CVE-2021-20255 (https://bugzilla.redhat.com/show_bug.cgi?id=1930646):
https://www.openwall.com/lists/oss-security/2021/02/25/1
https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Feepro100_stackoverflow1
https://lists.debian.org/debian-lts-announce/2021/04/msg00009.html
https://security.netapp.com/advisory/ntap-20210507-0003/

A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

CVE-2022-1050 (https://bugzilla.redhat.com/show_bug.cgi?id=2069625):

A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition.
CVE-2022-2962 (https://gitlab.com/qemu-project/qemu/-/issues/1171):
https://gitlab.com/qemu-project/qemu/-/commit/36a894aeb64a2e02871016da1c37d4a4ca109182

A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
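The two mitigations implied by that description, a DMA engine that refuses to target the device's own MMIO window and a reentrancy guard on the MMIO handler, modelled in a toy device. This is an added example, not QEMU's code: `toy_dev`, `bus_write`, the register layout and the guest RAM array are all invented for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Toy model (not QEMU code) of a device whose DMA engine can be pointed, via a
 * guest-controlled descriptor address, at the device's own MMIO window. */
#define RAM_SIZE 4096
static uint8_t guest_ram[RAM_SIZE];   /* constructed guest RAM, phys addr = index */

struct toy_dev {
    uint64_t mmio_base, mmio_size;  /* the device's own MMIO BAR */
    bool restrict_dma_to_ram;       /* mitigation 1: DMA may never target MMIO */
    bool engaged_in_io;             /* mitigation 2: set while a handler runs */
    int reentry_blocked;            /* nested handler calls that were refused */
};
static int toy_mmio_write(struct toy_dev *d, uint64_t off, uint64_t val);

/* Bus write: RAM is a memcpy; the device's own MMIO window dispatches back
 * into its handler, which is what makes DMA-to-MMIO reentrant. */
static int bus_write(struct toy_dev *d, uint64_t addr, uint64_t val)
{
    if (addr >= d->mmio_base && addr < d->mmio_base + d->mmio_size)
        return toy_mmio_write(d, addr - d->mmio_base, val);
    if (addr + sizeof val > RAM_SIZE)
        return -2;                  /* outside the modelled RAM */
    memcpy(guest_ram + addr, &val, sizeof val);
    return 0;
}

/* DMA write issued by the device itself, e.g. writing back a descriptor. */
static int toy_dma_write(struct toy_dev *d, uint64_t addr, uint64_t val)
{
    bool own_mmio = addr < d->mmio_base + d->mmio_size &&
                    addr + sizeof val > d->mmio_base;
    if (d->restrict_dma_to_ram && own_mmio)
        return -1;                  /* refuse rather than re-enter ourselves */
    return bus_write(d, addr, val);
}

/* MMIO handler: a write to register 0 treats val as a descriptor address and
 * DMAs a completion word there. val == mmio_base would otherwise recurse until
 * the host stack is exhausted; the engaged_in_io guard makes it a refusal. */
static int toy_mmio_write(struct toy_dev *d, uint64_t off, uint64_t val)
{
    if (d->engaged_in_io) { d->reentry_blocked++; return -3; }
    d->engaged_in_io = true;
    int rc = (off == 0) ? toy_dma_write(d, val, 1) : 0;
    d->engaged_in_io = false;
    return rc;
}
```

With `restrict_dma_to_ram` off, a descriptor address inside the BAR reaches the handler a second time and only the guard stops the recursion; with it on, the DMA layer refuses before any dispatch happens.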
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be4c0fdfda7a00698701d61467154dba7009e38e

commit be4c0fdfda7a00698701d61467154dba7009e38e
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2023-05-05 16:19:24 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2023-05-05 18:11:17 +0000

    app-emulation/qemu: add 8.0.0

    - merge qemu-7.2.1 and qemu-9999 ebuilds
    - remove static keyword
    - update to --enable-trace-backends configuration option

    Bug: https://bugs.gentoo.org/905342
    Bug: https://bugs.gentoo.org/865121
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-emulation/qemu/Manifest                      |   1 +
 .../qemu/files/qemu-8.0.0-disable-keymap.patch   |  18 +-
 app-emulation/qemu/files/qemu-8.0.0-make.patch   |   9 +-
 app-emulation/qemu/qemu-8.0.0.ebuild             | 962 +++++++++++++++++++++
 4 files changed, 978 insertions(+), 12 deletions(-)
Looks like the patch for CVE-2022-1050 is in 8.0.0 and CVE-2023-2962 in 7.2.0. Let's remove CVE-2021-20255 and proceed with this bug otherwise.
CVE-2023-1544 (https://bugzilla.redhat.com/show_bug.cgi?id=2180364): A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.
(managed to typo the bug number)

commit 50ad24c08d86326adcff296e6beb26107e0ab028
Author: John Helmert III <ajak@gentoo.org>
Date:   Sun Oct 29 19:57:34 2023 -0700

    app-emulation/qemu: drop 7.2.0-r3, 7.2.3

    Bug: https://bugs.gentoo.org/909542
    Bug: https://bugs.gentoo.org/865112
    Signed-off-by: John Helmert III <ajak@gentoo.org>
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=1baff7cf9283037d49a3b562d771e3cf77039bfa

commit 1baff7cf9283037d49a3b562d771e3cf77039bfa
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-08-09 09:49:28 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-08-09 09:49:35 +0000

    [ GLSA 202408-18 ] QEMU: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/857657
    Bug: https://bugs.gentoo.org/865121
    Bug: https://bugs.gentoo.org/883693
    Bug: https://bugs.gentoo.org/909542
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202408-18.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)