Description:
"An out-of-bounds read access issue was found in the SD Memory Card emulator of the QEMU. It occurs while performing block write commands via sdhci_write(), if a guest user has sent 'address' which is OOB of 's->wp_groups'. A guest user/process may use this flaw to crash the QEMU process resulting in DoS."

URL: https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg05877.html
URL: https://bugs.launchpad.net/qemu/+bug/1880822
* CVE-2020-13361

Description:
"In QEMU 4.2.0, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation."

URL: https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg03983.html

* CVE-2020-13362

Description:
"In QEMU 4.2.0, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user."

URL: https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg03131.html
URL: https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg06250.html

----

Note that the CVE text appears wrong, and Debian evaluated these as affecting 5.0.0 too.
* CVE-2020-13800

Description:
"An infinite recursion issue was found in the ati-vga emulator of the QEMU. It could occur in ati_mm_read/write routines while accessing VGA registers, for certain values of the 'mm_index' variable. A guest user/process may use this flaw to crash the QEMU process resulting in DoS scenario."

URL: https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00833.html

* CVE-2020-13791

Description:
"An out-of-bounds access issue was found in the ati-vga emulator of the QEMU. It could occur while reading PCI configuration bytes via ati_mm_read routine, if the address sent by a guest is towards an end of the PCI configuration space. A guest user/process may use this flaw to crash the QEMU process resulting in DoS scenario."

URL: https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00831.html
* CVE-2020-10761

Description:
"An assertion failure issue was found in the Network Block Device(NBD) Server in all QEMU versions before QEMU 5.0.1. This flaw occurs when an nbd-client sends a spec-compliant request that is near the boundary of maximum permitted request length. A remote nbd-client could use this flaw to crash the qemu-nbd server resulting in a denial of service."

URL: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10761
URL: https://www.openwall.com/lists/oss-security/2020/06/09/1
* CVE-2020-13754

Description:
"hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation."

* CVE-2020-13659

Description:
"address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer dereference related to BounceBuffer."
(In reply to Sam James from comment #0)
> Description:
> "An out-of-bounds read access issue was found in the SD Memory Card emulator
> of the QEMU. It occurs while performing block write commands via
> sdhci_write(), if a guest user has sent 'address' which is OOB of
> 's->wp_groups'. A guest user/process may use this flaw to crash the QEMU
> process resulting in DoS."
>
> URL: https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg05877.html
> URL: https://bugs.launchpad.net/qemu/+bug/1880822

This is CVE-2020-13253.

Patches:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=3a9163af4e3dd61795a35d47b702e302f98f81d6
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=790762e5487114341cccc5bffcec4cb3c022c3cd

(In reply to Sam James from comment #1)
> * CVE-2020-13361
>
> Description:
> "In QEMU 4.2.0, es1370_transfer_audio in hw/audio/es1370.c does not properly
> validate the frame count, which allows guest OS users to trigger an
> out-of-bounds access during an es1370_write() operation."
>
> URL: https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg03983.html

Patch:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=369ff955a8497988d079c4e3fa1e93c2570c1c69

> * CVE-2020-13362
>
> Description:
> "In QEMU 4.2.0, megasas_lookup_frame in hw/scsi/megasas.c has an
> out-of-bounds read via a crafted reply_queue_head field from a guest OS
> user."
>
> URL: https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg03131.html
> URL: https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg06250.html

Patches:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=f50ab86a2620bd7e8507af865b164655ee921661
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=fd6918556736ecce8b10acd581ba134ffb62d9f9
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=2b151297e44655e45c18f57ae0232780ee4ad45a

(In reply to Sam James from comment #2)
> * CVE-2020-13800
>
> Description:
> "An infinite recursion issue was found in the ati-vga emulator of the QEMU.
> It could occur in ati_mm_read/write routines while accessing VGA registers,
> for certain values of the 'mm_index' variable. A guest user/process may use
> this flaw to crash the QEMU process resulting in DoS scenario."
>
> URL: https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00833.html

Patch:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=a98610c429d52db0937c1e48659428929835c455

> * CVE-2020-13791
>
> Description:
> "An out-of-bounds access issue was found in the ati-vga emulator of the
> QEMU. It could occur while reading PCI configuration bytes via ati_mm_read
> routine, if the address sent by a guest is towards an end of the PCI
> configuration space. A guest user/process may use this flaw to crash the
> QEMU process resulting in DoS scenario."
>
> URL: https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00831.html

This *appears* to be the patch, someone else should check me to be safe:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=f7d6a635fa3b7797f9d072e280f065bf3cfcd24d

(In reply to Sam James from comment #3)
> * CVE-2020-10761
>
> Description:
> "An assertion failure issue was found in the Network Block Device(NBD)
> Server in all QEMU versions before QEMU 5.0.1. This flaw occurs when an
> nbd-client sends a spec-compliant request that is near the boundary of
> maximum permitted request length. A remote nbd-client could use this flaw to
> crash the qemu-nbd server resulting in a denial of service."
>
> URL: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10761
> URL: https://www.openwall.com/lists/oss-security/2020/06/09/1

Patch:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=5c4fe018c025740fef4a0a4421e8162db0c3eefd

(In reply to Sam James from comment #4)
> * CVE-2020-13754
>
> Description:
> "hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an
> out-of-bounds access via a crafted address in an msi-x mmio operation."

Patch:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=5d971f9e672507210e77d020d89e0e89165c8fc9

> * CVE-2020-13659
>
> Description:
> "address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer
> dereference related to BounceBuffer."

Patch:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=77f55eac6c433e23e82a1b88b2d74f385c4c7d82

All in 5.1.0.
Maintainers, let's stable 5.1.0 when ready?
Please cleanup.
This issue was resolved and addressed in GLSA 202011-09 at https://security.gentoo.org/glsa/202011-09 by GLSA coordinator Sam James (sam_c).