CVE-2020-10756: An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known as ping. This flaw allows a malicious guest to leak the contents of the host memory, resulting in possible information disclosure. This flaw affects versions of libslirp before 4.3.1.
Maintainer, please advise if we are vulnerable.
libslirp upstream fix is https://gitlab.freedesktop.org/slirp/libslirp/-/commit/c7ede54cbd2e2b25385325600958ba0124e31cc0 in src/ip6_input.c. app-emulation/qemu-5.0.0 has no fix yet.
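As an added example (not code from libslirp, QEMU or the Gentoo patch linked above), a standalone C sketch of the kind of bounds check a fix in ip6_input.c would add, as I read it: the Payload Length field of the IPv6 header is validated against the number of bytes that actually arrived before an echo reply is built from it, so a forged length cannot make the reply path read past the receive buffer. The header layout is standard IPv6; the function and constant names and the 48-byte sample packet are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define IP6_HDR_LEN 40            /* fixed IPv6 header size */
#define IP6_NH_ICMP6 58
#define ICMP6_ECHO_REQUEST 128
#define ICMP6_ECHO_REPLY 129

enum ip6_verdict { IP6_OK = 0, IP6_TOO_SHORT, IP6_PAYLOAD_EXCEEDS_BUFFER, IP6_NOT_ECHO };

/* Check that the Payload Length the sender wrote into the header fits inside the
 * bytes that actually arrived. Reply code that trusts the field and copies that
 * many bytes would otherwise read past the receive buffer, i.e. host memory. */
enum ip6_verdict ip6_check(const uint8_t *pkt, size_t received, size_t *plen_out)
{
    if (received < IP6_HDR_LEN)
        return IP6_TOO_SHORT;
    size_t declared = ((size_t)pkt[4] << 8) | pkt[5];       /* network byte order */
    if (declared > received - IP6_HDR_LEN)
        return IP6_PAYLOAD_EXCEEDS_BUFFER;
    if (pkt[6] != IP6_NH_ICMP6 || declared < 8 || pkt[IP6_HDR_LEN] != ICMP6_ECHO_REQUEST)
        return IP6_NOT_ECHO;
    *plen_out = declared;
    return IP6_OK;
}

/* Build an echo reply only from a validated packet; returns bytes written, 0 if
 * rejected. Checksum recomputation is left out as it is beside the point here. */
size_t build_echo_reply(const uint8_t *pkt, size_t received, uint8_t *out, size_t out_cap)
{
    size_t plen;
    if (ip6_check(pkt, received, &plen) != IP6_OK || IP6_HDR_LEN + plen > out_cap)
        return 0;
    memcpy(out, pkt, IP6_HDR_LEN + plen);    /* header + exactly the validated payload */
    memcpy(out + 8, pkt + 24, 16);           /* swap source and destination addresses */
    memcpy(out + 24, pkt + 8, 16);
    out[IP6_HDR_LEN] = ICMP6_ECHO_REPLY;
    return IP6_HDR_LEN + plen;
}

/* Constructed sample: 48 received bytes holding an 8-byte echo request, with a
 * caller-chosen Payload Length so a forged oversize value can be exercised. */
void make_sample(uint8_t buf[48], uint16_t declared_len)
{
    memset(buf, 0, 48);
    buf[0] = 0x60;  buf[6] = IP6_NH_ICMP6;  buf[7] = 64;  /* version 6, ICMPv6, hop limit */
    buf[4] = (uint8_t)(declared_len >> 8);  buf[5] = (uint8_t)declared_len;
    buf[23] = 1;  buf[39] = 2;                            /* ::1 -> ::2, placeholder addresses */
    buf[40] = ICMP6_ECHO_REQUEST;
}
```

With an honest Payload Length of 8 the reply is 48 bytes; with the field forged to 1000 while only 48 bytes arrived, ip6_check rejects the packet and no reply is built.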
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=55bb42729114274069f2c4d46cfbf7317c58c0f9

commit 55bb42729114274069f2c4d46cfbf7317c58c0f9
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-07-09 22:55:34 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-07-09 22:55:34 +0000

    app-emulation/qemu: backport slirp ipv6 fix: CVE-2020-10756

    Reported-by: John Helmert III (ajak)
    Bug: https://bugs.gentoo.org/731992
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 .../qemu-5.0.0-ipv6-slirp-CVE-2020-10756.patch |  35 +
 app-emulation/qemu/qemu-5.0.0-r1.ebuild        | 838 +++++++++++++++++++++
 2 files changed, 873 insertions(+)
Thanks, please proceed with stabilization when ready.
We can stabilize =app-emulation/qemu-5.0.0-r1
Did anyone bump the qemu-9999 package, which has the same vuln?
amd64 stable
x86 stable. Maintainer(s), please clean up. Security, please vote.