Bug 738040 (CVE-2020-14364, XSA-335) - <app-emulation/xen-4.13.1-r3: Out of bounds read/write in USB emulation (CVE-2020-14364)
Summary: <app-emulation/xen-4.13.1-r3: Out of bounds read/write in USB emulation (CVE-...
Alias: CVE-2020-14364, XSA-335
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
Whiteboard: B1 [glsa+]
Duplicates: 735214
Depends on:
Blocks: py3-tracker, python-3-incompatible
Reported: 2020-08-19 19:02 UTC by Sam James
Modified: 2020-09-29 18:12 UTC (History)
CC List: 5 users

See Also:
Package list:
app-emulation/xen-4.13.1-r3 amd64 app-emulation/xen-pvgrub-4.13.1 app-emulation/xen-tools-4.13.1-r3
Runtime testing required: ---
nattka: sanity-check+


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-19 19:02:19 UTC

An out-of-bounds read/write access issue was found in the USB emulator
of QEMU. It occurs while processing USB packets from a guest, when
'USBDevice->setup_len' exceeds USBDevice->data_buf[4096], in the
do_token_{in,out} routines.


A guest user may use this flaw to crash the QEMU process resulting in
DoS OR potentially execute arbitrary code with the privileges of the
QEMU process on the host.


The Xen security team are still analysing the extent of the vulnerable
systems.  An update will be sent out when we are more certain.

It is currently believed to be any x86 HVM guest, with any version of
qemu-upstream or qemu-traditional.


No mitigation is available.
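A minimal C model of the flaw described in the report above, added here as an illustration; it is not code from QEMU, Xen or this bug. The struct, the function names `setup_vulnerable`, `setup_hardened`, `token_in_len` and `run_sequence`, and the packet bytes are constructed stand-ins chosen to mirror the description (a guest-controlled `setup_len` measured against `data_buf[4096]`, consumed by the IN-token path). The vulnerable variant stores the guest-supplied wLength into device state before checking it against the buffer, so a rejected SETUP leaves an oversized length behind for the next IN token; the hardened variant validates into a local and commits only on success, which is the shape of fix a reviewer would ask for.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the emulated USB device state; field names
 * mirror the report, the layout is not QEMU's. */
#define DATA_BUF_SIZE 4096
enum { SETUP_STATE_IDLE, SETUP_STATE_DATA };

typedef struct {
    uint8_t setup_buf[8];          /* 8-byte control SETUP packet from guest */
    uint8_t data_buf[DATA_BUF_SIZE];
    int     setup_len;             /* wLength as accepted by the emulator */
    int     setup_index;
    int     setup_state;
} usb_dev_t;

/* Vulnerable shape: wLength is written into device state before it is
 * compared with sizeof(data_buf). The STALL is returned, but the stale,
 * oversized setup_len survives for the next IN/OUT token. */
static int setup_vulnerable(usb_dev_t *d, const uint8_t *pkt)
{
    memcpy(d->setup_buf, pkt, 8);
    d->setup_index = 0;
    d->setup_len = (pkt[7] << 8) | pkt[6];
    if (d->setup_len > (int)sizeof(d->data_buf))
        return -1;                 /* STALL, but setup_len already poisoned */
    d->setup_state = SETUP_STATE_DATA;
    return 0;
}

/* Hardened shape: validate the guest value in a local first and only then
 * commit it, so a rejected SETUP leaves device state untouched. */
static int setup_hardened(usb_dev_t *d, const uint8_t *pkt)
{
    unsigned int len = (pkt[7] << 8) | pkt[6];
    memcpy(d->setup_buf, pkt, 8);
    d->setup_index = 0;
    if (len > sizeof(d->data_buf))
        return -1;                 /* STALL; setup_len unchanged */
    d->setup_len = (int)len;
    d->setup_state = SETUP_STATE_DATA;
    return 0;
}

/* Bytes an IN token would copy out of data_buf in the current state.
 * Any value above DATA_BUF_SIZE is an out-of-bounds read of the host. */
static int token_in_len(const usb_dev_t *d, int packet_size)
{
    if (d->setup_state != SETUP_STATE_DATA)
        return 0;
    int len = d->setup_len - d->setup_index;
    return len > packet_size ? packet_size : len;
}

/* Guest sequence: one valid control transfer, then a SETUP with
 * wLength = 0xFFFF (rejected by both variants), then an IN token.
 * Returns how many bytes that IN token would read from data_buf. */
static int run_sequence(int (*setup)(usb_dev_t *, const uint8_t *))
{
    usb_dev_t d = {0};
    /* constructed packets: IN GET_DESCRIPTOR with wLength 0x0040,
     * then the same request with wLength 0xFFFF */
    const uint8_t good[8] = {0x80, 0x06, 0x00, 0x01, 0x00, 0x00, 0x40, 0x00};
    const uint8_t evil[8] = {0x80, 0x06, 0x00, 0x01, 0x00, 0x00, 0xFF, 0xFF};

    setup(&d, good);               /* state becomes SETUP_STATE_DATA */
    setup(&d, evil);               /* both variants return -1 (STALL) here */
    return token_in_len(&d, 0x10000); /* host offers a large packet */
}

int main(void)
{
    printf("vulnerable IN length: %d (buffer is %d)\n",
           run_sequence(setup_vulnerable), DATA_BUF_SIZE);
    printf("hardened   IN length: %d (buffer is %d)\n",
           run_sequence(setup_hardened), DATA_BUF_SIZE);
    return 0;
}
```

The point of the model is the ordering: the bounds check itself is present in both variants, but only the hardened one keeps the unchecked value out of the state that `do_token_in`/`do_token_out` later trust. With the vulnerable ordering the rejected SETUP leaves `setup_len = 0xFFFF` and the following IN token reads well past the 4096-byte buffer; with the hardened ordering the earlier, valid length of 64 bytes is all the guest can still read.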
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-02 03:05:26 UTC
Comment 2 Larry the Git Cow gentoo-dev 2020-09-12 18:39:12 UTC
The bug has been referenced in the following commit(s):

commit c8e9934490fa854d278ff7f97d5308aeeb30b391
Author:     Tomáš Mózes <>
AuthorDate: 2020-09-02 10:56:35 +0000
Commit:     Thomas Deutschmann <>
CommitDate: 2020-09-12 18:32:15 +0000

    app-emulation/xen-tools: add upstream and security patches
    Signed-off-by: Tomáš Mózes <>
    Signed-off-by: Thomas Deutschmann <>

 app-emulation/xen-tools/Manifest                   |   5 +-
 app-emulation/xen-tools/xen-tools-4.12.3-r3.ebuild | 501 +++++++++++++++++++++
 ...4.13.1-r2.ebuild => xen-tools-4.13.1-r3.ebuild} |   7 +-
 ... => xen-tools-4.14.0-r1.ebuild} |   7 +-
 4 files changed, 513 insertions(+), 7 deletions(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-12 21:16:22 UTC
Please stable 4.12.3-r3 when ready.
Comment 4 NATTkA bot gentoo-dev 2020-09-13 00:04:56 UTC
Unable to check for sanity:

> dependent bug #735214 has errors
Comment 5 Tomáš Mózes 2020-09-13 04:42:28 UTC
Let's stabilize 4.13 instead.
Comment 6 NATTkA bot gentoo-dev 2020-09-13 04:45:02 UTC
All sanity-check issues have been resolved
Comment 7 Tomáš Mózes 2020-09-13 04:45:50 UTC
*** Bug 735214 has been marked as a duplicate of this bug. ***
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2020-09-15 17:23:17 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-09-18 15:05:30 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 10 Larry the Git Cow gentoo-dev 2020-09-19 08:04:48 UTC
The bug has been referenced in the following commit(s):

commit b5ea55353ef99ee903abf4d9594553b0662f6ad8
Author:     Michał Górny <>
AuthorDate: 2020-09-19 07:27:49 +0000
Commit:     Michał Górny <>
CommitDate: 2020-09-19 08:04:34 +0000

    app-emulation/xen: Remove old
    Signed-off-by: Michał Górny <>

 app-emulation/xen/Manifest             |   3 -
 app-emulation/xen/xen-4.12.3-r2.ebuild | 165 ---------------------------------
 app-emulation/xen/xen-4.12.3-r3.ebuild | 165 ---------------------------------
 3 files changed, 333 deletions(-)
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2020-09-29 18:12:53 UTC
This issue was resolved and addressed in
 GLSA 202009-14 at
by GLSA coordinator Sam James (sam_c).