775713 – (CVE-2021-20263, CVE-2021-3409) <app-emulation/qemu-6.0.0: multiple vulnerabilities (CVE-2021-{3409,20263})

Bug 775713 (CVE-2021-20263, CVE-2021-3409) - <app-emulation/qemu-6.0.0: multiple vulnerabilities (CVE-2021-{3409,20263})

Summary: <app-emulation/qemu-6.0.0: multiple vulnerabilities (CVE-2021-{3409,20263})

Status:	RESOLVED FIXED

Alias:	CVE-2021-20263, CVE-2021-3409

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	C1 [glsa+]
Keywords:

Depends on:	CVE-2020-35504, CVE-2020-35505, CVE-2020-35506
Blocks:
	Show dependency tree

Reported:	2021-03-13 04:49 UTC by John Helmert III
Modified:	2022-08-14 16:11 UTC (History)
CC List:	6 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-03-13 04:49:19 UTC

CVE-2021-3409 (https://www.openwall.com/lists/oss-security/2021/03/09/1):

QEMU upstream commit [1] was supposed to fix CVE-2020-17380 and
CVE-2020-25085, both involving a heap buffer overflow in the SDHCI
controller emulation code. In fact, commit [1] turned out to be
incomplete, in that it was still possible to reproduce the same
issue(s) with specially crafted input, inducing a bogus transfer and
subsequent out-of-bounds read/write access in sdhci_do_adma() or
sdhci_sdma_transfer_multi_blocks().

Old patch:
[1] https://git.qemu.org/?p=qemu.git;a=commit;h=dfba99f17feb6d4a129da19d38df1bcd8579d1c3

New patch series:
https://lists.nongnu.org/archive/html/qemu-devel/2021-03/msg00949.html

CVE-2021-20263 (https://www.openwall.com/lists/oss-security/2021/03/08/1):

A flaw was found in the virtio-fs shared file system daemon
(virtiofsd) of QEMU. Virtio-fs is meant to share a host file system
directory with a guest virtual machine. The new 'xattrmap' option may
cause the 'security.capability' xattr in the guest to not drop on file
write, potentially leading to a modified, privileged executable in the
guest. In rare circumstances, this flaw could be used by a malicious
user to elevate their privileges within the guest.

Upstream patch:
https://lists.gnu.org/archive/html/qemu-devel/2021-03/msg01244.html


Both patchsets seem to be unmerged.

Comment 1 Matthias Maier gentoo-dev

2021-04-04 19:39:11 UTC

Second patch is applied, first patch series not yet in upstream main git branch.

Comment 2 NATTkA bot gentoo-dev

2021-07-29 17:23:41 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 3 NATTkA bot gentoo-dev

2021-07-29 17:32:06 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 4 NATTkA bot gentoo-dev

2021-07-29 17:39:59 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 5 NATTkA bot gentoo-dev

2021-07-29 17:48:10 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 6 NATTkA bot gentoo-dev

2021-07-29 18:04:06 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 7 NATTkA bot gentoo-dev

2021-07-29 18:12:24 UTC

Package list is empty or all packages have requested keywords.

Comment 8 John Helmert III archtester

2021-10-17 19:24:59 UTC

Everything seems to be in 6.0.0

Comment 9 John Helmert III archtester

2022-08-14 04:42:24 UTC

GLSA request filed

Comment 10 Larry the Git Cow gentoo-dev

2022-08-14 16:09:50 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=fd3b0a54cba850267bd5f7ed0ac9f66f91aa44ac

commit fd3b0a54cba850267bd5f7ed0ac9f66f91aa44ac
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 16:09:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 16:09:43 +0000

    [ GLSA 202208-27 ] QEMU: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/733448
    Bug: https://bugs.gentoo.org/736605
    Bug: https://bugs.gentoo.org/773220
    Bug: https://bugs.gentoo.org/775713
    Bug: https://bugs.gentoo.org/780816
    Bug: https://bugs.gentoo.org/792624
    Bug: https://bugs.gentoo.org/807055
    Bug: https://bugs.gentoo.org/810544
    Bug: https://bugs.gentoo.org/820743
    Bug: https://bugs.gentoo.org/835607
    Bug: https://bugs.gentoo.org/839762
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-27.xml | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)

Comment 11 Sam James archtester

2022-08-14 16:11:36 UTC

GLSA done, all done.