Linux Security

    ArchLinux: 202012-26: qemu: multiple issues

    Date 31 Dec 2020
    Posted By LinuxSecurity Advisories
    The package qemu before version 5.2.0-1 is vulnerable to multiple issues including arbitrary code execution and denial of service.
    Arch Linux Security Advisory ASA-202012-26
    ==========================================
    
    Severity: Medium
    Date    : 2020-12-16
    CVE-ID  : CVE-2020-14364 CVE-2020-25624 CVE-2020-25625 CVE-2020-25723
              CVE-2020-28916
    Package : qemu
    Type    : multiple issues
    Remote  : No
    Link    : https://security.archlinux.org/AVG-1300
    
    Summary
    =======
    
    The package qemu before version 5.2.0-1 is vulnerable to multiple
    issues including arbitrary code execution and denial of service.
    
    Resolution
    ==========
    
    Upgrade to 5.2.0-1.
    
    # pacman -Syu "qemu>=5.2.0-1"
    
    The problems have been fixed upstream in version 5.2.0.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    - CVE-2020-14364 (arbitrary code execution)
    
    An out-of-bounds read/write access flaw was found in the USB emulator
    of QEMU in versions before 5.2.0. This issue occurs while
    processing USB packets from a guest when USBDevice 'setup_len' exceeds
    its 'data_buf[4096]' in the do_token_in, do_token_out routines. This
    flaw allows a guest user to crash the QEMU process, resulting in a
    denial of service, or the potential execution of arbitrary code with
    the privileges of the QEMU process on the host.
    
    - CVE-2020-25624 (arbitrary code execution)
    
    A flaw was found in QEMU before version 5.2.0. An out-of-bounds
    read/write access issue was found in the USB OHCI controller emulator.
    The issue could occur while servicing transfer descriptors (TD), as
    the OHCI controller derives the variables 'start_addr', 'end_addr', and
    'len' from values supplied by the host controller driver. The host
    controller driver may supply values such that using these variables
    leads to an out-of-bounds access. A guest user/process could use this
    flaw to crash the QEMU process on the host, resulting in a denial of
    service (DoS) scenario. The highest threat from this vulnerability is
    to data confidentiality and integrity as well as system availability.
    
    - CVE-2020-25625 (denial of service)
    
    An infinite loop issue was found in the USB OHCI controller emulator of
    QEMU before version 5.2.0. It could occur while servicing OHCI
    isochronous transfer descriptors (TD) in ohci_service_iso_td routine,
    as it retires a TD if it has passed its time frame. While doing so it
    does not check if the TD was already processed once and holds an error
    code in TD_CC. It may happen if the TD list has a loop.
    
    A guest user/process may use this flaw to consume CPU cycles on the
    host resulting in a DoS scenario.
    
    - CVE-2020-25723 (denial of service)
    
    A reachable assertion issue was found in the USB EHCI emulation code of
    QEMU before version 5.2.0. It could occur while processing USB requests
    due to missing handling of DMA memory map failure. A malicious
    privileged user within the guest may abuse this flaw to send bogus USB
    requests and crash the QEMU process on the host, resulting in a denial
    of service.
    
    - CVE-2020-28916 (denial of service)
    
    An infinite loop issue was found in the e1000e device emulator in QEMU
    before version 5.2.0. The issue could occur while receiving packets via
    the e1000e_write_packet_to_guest() routine, if the receive (RX)
    descriptor has a NULL buffer address. A privileged guest user may use
    this flaw to induce a DoS scenario on the host.
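
The bounds check that the CVE-2020-14364 description turns on, shown as an added example: this is a simplified model written for this page, not QEMU's code. The struct and the functions model_setup and model_token_in are hypothetical; only the names 'setup_len' and 'data_buf[4096]' come from the advisory.

```c
#include <stdint.h>
#include <string.h>

#define DATA_BUF_SIZE 4096

/* Hypothetical, simplified device state; not QEMU's USBDevice. */
struct usb_dev_model {
    uint8_t  setup_buf[8];
    uint8_t  data_buf[DATA_BUF_SIZE];
    uint32_t setup_len;    /* total length of the control transfer */
    uint32_t setup_index;  /* bytes already transferred */
};

/* SETUP stage: wLength (bytes 6..7, little endian) is guest-controlled.
 * Validate it in a local variable and commit it to device state only
 * if it fits data_buf, so a rejected packet leaves no oversized length. */
int model_setup(struct usb_dev_model *d, const uint8_t pkt[8])
{
    uint32_t len = ((uint32_t)pkt[7] << 8) | pkt[6];
    if (len > sizeof(d->data_buf)) {
        return -1;  /* reject the request; state is unchanged */
    }
    memcpy(d->setup_buf, pkt, 8);
    d->setup_len = len;
    d->setup_index = 0;
    return 0;
}

/* IN data stage: re-check the invariant, then copy at most what remains. */
int model_token_in(struct usb_dev_model *d, uint8_t *out, uint32_t want)
{
    if (d->setup_len > sizeof(d->data_buf) || d->setup_index > d->setup_len) {
        return -1;
    }
    uint32_t remaining = d->setup_len - d->setup_index;
    uint32_t n = want < remaining ? want : remaining;
    memcpy(out, d->data_buf + d->setup_index, n);
    d->setup_index += n;
    return (int)n;
}

int main(void)
{
    static struct usb_dev_model d;
    const uint8_t oversized[8] = {0, 0, 0, 0, 0, 0, 0x01, 0x10}; /* constructed: wLength = 4097 */
    return model_setup(&d, oversized) == -1 ? 0 : 1;
}
```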
    
    Impact
    ======
    
    A guest might be able to cause a denial of service or execute arbitrary
    code on the host.
    
    References
    ==========
    
    https://bugs.archlinux.org/task/68356
    https://www.openwall.com/lists/oss-security/2020/08/24/2
    https://www.openwall.com/lists/oss-security/2020/08/24/3
    https://git.qemu.org/?p=qemu.git;a=commitdiff;h=b946434f2659a182afc17e155be6791ebfb302eb
    https://git.qemu.org/?p=qemu.git;a=commitdiff;h=1328fe0c32d5474604105b8105310e944976b058
    https://www.openwall.com/lists/oss-security/2020/09/17/1
    https://git.qemu.org/?p=qemu.git;a=commitdiff;h=1be90ebecc95b09a2ee5af3f60c412b45a766c4f
    https://git.qemu.org/?p=qemu.git;a=commit;h=2fdb42d840400d58f2e706ecca82c142b97bcbd6
    https://www.openwall.com/lists/oss-security/2020/12/01/2
    https://git.qemu.org/?p=qemu.git;a=commitdiff;h=c2cb511634012344e3d0fe49a037a33b12d8a98a
    https://security.archlinux.org/CVE-2020-14364
    https://security.archlinux.org/CVE-2020-25624
    https://security.archlinux.org/CVE-2020-25625
    https://security.archlinux.org/CVE-2020-25723
    https://security.archlinux.org/CVE-2020-28916
    
