Description
Security update for kvm
This update for kvm fixes the following issues:
- Fix OOB read and write due to integer overflow in sm501_2d_operation() in hw/display/sm501.c (CVE-2020-12829, bsc#1172385)
- Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362, bsc#1172383)
- Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)
- Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)
- Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)
- Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)
- Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)
- Fix DoS in e1000 emulated device (CVE-2021-20257, bsc#1182577)
- Fix OOB access in SLIRP ARP packet processing (CVE-2020-29130, bsc#1179467)
- Fix OOB access while processing USB packets (CVE-2020-14364, bsc#1175441)
- Fix potential privilege escalation in virtfs (CVE-2021-20181, bsc#1182137)
- Fix package scripts to not use hard-coded paths for temporary working directories and log files (bsc#1182425)
- Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361, bsc#1172384)
- Fix OOB access in ROM loading (CVE-2020-13765, bsc#1172478)
Package List
SUSE Linux Enterprise Server 11 SP4-LTSS
References
- Link for SUSE-SU-2021:14704-1
- E-Mail link for SUSE-SU-2021:14704-1
- SUSE Security Ratings
- SUSE Bug 1172383
- SUSE Bug 1172384
- SUSE Bug 1172385
- SUSE Bug 1172478
- SUSE Bug 1175441
- SUSE Bug 1176673
- SUSE Bug 1176682
- SUSE Bug 1176684
- SUSE Bug 1178934
- SUSE Bug 1179467
- SUSE Bug 1181108
- SUSE Bug 1182137
- SUSE Bug 1182425
- SUSE Bug 1182577
- SUSE CVE CVE-2014-3689 page
- SUSE CVE CVE-2015-1779 page
- SUSE CVE CVE-2020-12829 page
Description
The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows local guest users to write to qemu memory locations and gain privileges via unspecified parameters related to rectangle handling.
Affected Products
References
- CVE-2014-3689
- SUSE Bug 1072223
- SUSE Bug 1189862
- SUSE Bug 901508
- SUSE Bug 962611
Description
The VNC websocket frame decoder in QEMU allows remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section.
Affected Products
References
- CVE-2015-1779
- SUSE Bug 924018
- SUSE Bug 962632
Description
In QEMU through 5.0.0, an integer overflow was found in the SM501 display driver implementation. This flaw occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write() callback. A local attacker could abuse this flaw to crash the QEMU process in sm501_2d_operation() in hw/display/sm501.c on the host, resulting in a denial of service.
Affected Products
References
- CVE-2020-12829
- SUSE Bug 1172385
Description
In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation.
Affected Products
References
- CVE-2020-13361
- SUSE Bug 1172384
Description
In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user.
Affected Products
References
- CVE-2020-13362
- SUSE Bug 1172383
Description
rom_copy() in hw/core/loader.c in QEMU 4.0 and 4.1.0 does not validate the relationship between two addresses, which allows attackers to trigger an invalid memory copy operation.
Affected Products
References
- CVE-2020-13765
- SUSE Bug 1172478
Description
An out-of-bounds read/write access flaw was found in the USB emulator of QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when the USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in and do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or potentially to execute arbitrary code with the privileges of the QEMU process on the host.
Affected Products
References
- CVE-2020-14364
- SUSE Bug 1175441
- SUSE Bug 1175534
- SUSE Bug 1176494
- SUSE Bug 1177130
Description
QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked.
Affected Products
References
- CVE-2020-25084
- SUSE Bug 1176673
Description
hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host controller driver.
Affected Products
References
- CVE-2020-25624
- SUSE Bug 1176682
Description
hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop.
Affected Products
References
- CVE-2020-25625
- SUSE Bug 1176684
Description
A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host, resulting in a denial of service.
Affected Products
References
- CVE-2020-25723
- SUSE Bug 1178934
- SUSE Bug 1178935
Description
slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.
Affected Products
References
- CVE-2020-29130
- SUSE Bug 1178658
- SUSE Bug 1179467
- SUSE Bug 1179477
Description
ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated.
Affected Products
References
- CVE-2020-29443
- SUSE Bug 1181108
Description
A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability.
Affected Products
References
- CVE-2021-20181
- SUSE Bug 1182137
Description
An infinite loop flaw was found in the e1000 NIC emulator of QEMU. This issue occurs while processing transmit (tx) descriptors in process_tx_desc if various descriptor fields are initialized with invalid values. This flaw allows a guest to consume CPU cycles on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Affected Products
References
- CVE-2021-20257
- SUSE Bug 1182577
- SUSE Bug 1182846