SUSE Bug 1176684
Описание
A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host, resulting in a denial of service.
Затронутые продукты
Ссылки
- CVE-2020-25723
- SUSE Bug 1178934
- SUSE Bug 1178935
Описание
eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest can crash the QEMU process via packet data that lacks a valid Layer 3 protocol.
Затронутые продукты
Ссылки
- CVE-2020-27617
- SUSE Bug 1178174
Описание
slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.
Затронутые продукты
Ссылки
- CVE-2020-29130
- SUSE Bug 1178658
- SUSE Bug 1179467
- SUSE Bug 1179477
Описание
ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated.
Затронутые продукты
Ссылки
- CVE-2020-29443
- SUSE Bug 1181108
Описание
A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability.
Затронутые продукты
Ссылки
- CVE-2021-20181
- SUSE Bug 1182137
Описание
An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.
Затронутые продукты
Ссылки
- CVE-2021-20203
- SUSE Bug 1181639
Описание
An infinite loop flaw was found in the e1000 NIC emulator of the QEMU. This issue occurs while processing transmits (tx) descriptors in process_tx_desc if various descriptor fields are initialized with invalid values. This flaw allows a guest to consume CPU cycles on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Затронутые продукты
Ссылки
- CVE-2021-20257
- SUSE Bug 1182577
- SUSE Bug 1182846
Описание
A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host resulting in DoS scenario.
Затронутые продукты
Ссылки
- CVE-2021-3416
- SUSE Bug 1182968
- SUSE Bug 1186473