743649 – <app-emulation/qemu-5.1.0-r1: Out of bounds read/write in USB emulation (CVE-2020-14364)

Bug 743649 - <app-emulation/qemu-5.1.0-r1: Out of bounds read/write in USB emulation (CVE-2020-14364)

Summary: <app-emulation/qemu-5.1.0-r1: Out of bounds read/write in USB emulation (CVE-...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal critical
Assignee:	Gentoo Security

URL:	https://www.openwall.com/lists/oss-se...
Whiteboard:	A1 [glsa++]
Keywords:

Depends on:
Blocks:

Reported:	2020-09-20 02:34 UTC by John Helmert III
Modified:	2020-11-11 03:50 UTC (History)
CC List:	3 users (show)

See Also:
Package list:	app-emulation/qemu-5.1.0-r2
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2020-09-20 02:34:56 UTC

From $URL:

An out-of-bounds read/write access issue was found in the USB emulator of the 
QEMU. It occurs while processing USB packets from a guest, when 
'USBDevice->setup_len' exceeds the USBDevice->data_buf[4096], in 
do_token_{in,out} routines.

A guest user may use this flaw to crash the QEMU process resulting in DoS OR 
potentially execute arbitrary code with the privileges of the QEMU process on 
the host.



Patch: https://www.openwall.com/lists/oss-security/2020/08/24/3/1

Comment 1 Sergei Trofimovich (RETIRED) gentoo-dev

2020-09-20 08:15:27 UTC

Upstream commit: https://gitlab.com/qemu-project/qemu/-/commit/b946434f2659a182afc17e155be6791ebfb302eb

Comment 2 Larry the Git Cow gentoo-dev

2020-09-20 08:23:29 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bf5b7df71d5fa17a248529f6e8180098c1adc667

commit bf5b7df71d5fa17a248529f6e8180098c1adc667
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-09-20 08:22:57 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-09-20 08:23:26 +0000

    app-emulation/qemu: backport USB oob access (CVE-2020-14364)
    
    Reported-by: John Helmert III (ajak)
    Bug: https://bugs.gentoo.org/743649
    Package-Manager: Portage-3.0.7, Repoman-3.0.1
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 .../files/qemu-5.1.0-usb-oob-CVE-2020-14364.patch  |  90 +++
 app-emulation/qemu/qemu-5.1.0-r1.ebuild            | 846 +++++++++++++++++++++
 2 files changed, 936 insertions(+)

Comment 3 John Helmert III archtester

2020-09-20 15:50:21 UTC

Thanks. Please stable when ready.

Comment 4 Sam James archtester

2020-09-25 20:50:50 UTC

(In reply to John Helmert III (ajak) from comment #3)
> Thanks. Please stable when ready.

Ready?

Comment 5 Sam James archtester

2020-09-30 22:18:49 UTC

arm64 done

Comment 6 Sam James archtester

2020-10-02 00:15:02 UTC

amd64 done

Comment 7 Agostino Sarubbo gentoo-dev

2020-10-07 07:10:45 UTC

x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Comment 8 NATTkA bot gentoo-dev

2020-11-07 01:21:00 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: app-emulation/qemu-5.1.0-r1

Comment 9 Sam James archtester

2020-11-07 02:00:28 UTC

(In reply to Agostino Sarubbo from comment #7)
> x86 stable.
> 
> Maintainer(s), please cleanup.
> Security, please add it to the existing request, or file a new one.

Done in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=09d8b2d015074015e7c732b8119bacf18283fe95.

Comment 10 GLSAMaker/CVETool Bot gentoo-dev

2020-11-11 03:50:02 UTC

This issue was resolved and addressed in
 GLSA 202011-09 at https://security.gentoo.org/glsa/202011-09
by GLSA coordinator Sam James (sam_c).

Comment 11 GLSAMaker/CVETool Bot gentoo-dev

2020-11-11 03:50:25 UTC

This issue was resolved and addressed in
 GLSA 202011-09 at https://security.gentoo.org/glsa/202011-09
by GLSA coordinator Sam James (sam_c).