
Bug 738040 (CVE-2020-14364, XSA-335)

Summary: <app-emulation/xen-4.13.1-r3: Out of bounds read/write in USB emulation (CVE-2020-14364)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: ajak, hydrapolic, mgorny, proxy-maint, xen
Priority: Normal
Flags: nattka: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/17384
https://bugs.gentoo.org/show_bug.cgi?id=744202
Whiteboard: B1 [glsa+]
Package list:
app-emulation/xen-4.13.1-r3 amd64 app-emulation/xen-pvgrub-4.13.1 app-emulation/xen-tools-4.13.1-r3
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 694800    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-19 19:02:19 UTC
ISSUE DESCRIPTION
=================

An out-of-bounds read/write access issue was found in the USB emulator
of the QEMU. It occurs while processing USB packets from a guest, when
'USBDevice->setup_len' exceeds the USBDevice->data_buf[4096], in
do_token_{in,out} routines.

IMPACT
======

A guest user may use this flaw to crash the QEMU process resulting in
DoS OR potentially execute arbitrary code with the privileges of the
QEMU process on the host.

VULNERABLE SYSTEMS
==================

The Xen security team are still analysing the extent of the vulnerable
systems.  An update will be sent out when we are more certain.

It is currently believed to be any x86 HVM guest, with any version of
qemu-upstream or qemu-traditional.

MITIGATION
==========

No mitigation is available.
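
Added example, not part of the bug report and not QEMU or Xen code: a simplified C model of the bounds check the issue description implies, where a guest-supplied length is validated against the 4096-byte `data_buf` before it is stored and again before each copy. The struct and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DATA_BUF_SIZE 4096  /* size quoted in the advisory */

/* Simplified model of the device state; hypothetical, not QEMU's struct. */
struct usb_dev_model {
    uint8_t data_buf[DATA_BUF_SIZE];
    size_t  setup_len;    /* transfer length requested by the guest */
    size_t  setup_index;  /* bytes already transferred */
};

/* Validate the guest-supplied length before it is stored.
 * Returns 0 on success, -1 with the state untouched on rejection. */
int model_set_setup_len(struct usb_dev_model *d, size_t guest_len)
{
    if (guest_len > sizeof(d->data_buf))
        return -1;
    d->setup_len = guest_len;
    d->setup_index = 0;
    return 0;
}

/* Data-stage copy out of data_buf. Re-checks the stored state so an
 * out-of-range setup_len can never drive the copy past the buffer.
 * Returns bytes copied, or -1 if the state is inconsistent. */
long model_token_in(struct usb_dev_model *d, uint8_t *out, size_t want)
{
    if (d->setup_len > sizeof(d->data_buf) || d->setup_index > d->setup_len)
        return -1;
    size_t remaining = d->setup_len - d->setup_index;
    size_t n = want < remaining ? want : remaining;
    memcpy(out, d->data_buf + d->setup_index, n);
    d->setup_index += n;
    return (long)n;
}

int main(void)
{
    static struct usb_dev_model d;  /* zero-initialised */
    uint8_t out[64];
    /* Constructed inputs: one oversized length, one valid length. */
    if (model_set_setup_len(&d, DATA_BUF_SIZE + 1) != -1) return 1;
    if (model_set_setup_len(&d, 100) != 0) return 1;
    return model_token_in(&d, out, sizeof out) == 64 ? 0 : 1;
}
```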
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-02 03:05:26 UTC
ping
Comment 2 Larry the Git Cow gentoo-dev 2020-09-12 18:39:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8e9934490fa854d278ff7f97d5308aeeb30b391

commit c8e9934490fa854d278ff7f97d5308aeeb30b391
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2020-09-02 10:56:35 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-09-12 18:32:15 +0000

    app-emulation/xen-tools: add upstream and security patches
    
    Bug: https://bugs.gentoo.org/738040
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-emulation/xen-tools/Manifest                   |   5 +-
 app-emulation/xen-tools/xen-tools-4.12.3-r3.ebuild | 501 +++++++++++++++++++++
 ...4.13.1-r2.ebuild => xen-tools-4.13.1-r3.ebuild} |   7 +-
 ...ls-4.14.0.ebuild => xen-tools-4.14.0-r1.ebuild} |   7 +-
 4 files changed, 513 insertions(+), 7 deletions(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-12 21:16:22 UTC
Please stable 4.12.3-r3 when ready.
Comment 4 NATTkA bot gentoo-dev 2020-09-13 00:04:56 UTC
Unable to check for sanity:

> dependent bug #735214 has errors
Comment 5 Tomáš Mózes 2020-09-13 04:42:28 UTC
Let's stabilize 4.13 instead.
Comment 6 NATTkA bot gentoo-dev 2020-09-13 04:45:02 UTC
All sanity-check issues have been resolved
Comment 7 Tomáš Mózes 2020-09-13 04:45:50 UTC
*** Bug 735214 has been marked as a duplicate of this bug. ***
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2020-09-15 17:23:17 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-09-18 15:05:30 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 10 Larry the Git Cow gentoo-dev 2020-09-19 08:04:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5ea55353ef99ee903abf4d9594553b0662f6ad8

commit b5ea55353ef99ee903abf4d9594553b0662f6ad8
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-09-19 07:27:49 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-09-19 08:04:34 +0000

    app-emulation/xen: Remove old
    
    Bug: https://bugs.gentoo.org/738040
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-emulation/xen/Manifest             |   3 -
 app-emulation/xen/xen-4.12.3-r2.ebuild | 165 ---------------------------------
 app-emulation/xen/xen-4.12.3-r3.ebuild | 165 ---------------------------------
 3 files changed, 333 deletions(-)
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2020-09-29 18:12:53 UTC
This issue was resolved and addressed in
 GLSA 202009-14 at https://security.gentoo.org/glsa/202009-14
by GLSA coordinator Sam James (sam_c).