[SECURITY] [DLA 2288-1] qemu security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- -----------------------------------------------------------------------
Debian LTS Advisory DLA-2288-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Utkarsh Gupta
July 25, 2020 https://wiki.debian.org/LTS
- -----------------------------------------------------------------------
Package : qemu
Version : 1:2.8+dfsg-6+deb9u10
CVE ID : CVE-2017-9503 CVE-2019-12068 CVE-2019-20382
CVE-2020-1983 CVE-2020-8608 CVE-2020-10756
CVE-2020-13361 CVE-2020-13362 CVE-2020-13659
CVE-2020-13754 CVE-2020-13765 CVE-2020-15863
Debian Bug : 865754 961887 961888 964793
The following CVE(s) were reported against src:qemu:
CVE-2017-9503
QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2
Host Bus Adapter emulation support, allows local guest OS
privileged users to cause a denial of service (NULL pointer
dereference and QEMU process crash) via vectors involving megasas
command processing.
CVE-2019-12068
In QEMU 1:4.1-1 (1:2.8+dfsg-6+deb9u8), when executing script in
lsi_execute_script(), the LSI scsi adapter emulator advances
's->dsp' index to read next opcode. This can lead to an infinite
loop if the next opcode is empty. Move the existing loop exit
after 10k iterations so that it covers no-op opcodes as well.
CVE-2019-20382
QEMU 4.1.0 has a memory leak in zrle_compress_data in
ui/vnc-enc-zrle.c during a VNC disconnect operation because libz
is misused, resulting in a situation where memory allocated in
deflateInit2 is not freed in deflateEnd.
CVE-2020-1983
A use after free vulnerability in ip_reass() in ip_input.c of
libslirp 4.2.0 and prior releases allows crafted packets to cause
a denial of service.
CVE-2020-8608
In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses
snprintf return values, leading to a buffer overflow in later
code.
CVE-2020-10756
An out-of-bounds read vulnerability was found in the SLiRP
networking implementation of the QEMU emulator. This flaw occurs
in the icmp6_send_echoreply() routine while replying to an ICMP
echo request, also known as ping. This flaw allows a malicious
guest to leak the contents of the host memory, resulting in
possible information disclosure. This flaw affects versions of
libslirp before 4.3.1.
CVE-2020-13361
In QEMU 5.0.0 and earlier, es1370_transfer_audio in
hw/audio/es1370.c does not properly validate the frame count,
which allows guest OS users to trigger an out-of-bounds access
during an es1370_write() operation.
CVE-2020-13362
In QEMU 5.0.0 and earlier, megasas_lookup_frame in
hw/scsi/megasas.c has an out-of-bounds read via a crafted
reply_queue_head field from a guest OS user.
CVE-2020-13659
address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL
pointer dereference related to BounceBuffer.
CVE-2020-13754
hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger
an out-of-bounds access via a crafted address in an msi-x mmio
operation.
CVE-2020-13765
rom_copy() in hw/core/loader.c in QEMU 4.1.0 does not validate
the relationship between two addresses, which allows attackers
to trigger an invalid memory copy operation.
CVE-2020-15863
Stack-based overflow in xgmac_enet_send() in hw/net/xgmac.c.
For Debian 9 stretch, these problems have been fixed in version
1:2.8+dfsg-6+deb9u10.
We recommend that you upgrade your qemu packages.
For the detailed security status of qemu please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/qemu
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Best,
Utkarsh
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAl8dbjoACgkQgj6WdgbD
S5b6nA//d6GQMouWOSCQ1juZ6Ej71f8ILXLirILUi9dQ6HyJfnCEus0sZGvG/F5k
200hsZfT5LLp7zZcMdCnYtyEjKC+fwaroX+g73gcRVlsxQfsyeipUMOvvFUE6zhP
cx4KgnYhhYHwLLuyVL4FXdI2o7aWGBeurN2mw1WVTLf+vNvgbz/33mDqMRzBybhZ
PRnSjYeqlInjG75Sxo5rEgHW2cQltGyG0pJ1xwOC0chg5932kDy9YirTHQtRfFCe
P3WDe3jgP6EdPlDh1y+iEAM+nkKAuURnl3IV5EC0V3xxPQLIhchEOhDluDM0fJry
xoH7REXCdRvxsUaCaBZLeTz/9t4q7mvsSZoDD1g2ZPKe0Giyw+gfSsKMb7HqUhDi
RK7rnJABUvxIHgYfH1hOBuBeRy7ExLrXM79FUVbVyU7vfE/BCMlsi+AVtT/GhMc+
zfIrm3zVBUdW45u/MSwpBW/qzoAkfJLr1ddfAkDpYPcbC4Ru/bRiPwrJHVSQf7fJ
Jh/Gm28KoeYm1yANEiZuW9SiSgd+LJXGMRzMTEjoCTFrRJrtP9XJuEZGqAFGQ9C4
+4ehusq+C3Zi7ngRJi9Wcx2mg0y2ojGHXTZS83SZ1WZ4reu3ub1ezQhvPh4hYdcB
Dza4xIu2m7xUi8AshEqleI5pTmXI0rIjh3KY4p8f/X4yCm2jYeo=
=3RkF
-----END PGP SIGNATURE-----
Reply to: