Bug 820743 (CVE-2021-3527, CVE-2021-3544, CVE-2021-3545, CVE-2021-3546, CVE-2021-3582, CVE-2021-3607, CVE-2021-3608) - <app-emulation/qemu-6.0.1: multiple vulnerabilities (CVE-2021-{3527,3544,3545,3546,3582,3607,3608})
Status: IN_PROGRESS
Alias: CVE-2021-3527, CVE-2021-3544, CVE-2021-3545, CVE-2021-3546, CVE-2021-3582, CVE-2021-3607, CVE-2021-3608
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa?]
Keywords: PullRequest
Depends on: 820677
Blocks:
Reported: 2021-10-29 18:42 UTC by Sam James
Modified: 2021-12-20 20:10 UTC

See Also:
Package list:
Runtime testing required: ---

Description Sam James 2021-10-29 18:42:54 UTC
CVE-2021-3527 (https://www.openwall.com/lists/oss-security/2021/05/05/5):

A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service.

CVE-2021-3544 (https://bugzilla.redhat.com/show_bug.cgi?id=1958935):

Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime.

CVE-2021-3545 (https://bugzilla.redhat.com/show_bug.cgi?id=1958955):

An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit this issue to leak memory from the host.

CVE-2021-3546 (https://bugzilla.redhat.com/show_bug.cgi?id=1958978):

An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command from the guest. It could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service condition, or potential code execution with the privileges of the QEMU process.
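As an added illustration of the pattern the CVE-2021-3527 text describes (constructed for this page, not QEMU's code and not part of the bug report), the C below places a guest-supplied transfer total used as a stack VLA size beside a version that rejects the total against a fixed cap before any buffer is touched; MAX_BULK_TRANSFER, the function names and the sample packets are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_BULK_TRANSFER 65536u   /* hypothetical fixed cap for one transfer */

/* Constructed illustration of the pattern described for CVE-2021-3527 (not
 * QEMU's code; every name here is hypothetical): a guest-supplied total
 * transfer length sizes a stack VLA, so a huge value exhausts the stack. */
int combine_packets_vulnerable(const uint8_t *const *pkts, const size_t *lens,
                               size_t npkts, size_t total_len)
{
    uint8_t buf[total_len];              /* VLA sized by untrusted input */
    size_t off = 0;
    for (size_t i = 0; i < npkts && lens[i] <= total_len - off; i++) {
        memcpy(buf + off, pkts[i], lens[i]);
        off += lens[i];
    }
    return (int)off;
}

/* Hardened shape: check total_len against a fixed cap before touching any
 * buffer, and fill a caller-owned buffer of known size instead of a VLA. */
int combine_packets_checked(const uint8_t *const *pkts, const size_t *lens,
                            size_t npkts, size_t total_len,
                            uint8_t *out, size_t out_cap)
{
    if (total_len > MAX_BULK_TRANSFER || total_len > out_cap)
        return -1;                       /* reject oversized request up front */
    size_t off = 0;
    for (size_t i = 0; i < npkts; i++) {
        if (lens[i] > total_len - off)   /* per-packet bound, overflow-safe */
            return -1;
        memcpy(out + off, pkts[i], lens[i]);
        off += lens[i];
    }
    return (int)off;
}

/* Constructed sample input: two small packets (5 bytes total) combined under
 * whatever total the "guest" claims; returns the combined length or -1. */
int demo_combine(size_t claimed_total)
{
    static const uint8_t a[] = {1, 2, 3}, b[] = {4, 5};
    const uint8_t *pkts[] = {a, b};
    const size_t lens[] = {sizeof a, sizeof b};
    uint8_t out[64];
    return combine_packets_checked(pkts, lens, 2, claimed_total, out, sizeof out);
}
```

demo_combine(5) returns 5, while a claimed total that the packets do not fit (4) or one beyond the cap is rejected with -1 before any memory is sized from it.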
Comment 1 Sam James 2021-10-29 18:44:28 UTC
CVE-2021-3582:

A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. The issue occurs while handling a "PVRDMA_CMD_CREATE_MR" command due to improper memory remapping (mremap). This flaw allows a malicious guest to crash the QEMU process on the host. The highest threat from this vulnerability is to system availability.

CVE-2021-3607:

An integer overflow was found in the QEMU implementation of VMWare's paravirtual RDMA device. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest due to improper input validation. This flaw allows a privileged guest user to make QEMU allocate a large amount of memory, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

CVE-2021-3608:

A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest and may result in a crash of QEMU or cause undefined behavior due to the access of an uninitialized pointer. The highest threat from this vulnerability is to system availability.
Comment 2 Larry the Git Cow 2021-10-29 18:51:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bff4fbd804e1bd45e5e8478efd66b28e9c58fad6

commit bff4fbd804e1bd45e5e8478efd66b28e9c58fad6
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-10-29 18:50:52 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-10-29 18:50:58 +0000

    app-emulation/qemu: add 6.0.1
    
    Closes: https://bugs.gentoo.org/820677
    Bug: https://bugs.gentoo.org/820743
    Signed-off-by: Sam James <sam@gentoo.org>

 app-emulation/qemu/Manifest          |   1 +
 app-emulation/qemu/qemu-6.0.1.ebuild | 911 +++++++++++++++++++++++++++++++++++
 2 files changed, 912 insertions(+)
Comment 3 Larry the Git Cow 2021-12-20 06:42:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d4dbabb19b26f4203d67e25f78772c5bebf650ff

commit d4dbabb19b26f4203d67e25f78772c5bebf650ff
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2021-12-20 04:31:40 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2021-12-20 06:42:24 +0000

    app-emulation/qemu: drop 6.0.0-r4, 6.0.0-r54, 6.0.1-r1
    
    Bug: https://bugs.gentoo.org/807055
    Bug: https://bugs.gentoo.org/820743
    Closes: https://github.com/gentoo/gentoo/pull/23421
    Signed-off-by: John Helmert III <ajak@gentoo.org>
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-emulation/qemu/Manifest                        |   2 -
 .../qemu/files/qemu-5.2.0-cleaner-werror.patch     |  40 -
 .../qemu/files/qemu-5.2.0-dce-locks.patch          |  18 -
 app-emulation/qemu/files/qemu-5.2.0-strings.patch  |  23 -
 app-emulation/qemu/qemu-6.0.0-r4.ebuild            | 910 --------------------
 app-emulation/qemu/qemu-6.0.0-r54.ebuild           | 911 ---------------------
 app-emulation/qemu/qemu-6.0.1-r1.ebuild            | 911 ---------------------
 7 files changed, 2815 deletions(-)