Описание
Security update for qemu
This update for qemu fixes the following issues:
-
bsc#1172033 (CVE-2020-13253)
-
bsc#1180207 (CVE-2020-14394)
-
bsc#1172382 (CVE-2020-13754)
-
bsc#1198038 (CVE-2022-0216)
-
bsc#1193880 (CVE-2021-3929)
-
bsc#1197653 (CVE-2022-1050)
-
bsc#1205808 (CVE-2022-4144), bsc#1198712 (CVE-2022-26354)
-
bsc#1175144 (CVE-2020-17380, CVE-2020-25085, CVE-2021-3409), bsc#1185000 (CVE-2021-3507), bsc#1201367, CVE-2022-35414
-
About bsc#1175144, see also bsc#1182282 (CVE-2021-3409)
-
bsc#1198035, CVE-2021-4206
Список пакетов
Image SLES12-SP5-EC2-ECS-On-Demand
SUSE Linux Enterprise Server 12 SP5
SUSE Linux Enterprise Server for SAP Applications 12 SP5
Ссылки
- Link for SUSE-SU-2023:0761-1
- E-Mail link for SUSE-SU-2023:0761-1
- SUSE Security Ratings
- SUSE Bug 1172033
- SUSE Bug 1172382
- SUSE Bug 1175144
- SUSE Bug 1180207
- SUSE Bug 1182282
- SUSE Bug 1185000
- SUSE Bug 1193880
- SUSE Bug 1197653
- SUSE Bug 1198035
- SUSE Bug 1198038
- SUSE Bug 1198712
- SUSE Bug 1201367
- SUSE Bug 1205808
- SUSE CVE CVE-2020-13253 page
- SUSE CVE CVE-2020-13754 page
- SUSE CVE CVE-2020-14394 page
- SUSE CVE CVE-2020-17380 page
Описание
sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process.
Затронутые продукты
Ссылки
- CVE-2020-13253
- SUSE Bug 1172033
Описание
hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation.
Затронутые продукты
Ссылки
- CVE-2020-13754
- SUSE Bug 1172382
Описание
An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process on the host, resulting in a denial of service.
Затронутые продукты
Ссылки
- CVE-2020-14394
- SUSE Bug 1180207
Описание
A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the QEMU process on the host.
Затронутые продукты
Ссылки
- CVE-2020-17380
- SUSE Bug 1175144
- SUSE Bug 1182282
Описание
QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c mishandles a write operation in the SDHC_BLKSIZE case.
Затронутые продукты
Ссылки
- CVE-2020-25085
- SUSE Bug 1176681
- SUSE Bug 1182282
Описание
The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of service or potential code execution. QEMU up to (including) 5.2.0 is affected by this.
Затронутые продукты
Ссылки
- CVE-2021-3409
- SUSE Bug 1182282
Описание
A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on the host resulting in DoS scenario, or potential information leakage from the host memory.
Затронутые продукты
Ссылки
- CVE-2021-3507
- SUSE Bug 1185000
Описание
A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host.
Затронутые продукты
Ссылки
- CVE-2021-3929
- SUSE Bug 1193880
Описание
A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc() function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.
Затронутые продукты
Ссылки
- CVE-2021-4206
- SUSE Bug 1198035
- SUSE Bug 1211582
Описание
A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service.
Затронутые продукты
Ссылки
- CVE-2022-0216
- SUSE Bug 1198038
Описание
A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition.
Затронутые продукты
Ссылки
- CVE-2022-1050
- SUSE Bug 1197653
Описание
A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= 6.2.0.
Затронутые продукты
Ссылки
- CVE-2022-26354
- SUSE Bug 1198712
Описание
** DISPUTED ** softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash. NOTE: a third party states that the Non-virtualization Use Case in the qemu.org reference applies here, i.e., "Bugs affecting the non-virtualization use case are not considered security bugs at this time."
Затронутые продукты
Ссылки
- CVE-2022-35414
- SUSE Bug 1201367
Описание
An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt() function does not check the size of the structure pointed to by the guest physical address, potentially reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to crash the QEMU process on the host causing a denial of service condition.
Затронутые продукты
Ссылки
- CVE-2022-4144
- SUSE Bug 1205808