Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 775713 (CVE-2021-20263, CVE-2021-3409) - <app-emulation/qemu-6.0.0: multiple vulnerabilities (CVE-2021-{3409,20263})
Summary: <app-emulation/qemu-6.0.0: multiple vulnerabilities (CVE-2021-{3409,20263})
Alias: CVE-2021-20263, CVE-2021-3409
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: C1 [glsa+]
Depends on: CVE-2020-35504, CVE-2020-35505, CVE-2020-35506
  Show dependency tree
Reported: 2021-03-13 04:49 UTC by John Helmert III
Modified: 2022-08-14 16:11 UTC (History)
6 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-13 04:49:19 UTC
CVE-2021-3409 (

QEMU upstream commit [1] was supposed to fix CVE-2020-17380 and
CVE-2020-25085, both involving a heap buffer overflow in the SDHCI
controller emulation code. In fact, commit [1] turned out to be
incomplete, in that it was still possible to reproduce the same
issue(s) with specially crafted input, inducing a bogus transfer and
subsequent out-of-bounds read/write access in sdhci_do_adma() or

Old patch:

New patch series:

CVE-2021-20263 (

A flaw was found in the virtio-fs shared file system daemon
(virtiofsd) of QEMU. Virtio-fs is meant to share a host file system
directory with a guest virtual machine. The new 'xattrmap' option may
cause the 'security.capability' xattr in the guest to not drop on file
write, potentially leading to a modified, privileged executable in the
guest. In rare circumstances, this flaw could be used by a malicious
user to elevate their privileges within the guest.

Upstream patch:

Both patchsets seem to be unmerged.
Comment 1 Matthias Maier gentoo-dev 2021-04-04 19:39:11 UTC
Second patch is applied, first patch series not yet in upstream main git branch.
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:23:41 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:32:06 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:39:59 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:48:10 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:04:06 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 18:12:24 UTC
Package list is empty or all packages have requested keywords.
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-17 19:24:59 UTC
Everything seems to be in 6.0.0
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 04:42:24 UTC
GLSA request filed
Comment 10 Larry the Git Cow gentoo-dev 2022-08-14 16:09:50 UTC
The bug has been referenced in the following commit(s):

commit fd3b0a54cba850267bd5f7ed0ac9f66f91aa44ac
Author:     GLSAMaker <>
AuthorDate: 2022-08-14 16:09:07 +0000
Commit:     Sam James <>
CommitDate: 2022-08-14 16:09:43 +0000

    [ GLSA 202208-27 ] QEMU: Multiple Vulnerabilities
    Signed-off-by: GLSAMaker <>
    Signed-off-by: Sam James <>

 glsa-202208-27.xml | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 16:11:36 UTC
GLSA done, all done.