Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 775713 (CVE-2021-20263, CVE-2021-3409) - app-emulation/qemu: multiple vulnerabilities (CVE-2021-{3409,20263})
Summary: app-emulation/qemu: multiple vulnerabilities (CVE-2021-{3409,20263})
Status: CONFIRMED
Alias: CVE-2021-20263, CVE-2021-3409
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: C1 [upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-03-13 04:49 UTC by John Helmert III
Modified: 2021-04-04 19:39 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-03-13 04:49:19 UTC
CVE-2021-3409 (https://www.openwall.com/lists/oss-security/2021/03/09/1):

QEMU upstream commit [1] was supposed to fix CVE-2020-17380 and
CVE-2020-25085, both involving a heap buffer overflow in the SDHCI
controller emulation code. In fact, commit [1] turned out to be
incomplete, in that it was still possible to reproduce the same
issue(s) with specially crafted input, inducing a bogus transfer and
subsequent out-of-bounds read/write access in sdhci_do_adma() or
sdhci_sdma_transfer_multi_blocks().

Old patch:
[1] https://git.qemu.org/?p=qemu.git;a=commit;h=dfba99f17feb6d4a129da19d38df1bcd8579d1c3

New patch series:
https://lists.nongnu.org/archive/html/qemu-devel/2021-03/msg00949.html

CVE-2021-20263 (https://www.openwall.com/lists/oss-security/2021/03/08/1):

A flaw was found in the virtio-fs shared file system daemon
(virtiofsd) of QEMU. Virtio-fs is meant to share a host file system
directory with a guest virtual machine. The new 'xattrmap' option may
cause the 'security.capability' xattr in the guest to not drop on file
write, potentially leading to a modified, privileged executable in the
guest. In rare circumstances, this flaw could be used by a malicious
user to elevate their privileges within the guest.

Upstream patch:
https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg01244.html


Both patchsets seem to be unmerged.
Comment 1 Matthias Maier gentoo-dev 2021-04-04 19:39:11 UTC
Second patch is applied, first patch series not yet in upstream main git branch.