DLA-3362-1

Source: https://storage.googleapis.com/debian-osv/dla-osv/DLA-3362-1.json
Aliases:
Published: 2023-03-14T00:00:00Z
Modified: 2023-03-14T22:36:44.195759Z
Details

Multiple security issues were discovered in QEMU, a fast processor emulator, which could result in denial of service, information leak, or potentially the execution of arbitrary code.

  • CVE-2020-14394 An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) ring. This flaw allows a privileged guest user to hang the QEMU process on the host, resulting in a denial of service.
  • CVE-2020-17380/CVE-2021-3409 A heap-based buffer overflow was found in QEMU in the SDHCI device emulation support. It could occur while doing a multi-block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code with the privileges of the QEMU process on the host.
  • CVE-2020-29130 slirp.c has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.
  • CVE-2021-3592 An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the bootp_input() function and could occur while processing a UDP packet that is smaller than the size of the bootp_t structure. A malicious guest could use this flaw to leak 10 bytes of uninitialized heap memory from the host.
  • CVE-2021-3593 An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp6_input() function and could occur while processing a UDP packet that is smaller than the size of the udphdr structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest.
  • CVE-2021-3594 An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp_input() function and could occur while processing a UDP packet that is smaller than the size of the udphdr structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest.
  • CVE-2021-3595 An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the tftp_input() function and could occur while processing a UDP packet that is smaller than the size of the tftp_t structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest.
  • CVE-2022-0216 A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout() function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service.
  • CVE-2022-1050 A flaw was found in the QEMU implementation of VMware's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition. Note: PVRDMA is disabled in buster, but this was fixed preventively in case this changes in the future.

For Debian 10 buster, these problems have been fixed in version 1:3.1+dfsg-8+deb10u10.

We recommend that you upgrade your qemu packages.

For the detailed security status of qemu, please refer to its security tracker page at: https://security-tracker.debian.org/tracker/qemu

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Affected packages

Debian:10 / qemu

Affected ranges

Type: ECOSYSTEM
Events:
  Introduced: 0
  Fixed: 1:3.1+dfsg-8+deb10u10

Affected versions

1:3.*

1:3.1+dfsg-8
1:3.1+dfsg-8+deb10u2
1:3.1+dfsg-8+deb10u3
1:3.1+dfsg-8+deb10u4
1:3.1+dfsg-8+deb10u5
1:3.1+dfsg-8+deb10u6
1:3.1+dfsg-8+deb10u7
1:3.1+dfsg-8+deb10u8
1:3.1+dfsg-8+deb10u9
1:3.1+dfsg-8~deb10u1
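The affected range above is only meaningful under Debian's version ordering (a `~` suffix sorts before the bare version, so 1:3.1+dfsg-8~deb10u1 is older than 1:3.1+dfsg-8, while `+deb10uN` sorts after it). The following added example, which is not part of the advisory or of any OSV tooling, ports dpkg's comparison rules to Python and evaluates the advisory's introduced/fixed events against an installed version; the `events` list format follows the OSV record's `events` entries (assumed to be in ascending order, as OSV requires), and DLA_3362_1_EVENTS is transcribed from the range on this page.

```python
import re

def _order(c: str) -> int:
    # dpkg lexical weight: '~' < end of string / digit (0) < letters < other symbols.
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    # Port of dpkg's verrevcmp(): alternate a lexical pass over non-digit runs
    # with a numeric pass over digit runs (leading zeros are ignored).
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return (ac > bc) - (ac < bc)
            i, j = i + 1, j + 1
        da = re.match(r"[0-9]*", a[i:]).group()
        db = re.match(r"[0-9]*", b[j:]).group()
        i, j = i + len(da), j + len(db)
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return (na > nb) - (na < nb)
    return 0

def _split(v: str):
    # [epoch:]upstream[-revision]: epoch before the first ':', revision after the last '-'.
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:
    # -1, 0 or 1, ordered like `dpkg --compare-versions`.
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def is_affected(installed: str, events) -> bool:
    # Walk the OSV events (ascending, as the format requires); the last event
    # at or below the installed version decides, and "0" means every version.
    affected = False
    for ev in events:
        if "introduced" in ev and (ev["introduced"] == "0" or compare_versions(installed, ev["introduced"]) >= 0):
            affected = True
        elif "fixed" in ev and compare_versions(installed, ev["fixed"]) >= 0:
            affected = False
    return affected

# The range from this advisory's OSV record (Debian:10 / qemu).
DLA_3362_1_EVENTS = [{"introduced": "0"}, {"fixed": "1:3.1+dfsg-8+deb10u10"}]
```

Feed `is_affected()` the output of `dpkg-query -W -f '${Version}' qemu` (or the version from a package inventory) to decide whether a buster host still needs this update.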