An out-of-bounds access issue was found in the Tulip NIC emulator built into QEMU. It could occur while copying network data to/from its tx/rx frame buffers, as it does not check frame size against the data length. A remote user/process could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code with the privileges of the QEMU process on the host.

Upstream Patch:
https://git.qemu.org/?p=qemu.git;a=commit;h=8ffb7265af64ec81748335ec8f20e7ab542c3850

References:
https://www.openwall.com/lists/oss-security/2020/04/06/1
https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg08322.html
https://nvd.nist.gov/vuln/detail/CVE-2020-11102
https://vulmon.com/vulnerabilitydetails?qid=CVE-2020-11102
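The missing check described in the report above, shown as an added example: this is a simplified model written for this page, not QEMU's Tulip code or the upstream patch. The names `nic_model`, `tx_append_unchecked`, `tx_append_checked`, `append_two` and the 2048-byte buffer size are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_BUF_SIZE 2048u            /* assumed buffer size for this model */

struct nic_model {                      /* hypothetical, not QEMU's device state */
    uint8_t  tx_frame[FRAME_BUF_SIZE];
    uint32_t tx_frame_len;              /* bytes already queued */
};

/* Flawed pattern: len comes from a guest-written descriptor and is never
 * compared with the space left in tx_frame. Kept for contrast, never called. */
void tx_append_unchecked(struct nic_model *s, const uint8_t *src, uint32_t len)
{
    memcpy(s->tx_frame + s->tx_frame_len, src, len);
    s->tx_frame_len += len;
}

/* Hardened pattern: drop the segment unless it fits. The subtraction form
 * cannot wrap, unlike testing tx_frame_len + len. Returns 0 or -1. */
int tx_append_checked(struct nic_model *s, const uint8_t *src, uint32_t len)
{
    if (s->tx_frame_len > FRAME_BUF_SIZE ||
        len > FRAME_BUF_SIZE - s->tx_frame_len) {
        return -1;
    }
    memcpy(s->tx_frame + s->tx_frame_len, src, len);
    s->tx_frame_len += len;
    return 0;
}

/* Queue two segments with constructed lengths; return the second result. */
int append_two(uint32_t first, uint32_t second)
{
    static const uint8_t payload[FRAME_BUF_SIZE];   /* constructed zero data */
    struct nic_model nic = { .tx_frame_len = 0 };

    if (tx_append_checked(&nic, payload, first) != 0) {
        return -1;
    }
    return tx_append_checked(&nic, payload, second);
}

int main(void)
{
    printf("1500+500  -> %d\n", append_two(1500, 500));
    printf("1500+549  -> %d\n", append_two(1500, 549));
    printf("1+2^32-1  -> %d\n", append_two(1, UINT32_MAX));
    return 0;
}
```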
Thanks for this, I saw it and had it open to report. Not sure what happened there... @maintainer(s), please create an appropriate ebuild.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5ba2de3e653a5476467ef25d3389118f49d3f9ac

commit 5ba2de3e653a5476467ef25d3389118f49d3f9ac
Author: Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2020-04-08 18:50:34 +0000
Commit: Matthias Maier <tamiko@gentoo.org>
CommitDate: 2020-04-08 18:51:16 +0000

    app-emulation/qemu: fix buffer overflow, CVE-2020-11102

    Bug: https://bugs.gentoo.org/716518
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 .../qemu/files/qemu-4.2.0-CVE-2020-11102.patch | 144 ++++
 app-emulation/qemu/qemu-4.2.0-r3.ebuild | 835 +++++++++++++++++++++
 2 files changed, 979 insertions(+)
This is an automatic message. @maintainer(s): I'm getting test-failure(s) (that were already reported) on amd64. If you want the package to pass my CI environment and get stabilized, please carry out the necessary operations to make sure that src_test() won't fail. Thanks.
Unable to check for sanity:

> no match for package: app-emulation/qemu-4.2.0-r3
This issue was resolved and addressed in GLSA 202005-02 at https://security.gentoo.org/glsa/202005-02 by GLSA coordinator Thomas Deutschmann (whissi).