Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 725634 (CVE-2020-10761, CVE-2020-13253, CVE-2020-13361, CVE-2020-13362, CVE-2020-13659, CVE-2020-13754, CVE-2020-13791, CVE-2020-13800) - <app-emulation/qemu-5.1.0: Multiple vulnerabilities (CVE-2020-{10761,13253,13361,13362,13754,13791,13800})
Summary: <app-emulation/qemu-5.1.0: Multiple vulnerabilities (CVE-2020-{10761,13253,13...
Status: IN_PROGRESS
Alias: CVE-2020-10761, CVE-2020-13253, CVE-2020-13361, CVE-2020-13362, CVE-2020-13659, CVE-2020-13754, CVE-2020-13791, CVE-2020-13800
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://lists.gnu.org/archive/html/qe...
Whiteboard: B3 [glsa? cleanup cve]
Keywords:
Depends on:
Blocks: CVE-2020-10717 CVE-2020-15859, CVE-2020-15863
  Show dependency tree
 
Reported: 2020-05-27 13:40 UTC by Sam James
Modified: 2020-09-20 02:32 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-05-27 13:40:29 UTC
Description:
"An out-of-bounds read access issue was found in the SD Memory Card emulator of the QEMU. It occurs while performing block write commands via sdhci_write(), if a guest user has sent 'address' which is OOB of 's->wp_groups'. A guest user/process may use this flaw to crash the QEMU process resulting in DoS."

URL: https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg05877.html
URL: https://bugs.launchpad.net/qemu/+bug/1880822
Comment 1 Sam James archtester gentoo-dev Security 2020-05-30 14:30:24 UTC
* CVE-2020-13361
	
Description:
"In QEMU 4.2.0, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation."

URL: https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg03983.html

* CVE-2020-13362

Description:
"In QEMU 4.2.0, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user."

URL: https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg03131.html
URL: https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg06250.html

----
Note that the CVE text appears wrong, and Debian evaluated these as affecting 5.0.0 too.
Comment 2 Sam James archtester gentoo-dev Security 2020-06-04 11:04:21 UTC
* CVE-2020-13800

Description:
"An infinite recursion issue was found in the ati-vga emulator of the QEMU. It could occur in ati_mm_read/write routines while accessing VGA registers, for certain values of the 'mm_index' variable. A guest user/process may use this flaw to crash the QEMU process resulting in DoS scenario."

URL: https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00833.html

* CVE-2020-13791

Description:
"An out-of-bounds access issue was found in the ati-vga emulator of the QEMU. It could occur while reading PCI configuration bytes via ati_mm_read routine, if the address sent by a guest is towards an end of the PCI configuration space. A guest user/process may use this flaw to crash the QEMU process resulting in DoS scenario."

URL: https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00831.html
Comment 3 Sam James archtester gentoo-dev Security 2020-06-09 13:44:24 UTC
* CVE-2020-10761

Description:
"An assertion failure issue was found in the Network Block Device(NBD) Server in all QEMU versions before QEMU 5.0.1. This flaw occurs when an nbd-client sends a spec-compliant request that is near the boundary of maximum permitted request length. A remote nbd-client could use this flaw to crash the qemu-nbd server resulting in a denial of service."

URL: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10761
URL: https://www.openwall.com/lists/oss-security/2020/06/09/1
Comment 4 Sam James archtester gentoo-dev Security 2020-06-11 04:31:07 UTC
* CVE-2020-13754

Description:
"hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation."

* CVE-2020-13659

Description:
"address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer dereference related to BounceBuffer."
Comment 5 John Helmert III (ajak) 2020-08-14 03:17:30 UTC
(In reply to Sam James from comment #0)
> Description:
> "An out-of-bounds read access issue was found in the SD Memory Card emulator
> of the QEMU. It occurs while performing block write commands via
> sdhci_write(), if a guest user has sent 'address' which is OOB of
> 's->wp_groups'. A guest user/process may use this flaw to crash the QEMU
> process resulting in DoS."
> 
> URL: https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg05877.html
> URL: https://bugs.launchpad.net/qemu/+bug/1880822

This is CVE-2020-13253.

Patches: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=3a9163af4e3dd61795a35d47b702e302f98f81d6
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=790762e5487114341cccc5bffcec4cb3c022c3cd

(In reply to Sam James from comment #1)
> * CVE-2020-13361
> 	
> Description:
> "In QEMU 4.2.0, es1370_transfer_audio in hw/audio/es1370.c does not properly
> validate the frame count, which allows guest OS users to trigger an
> out-of-bounds access during an es1370_write() operation."
> 
> URL: https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg03983.html

Patch: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=369ff955a8497988d079c4e3fa1e93c2570c1c69

> * CVE-2020-13362
> 
> Description:
> "In QEMU 4.2.0, megasas_lookup_frame in hw/scsi/megasas.c has an
> out-of-bounds read via a crafted reply_queue_head field from a guest OS
> user."
> 
> URL: https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg03131.html
> URL: https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg06250.html

Patches: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=f50ab86a2620bd7e8507af865b164655ee921661
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=fd6918556736ecce8b10acd581ba134ffb62d9f9
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=2b151297e44655e45c18f57ae0232780ee4ad45a

(In reply to Sam James from comment #2)
> * CVE-2020-13800
> 
> Description:
> "An infinite recursion issue was found in the ati-vga emulator of the QEMU.
> It could occur in ati_mm_read/write routines while accessing VGA registers,
> for certain values of the 'mm_index' variable. A guest user/process may use
> this flaw to crash the QEMU process resulting in DoS scenario."
> 
> URL: https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00833.html

Patch: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=a98610c429d52db0937c1e48659428929835c455

> * CVE-2020-13791
> 
> Description:
> "An out-of-bounds access issue was found in the ati-vga emulator of the
> QEMU. It could occur while reading PCI configuration bytes via ati_mm_read
> routine, if the address sent by a guest is towards an end of the PCI
> configuration space. A guest user/process may use this flaw to crash the
> QEMU process resulting in DoS scenario."
> 
> URL: https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00831.html

This *appears* to be the patch, someone else should check me to be safe: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=f7d6a635fa3b7797f9d072e280f065bf3cfcd24d

(In reply to Sam James from comment #3)
> * CVE-2020-10761
> 
> Description:
> "An assertion failure issue was found in the Network Block Device(NBD)
> Server in all QEMU versions before QEMU 5.0.1. This flaw occurs when an
> nbd-client sends a spec-compliant request that is near the boundary of
> maximum permitted request length. A remote nbd-client could use this flaw to
> crash the qemu-nbd server resulting in a denial of service."
> 
> URL: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10761
> URL: https://www.openwall.com/lists/oss-security/2020/06/09/1

Patch: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=5c4fe018c025740fef4a0a4421e8162db0c3eefd

(In reply to Sam James from comment #4)
> * CVE-2020-13754
> 
> Description:
> "hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an
> out-of-bounds access via a crafted address in an msi-x mmio operation."

Patch: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=5d971f9e672507210e77d020d89e0e89165c8fc9

> * CVE-2020-13659
> 
> Description:
> "address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer
> dereference related to BounceBuffer."

Patch: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=77f55eac6c433e23e82a1b88b2d74f385c4c7d82



All in 5.1.0.
Comment 6 John Helmert III (ajak) 2020-08-14 05:26:32 UTC
Maintainers, let's stable 5.1.0 when ready?
Comment 7 John Helmert III (ajak) 2020-09-20 02:32:43 UTC
Please cleanup.