CVE-2023-0330 (https://lists.nongnu.org/archive/html/qemu-devel/2023-01/msg03411.html):

A vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free.

Patch made it into git as 31c4b6fb0293e359f9ef8a61892667e76eea4c99, says it also fixes CVE-2022-1050, in 8.0.0.

CVE-2023-1544 (https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html):

A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.

Not in qemu upstream as far as I can tell.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be4c0fdfda7a00698701d61467154dba7009e38e

commit be4c0fdfda7a00698701d61467154dba7009e38e
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2023-05-05 16:19:24 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2023-05-05 18:11:17 +0000

    app-emulation/qemu: add 8.0.0

    - merge qemu-7.2.1 and qemu-9999 ebuilds
    - remove static keyword
    - update to --enable-trace-backends configuration option

    Bug: https://bugs.gentoo.org/905342
    Bug: https://bugs.gentoo.org/865121
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-emulation/qemu/Manifest                        |   1 +
 .../qemu/files/qemu-8.0.0-disable-keymap.patch     |  18 +-
 app-emulation/qemu/files/qemu-8.0.0-make.patch     |   9 +-
 app-emulation/qemu/qemu-8.0.0.ebuild               | 962 +++++++++++++++++++++
 4 files changed, 978 insertions(+), 12 deletions(-)
(In reply to John Helmert III from comment #0)

> CVE-2023-0330
> (https://lists.nongnu.org/archive/html/qemu-devel/2023-01/msg03411.html):
>
> A vulnerability in the lsi53c895a device affects the latest version of qemu.
> A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack
> overflow or use-after-free.
>
> Patch made it into git as 31c4b6fb0293e359f9ef8a61892667e76eea4c99,
> says it also fixes CVE-2022-1050, in 8.0.0.

Looks like I was confused here. That commit was for CVE-2023-1050, not CVE-2023-0330. The latter was fixed with a2e1753b8054344f32cf94f31c6399a58794a380, which isn't in any release.

> CVE-2023-1544
> (https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html):
>
> A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA
> device. This flaw allows a crafted guest driver to allocate and initialize a
> huge number of page tables to be used as a ring of descriptors for CQ and
> async events, potentially leading to an out-of-bounds read and crash of QEMU.
>
> Not in qemu upstream as far as I can tell.

*This* one was eventually merged as 31c4b6fb0293e359f9ef8a61892667e76eea4c99, which references CVE-2022-1050, and is in 8.0.0. Let's move this one to bug 865121 and we can track the currently-fixed bugs there.
CVE-2021-20255 (https://bugzilla.redhat.com/show_bug.cgi?id=1930646): A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9bdd3ce95b8131c069bc4921d7cfdd75eea92f35

commit 9bdd3ce95b8131c069bc4921d7cfdd75eea92f35
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-06-03 06:06:41 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-06-03 06:06:56 +0000

    app-emulation/qemu: add 8.0.2

    Fixes CVE-2023-0330.

    Bug: https://bugs.gentoo.org/905342
    Signed-off-by: Sam James <sam@gentoo.org>

 app-emulation/qemu/Manifest          |   1 +
 app-emulation/qemu/qemu-8.0.2.ebuild | 963 +++++++++++++++++++++++++++++++++++
 2 files changed, 964 insertions(+)
(In reply to John Helmert III from comment #3)

> CVE-2021-20255 (https://bugzilla.redhat.com/show_bug.cgi?id=1930646):
>
> A stack overflow via an infinite recursion vulnerability was found in the
> eepro100 i8255x device emulator of QEMU. This issue occurs while processing
> controller commands due to a DMA reentry issue. This flaw allows a guest
> user or process to consume CPU cycles or crash the QEMU process on the host,
> resulting in a denial of service. The highest threat from this vulnerability
> is to system availability.

The solution suggested was never merged.

https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06123.html