Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 775713 (CVE-2021-20263, CVE-2021-3409)

Summary: <app-emulation/qemu-6.0.0: multiple vulnerabilities (CVE-2021-{3409,20263})
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: ajak, jaak, sam, tamiko, virtualization, zlogene
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: C1 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 792624    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-13 04:49:19 UTC 
CVE-2021-3409 (https://www.openwall.com/lists/oss-security/2021/03/09/1):

QEMU upstream commit [1] was supposed to fix CVE-2020-17380 and
CVE-2020-25085, both involving a heap buffer overflow in the SDHCI
controller emulation code. In fact, commit [1] turned out to be
incomplete, in that it was still possible to reproduce the same
issue(s) with specially crafted input, inducing a bogus transfer and
subsequent out-of-bounds read/write access in sdhci_do_adma() or
sdhci_sdma_transfer_multi_blocks().

Old patch:
[1] https://git.qemu.org/?p=qemu.git;a=commit;h=dfba99f17feb6d4a129da19d38df1bcd8579d1c3

New patch series:
https://lists.nongnu.org/archive/html/qemu-devel/2021-03/msg00949.html

CVE-2021-20263 (https://www.openwall.com/lists/oss-security/2021/03/08/1):

A flaw was found in the virtio-fs shared file system daemon
(virtiofsd) of QEMU. Virtio-fs is meant to share a host file system
directory with a guest virtual machine. The new 'xattrmap' option may
cause the 'security.capability' xattr in the guest to not drop on file
write, potentially leading to a modified, privileged executable in the
guest. In rare circumstances, this flaw could be used by a malicious
user to elevate their privileges within the guest.

Upstream patch:
https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg01244.html


Both patchsets seem to be unmerged.
Comment 1 Matthias Maier gentoo-dev 2021-04-04 19:39:11 UTC 
Second patch is applied, first patch series not yet in upstream main git branch.
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:23:41 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:32:06 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:39:59 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:48:10 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:04:06 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 18:12:24 UTC 
Package list is empty or all packages have requested keywords.
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-17 19:24:59 UTC 
Everything seems to be in 6.0.0
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 04:42:24 UTC 
GLSA request filed
Comment 10 Larry the Git Cow gentoo-dev 2022-08-14 16:09:50 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=fd3b0a54cba850267bd5f7ed0ac9f66f91aa44ac

commit fd3b0a54cba850267bd5f7ed0ac9f66f91aa44ac
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 16:09:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 16:09:43 +0000

    [ GLSA 202208-27 ] QEMU: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/733448
    Bug: https://bugs.gentoo.org/736605
    Bug: https://bugs.gentoo.org/773220
    Bug: https://bugs.gentoo.org/775713
    Bug: https://bugs.gentoo.org/780816
    Bug: https://bugs.gentoo.org/792624
    Bug: https://bugs.gentoo.org/807055
    Bug: https://bugs.gentoo.org/810544
    Bug: https://bugs.gentoo.org/820743
    Bug: https://bugs.gentoo.org/835607
    Bug: https://bugs.gentoo.org/839762
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-27.xml | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 16:11:36 UTC 
GLSA done, all done.