CVE-2021-3527 (https://www.openwall.com/lists/oss-security/2021/05/05/5): A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service.

CVE-2021-3544 (https://bugzilla.redhat.com/show_bug.cgi?id=1958935): Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime.

CVE-2021-3545 (https://bugzilla.redhat.com/show_bug.cgi?id=1958955): An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit this issue to leak memory from the host.

CVE-2021-3546 (https://bugzilla.redhat.com/show_bug.cgi?id=1958978): An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command from the guest. It could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service condition, or potential code execution with the privileges of the QEMU process.
CVE-2021-3582: A flaw was found in the QEMU implementation of VMware's paravirtual RDMA device. The issue occurs while handling a "PVRDMA_CMD_CREATE_MR" command due to improper memory remapping (mremap). This flaw allows a malicious guest to crash the QEMU process on the host. The highest threat from this vulnerability is to system availability.

CVE-2021-3607: An integer overflow was found in the QEMU implementation of VMware's paravirtual RDMA device. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest due to improper input validation. This flaw allows a privileged guest user to make QEMU allocate a large amount of memory, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

CVE-2021-3608: A flaw was found in the QEMU implementation of VMware's paravirtual RDMA device. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest and may result in a crash of QEMU or cause undefined behavior due to the access of an uninitialized pointer. The highest threat from this vulnerability is to system availability.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bff4fbd804e1bd45e5e8478efd66b28e9c58fad6

commit bff4fbd804e1bd45e5e8478efd66b28e9c58fad6
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-10-29 18:50:52 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-10-29 18:50:58 +0000

    app-emulation/qemu: add 6.0.1

    Closes: https://bugs.gentoo.org/820677
    Bug: https://bugs.gentoo.org/820743
    Signed-off-by: Sam James <sam@gentoo.org>

 app-emulation/qemu/Manifest          |   1 +
 app-emulation/qemu/qemu-6.0.1.ebuild | 911 +++++++++++++++++++++++++++++++++++
 2 files changed, 912 insertions(+)
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d4dbabb19b26f4203d67e25f78772c5bebf650ff

commit d4dbabb19b26f4203d67e25f78772c5bebf650ff
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2021-12-20 04:31:40 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2021-12-20 06:42:24 +0000

    app-emulation/qemu: drop 6.0.0-r4, 6.0.0-r54, 6.0.1-r1

    Bug: https://bugs.gentoo.org/807055
    Bug: https://bugs.gentoo.org/820743
    Closes: https://github.com/gentoo/gentoo/pull/23421
    Signed-off-by: John Helmert III <ajak@gentoo.org>
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-emulation/qemu/Manifest                        |   2 -
 .../qemu/files/qemu-5.2.0-cleaner-werror.patch     |  40 -
 .../qemu/files/qemu-5.2.0-dce-locks.patch          |  18 -
 app-emulation/qemu/files/qemu-5.2.0-strings.patch  |  23 -
 app-emulation/qemu/qemu-6.0.0-r4.ebuild            | 910 --------------------
 app-emulation/qemu/qemu-6.0.0-r54.ebuild           | 911 ---------------------
 app-emulation/qemu/qemu-6.0.1-r1.ebuild            | 911 ---------------------
 7 files changed, 2815 deletions(-)
GLSA request filed
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=fd3b0a54cba850267bd5f7ed0ac9f66f91aa44ac

commit fd3b0a54cba850267bd5f7ed0ac9f66f91aa44ac
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 16:09:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 16:09:43 +0000

    [ GLSA 202208-27 ] QEMU: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/733448
    Bug: https://bugs.gentoo.org/736605
    Bug: https://bugs.gentoo.org/773220
    Bug: https://bugs.gentoo.org/775713
    Bug: https://bugs.gentoo.org/780816
    Bug: https://bugs.gentoo.org/792624
    Bug: https://bugs.gentoo.org/807055
    Bug: https://bugs.gentoo.org/810544
    Bug: https://bugs.gentoo.org/820743
    Bug: https://bugs.gentoo.org/835607
    Bug: https://bugs.gentoo.org/839762
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-27.xml | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)
GLSA done, all done.