Bug 807055 (CVE-2021-3682)

Summary: <app-emulation/qemu-6.1.0: code execution via malicious SPICE client (CVE-2021-3682)
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: ajak, sam, tamiko, virtualization, zlogene
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
URL: https://gitlab.com/qemu-project/qemu/-/issues/491
See Also: https://github.com/gentoo/gentoo/pull/23421
Whiteboard: B1 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 829504
Bug Blocks:

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-07 22:44:20 UTC
CVE-2021-3682 (https://bugzilla.redhat.com/show_bug.cgi?id=1989651):

A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host.

Unreleased patch: https://gitlab.com/qemu-project/qemu/-/commit/5e796671e6b8d5de4b0b423dce1b3eba144a92c9
Comment 1 Larry the Git Cow gentoo-dev 2021-12-20 06:42:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d4dbabb19b26f4203d67e25f78772c5bebf650ff

commit d4dbabb19b26f4203d67e25f78772c5bebf650ff
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2021-12-20 04:31:40 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2021-12-20 06:42:24 +0000

    app-emulation/qemu: drop 6.0.0-r4, 6.0.0-r54, 6.0.1-r1
    
    Bug: https://bugs.gentoo.org/807055
    Bug: https://bugs.gentoo.org/820743
    Closes: https://github.com/gentoo/gentoo/pull/23421
    Signed-off-by: John Helmert III <ajak@gentoo.org>
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-emulation/qemu/Manifest                        |   2 -
 .../qemu/files/qemu-5.2.0-cleaner-werror.patch     |  40 -
 .../qemu/files/qemu-5.2.0-dce-locks.patch          |  18 -
 app-emulation/qemu/files/qemu-5.2.0-strings.patch  |  23 -
 app-emulation/qemu/qemu-6.0.0-r4.ebuild            | 910 --------------------
 app-emulation/qemu/qemu-6.0.0-r54.ebuild           | 911 ---------------------
 app-emulation/qemu/qemu-6.0.1-r1.ebuild            | 911 ---------------------
 7 files changed, 2815 deletions(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 04:42:26 UTC
GLSA request filed
Comment 3 Larry the Git Cow gentoo-dev 2022-08-14 16:09:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=fd3b0a54cba850267bd5f7ed0ac9f66f91aa44ac

commit fd3b0a54cba850267bd5f7ed0ac9f66f91aa44ac
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 16:09:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 16:09:43 +0000

    [ GLSA 202208-27 ] QEMU: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/733448
    Bug: https://bugs.gentoo.org/736605
    Bug: https://bugs.gentoo.org/773220
    Bug: https://bugs.gentoo.org/775713
    Bug: https://bugs.gentoo.org/780816
    Bug: https://bugs.gentoo.org/792624
    Bug: https://bugs.gentoo.org/807055
    Bug: https://bugs.gentoo.org/810544
    Bug: https://bugs.gentoo.org/820743
    Bug: https://bugs.gentoo.org/835607
    Bug: https://bugs.gentoo.org/839762
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-27.xml | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 16:12:04 UTC
GLSA done, all done.