Bug 743649 - <app-emulation/qemu-5.1.0-r1: Out of bounds read/write in USB emulation (CVE-2020-14364)
Summary: <app-emulation/qemu-5.1.0-r1: Out of bounds read/write in USB emulation (CVE-...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: A1 [glsa++]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-09-20 02:34 UTC by John Helmert III
Modified: 2020-11-11 03:50 UTC
CC: 3 users

See Also:
Package list:
app-emulation/qemu-5.1.0-r2
Runtime testing required: ---
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-20 02:34:56 UTC
From $URL:

An out-of-bounds read/write access issue was found in the USB emulator of
QEMU. It occurs while processing USB packets from a guest, when
'USBDevice->setup_len' exceeds the USBDevice->data_buf[4096], in
do_token_{in,out} routines.

A guest user may use this flaw to crash the QEMU process resulting in DoS OR 
potentially execute arbitrary code with the privileges of the QEMU process on 
the host.
Patch: https://www.openwall.com/lists/oss-security/2020/08/24/3/1
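As an added illustration (not code from the advisory, from QEMU or from the Gentoo backport), the defensive pattern the description points at, modelled in C: the guest-supplied setup length is validated against the fixed 4096-byte staging buffer before any token handler indexes it, and each OUT copy is bounded by the remaining length. The type and function names (model_usb_device, model_handle_setup, model_token_out, model_transfer) are hypothetical simplifications, not QEMU's.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical, simplified model (not QEMU's real USBDevice): a device with
 * a guest-controlled transfer length and a fixed 4096-byte staging buffer. */
#define DATA_BUF_SIZE 4096
typedef struct {
    size_t  setup_len;               /* length requested by the SETUP packet */
    size_t  setup_index;             /* bytes transferred so far */
    uint8_t data_buf[DATA_BUF_SIZE]; /* fixed-size staging buffer */
} model_usb_device;
enum { MODEL_OK = 0, MODEL_STALL = -1 };

/* SETUP: validate the guest-supplied wLength against the buffer *before*
 * storing it, so later token handlers can never index past data_buf. */
int model_handle_setup(model_usb_device *dev, uint16_t wlength)
{
    dev->setup_index = 0;
    if (wlength > sizeof(dev->data_buf)) {
        dev->setup_len = 0;          /* never keep an unsafe length around */
        return MODEL_STALL;
    }
    dev->setup_len = wlength;
    return MODEL_OK;
}

/* OUT token: copy `len` guest bytes into the staging buffer, bounded by
 * both the buffer size and the remaining setup_len. */
int model_token_out(model_usb_device *dev, const uint8_t *p, size_t len)
{
    if (dev->setup_len > sizeof(dev->data_buf) ||
        dev->setup_index > dev->setup_len ||
        len > dev->setup_len - dev->setup_index)
        return MODEL_STALL;
    memcpy(dev->data_buf + dev->setup_index, p, len);
    dev->setup_index += len;
    return MODEL_OK;
}

/* Constructed exchange: SETUP with `wlength`, then one OUT token of `chunk` bytes. */
int model_transfer(uint16_t wlength, size_t chunk)
{
    static uint8_t payload[2 * DATA_BUF_SIZE]; /* constructed guest data */
    model_usb_device dev;
    memset(&dev, 0, sizeof dev);
    if (chunk > sizeof payload || model_handle_setup(&dev, wlength) != MODEL_OK)
        return MODEL_STALL;
    return model_token_out(&dev, payload, chunk);
}
```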
Comment 1 Sergei Trofimovich (RETIRED) gentoo-dev 2020-09-20 08:15:27 UTC
Upstream commit: https://gitlab.com/qemu-project/qemu/-/commit/b946434f2659a182afc17e155be6791ebfb302eb
Comment 2 Larry the Git Cow gentoo-dev 2020-09-20 08:23:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bf5b7df71d5fa17a248529f6e8180098c1adc667

commit bf5b7df71d5fa17a248529f6e8180098c1adc667
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-09-20 08:22:57 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-09-20 08:23:26 +0000

    app-emulation/qemu: backport USB oob access (CVE-2020-14364)
    
    Reported-by: John Helmert III (ajak)
    Bug: https://bugs.gentoo.org/743649
    Package-Manager: Portage-3.0.7, Repoman-3.0.1
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 .../files/qemu-5.1.0-usb-oob-CVE-2020-14364.patch  |  90 +++
 app-emulation/qemu/qemu-5.1.0-r1.ebuild            | 846 +++++++++++++++++++++
 2 files changed, 936 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-20 15:50:21 UTC
Thanks. Please stable when ready.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-25 20:50:50 UTC
(In reply to John Helmert III (ajak) from comment #3)
> Thanks. Please stable when ready.

Ready?
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-30 22:18:49 UTC
arm64 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-02 00:15:02 UTC
amd64 done
Comment 7 Agostino Sarubbo gentoo-dev 2020-10-07 07:10:45 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 8 NATTkA bot gentoo-dev 2020-11-07 01:21:00 UTC Comment hidden (obsolete)
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-07 02:00:28 UTC
(In reply to Agostino Sarubbo from comment #7)
> x86 stable.
> 
> Maintainer(s), please cleanup.
> Security, please add it to the existing request, or file a new one.

Done in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=09d8b2d015074015e7c732b8119bacf18283fe95.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2020-11-11 03:50:02 UTC
This issue was resolved and addressed in
 GLSA 202011-09 at https://security.gentoo.org/glsa/202011-09
by GLSA coordinator Sam James (sam_c).
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2020-11-11 03:50:25 UTC
This issue was resolved and addressed in
 GLSA 202011-09 at https://security.gentoo.org/glsa/202011-09
by GLSA coordinator Sam James (sam_c).