Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 835607 (CVE-2022-26353, CVE-2022-26354)

Summary: <app-emulation/qemu-7.0.0: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: ajak, sam, tamiko, virtualization, zlogene
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [glsa+]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-19 03:56:16 UTC
CVE-2022-26353 (https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg02438.html):

A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and other unexpected results. Affected QEMU version: 6.2.0.

CVE-2022-26354 (https://gitlab.com/qemu-project/qemu/-/commit/8d1b247f3748ac4078524130c6d7ae42b6140aaf):

A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= 6.2.0.

Fixed in 7.0.0-rc0.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-30 02:51:07 UTC
CVE-2022-1050 (https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html):

Guest driver might execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition.

The referenced patch doesn't seem to be upstreamed.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-20 15:31:32 UTC
(In reply to John Helmert III from comment #0)
> CVE-2022-26353
> (https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg02438.html):
> 
> A flaw was found in the virtio-net device of QEMU. This flaw was
> inadvertently introduced with the fix for CVE-2021-3748, which forgot to
> unmap the cached virtqueue elements on error, leading to memory leakage and
> other unexpected results. Affected QEMU version: 6.2.0.

Also in 7.0.0.

> CVE-2022-26354
> (https://gitlab.com/qemu-project/qemu/-/commit/
> 8d1b247f3748ac4078524130c6d7ae42b6140aaf):
> 
> A flaw was found in the vhost-vsock device of QEMU. In case of error, an
> invalid element was not detached from the virtqueue before freeing its
> memory, leading to memory leakage and other unexpected results. Affected
> QEMU versions <= 6.2.0.
> 
> Fixed in 7.0.0-rc0.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 03:05:06 UTC
(In reply to John Helmert III from comment #1)
> CVE-2022-1050
> (https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html):
> 
> Guest driver might execute HW commands when shared buffers are not yet
> allocated, potentially leading to a use-after-free condition.
> 
> The referenced patch doesn't seem to be upstreamed.

Popping this one out of this bug so we can proceed with the other issues here.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 04:42:29 UTC
GLSA request filed
Comment 5 Larry the Git Cow gentoo-dev 2022-08-14 16:10:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=fd3b0a54cba850267bd5f7ed0ac9f66f91aa44ac

commit fd3b0a54cba850267bd5f7ed0ac9f66f91aa44ac
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 16:09:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 16:09:43 +0000

    [ GLSA 202208-27 ] QEMU: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/733448
    Bug: https://bugs.gentoo.org/736605
    Bug: https://bugs.gentoo.org/773220
    Bug: https://bugs.gentoo.org/775713
    Bug: https://bugs.gentoo.org/780816
    Bug: https://bugs.gentoo.org/792624
    Bug: https://bugs.gentoo.org/807055
    Bug: https://bugs.gentoo.org/810544
    Bug: https://bugs.gentoo.org/820743
    Bug: https://bugs.gentoo.org/835607
    Bug: https://bugs.gentoo.org/839762
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-27.xml | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 16:12:31 UTC
GLSA done, all done.