Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 775713 (CVE-2021-20263, CVE-2021-3409) - app-emulation/qemu: multiple vulnerabilities (CVE-2021-{3409,20263})
Summary: app-emulation/qemu: multiple vulnerabilities (CVE-2021-{3409,20263})
Alias: CVE-2021-20263, CVE-2021-3409
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: C1 [upstream]
Depends on:
Reported: 2021-03-13 04:49 UTC by John Helmert III
Modified: 2021-04-04 19:39 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-03-13 04:49:19 UTC
CVE-2021-3409 (

QEMU upstream commit [1] was supposed to fix CVE-2020-17380 and
CVE-2020-25085, both involving a heap buffer overflow in the SDHCI
controller emulation code. In fact, commit [1] turned out to be
incomplete, in that it was still possible to reproduce the same
issue(s) with specially crafted input, inducing a bogus transfer and
subsequent out-of-bounds read/write access in sdhci_do_adma() or

Old patch:

New patch series:

CVE-2021-20263 (

A flaw was found in the virtio-fs shared file system daemon
(virtiofsd) of QEMU. Virtio-fs is meant to share a host file system
directory with a guest virtual machine. The new 'xattrmap' option may
cause the 'security.capability' xattr in the guest to not drop on file
write, potentially leading to a modified, privileged executable in the
guest. In rare circumstances, this flaw could be used by a malicious
user to elevate their privileges within the guest.

Upstream patch:

Both patchsets seem to be unmerged.
Comment 1 Matthias Maier gentoo-dev 2021-04-04 19:39:11 UTC
Second patch is applied, first patch series not yet in upstream main git branch.